
Please check HJT scan and help me fix problems.

Discussion in 'Virus & Other Malware Removal' started by lynmaire, Sep 1, 2004.

Thread Status:
Not open for further replies.
  1. lynmaire

    lynmaire Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    6
    Please check the HJT scan I've copied below and see if you can find my virus problem, and tell me how to get rid of the Hosts that are showing up....shouldn't SpyBot or AdAware have knocked them out?

    My Norton virus protection found Bloodhound.Exploit.6 (trojan) and can't repair it. The patch they forwarded me to had already been put on my computer back in July. I've had automatic security downloads to my computer for the last 2 years, and also scanned the computer at the Microsoft download site and I have every security update, including the new release for XP that includes a firewall.

    Before I ran HJT I ran my AdAware (config. the way you'd recommended in another post) and Spybot. Then I did the online Symantec virus check, but it didn't find the Bloodhound.

    Thanks to all you great guys who offer this service! I'll be more than happy to leave a donation....just tell me where and how.

    Lynmaire

    HJT SCAN:

    Logfile of HijackThis v1.98.2
    Scan saved at 8:57:07 PM, on 9/1/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINNT\System32\nvsvc32.exe
    C:\WINNT\System32\MsPMSPSv.exe
    C:\WINNT\system32\fxssvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\BellSouth\Client Foundation\CFD.exe
    C:\WINNT\IEXPLORd.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    C:\WINNT\system32\CTHELPER.EXE
    C:\WINNT\system32\CTHELPER.EXE
    C:\WINNT\IEXPLORd.EXE
    C:\WINNT\System32\Nvr0A.exe
    C:\WINNT\System32\KrwH5.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Lynda\Desktop\HiJack This\HijackThis19802.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://liveireland.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://liveireland.com/
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {C2805C30-3FD0-42AA-AAF6-91A6F12C3E0D} - C:\WINNT\System32\abbliftter.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: (no name) - {6590A5BB-CB0B-46F7-A18C-753C20BA3B8B} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BellSouth\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [MSTestNB] C:\WINNT\IEXPLORd.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Gbi1r6.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
    O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /startmonitor /deaf
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - Startup: Alarm Manager.LNK = ?
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Connection Manager.lnk.disabled
    O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.EXE
    O4 - Global Startup: ItsDeductible7PopUp.lnk.disabled
    O4 - Global Startup: NkvMon.exe.lnk.disabled
    O4 - Global Startup: ZoneAlarm Pro.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Hello from Picasa Capture - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Picasa\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in &Hello from Picasa - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Picasa\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Expressit Card Creator - http://expressit.broderbund.com/300_Business_Center/380_Card_Creator/dd.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://65.83.242.102/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/downloads/su/ocx/12119/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/win/djvuplugin/en_US/DjVuControl_en_US.cab
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...le.com/samantha/us/win/QuickTimeInstaller.exe
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/classes/BPImageEditor.cab?ver=1,1,0,30
    O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/mediaversion/005/latest/twophase.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26b5951303346dfffe15/netzip/RdxIE6.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/classes/batchdwnl.cab?version=4,3,2,20802
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.travel.ie/seeireland/software/svideo.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/reader/live/Disk1/isetupml.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite22/fvlite.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://highst-gw.galway.net/activex/AxisCamControl.ocx
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://www.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/serialharvest/gwCID.CAB
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\Helpspot\XPLControl.CAB
    O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
    O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestation.com/common/classes/BPPrintClient.cab?ver=2,0,0,48
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/activex/LightSurfUploadControl.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.ritzpix.com/add/XUpload.ocx
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/downloads/su/ocx/12119/CTPID.cab
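
The checks a log reader applies by eye to a HijackThis listing like the one above (hosts entries that redirect instead of block, CLSIDs whose file is gone, random-looking file names under the Windows directory, executables whose name is one character off a real system binary) can be written down. The script below is an added example, not code from this thread or from HijackThis; the thresholds in `looks_random`, the `SYSTEM_BINARIES` list and the `WINDOWS_DIRS` roots are the example's own assumptions, and the sample input is a handful of lines copied from the posted log plus one constructed legitimate Global Startup entry to show what is not flagged.

```python
"""Heuristic triage of a HijackThis 1.98 log (added example, not the forum's or
HijackThis's own code). Every hit still needs a human decision before anything
is fixed or deleted; the rules are assumptions, not a signature database."""
import re

# Constructed sample: lines copied from the log posted above, plus one
# legitimate Global Startup entry to show what is NOT flagged.
SAMPLE_LOG = r"""
C:\WINNT\IEXPLORd.EXE
R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C2805C30-3FD0-42AA-AAF6-91A6F12C3E0D} - C:\WINNT\System32\abbliftter.dll (file missing)
O4 - HKLM\..\Run: [MSTestNB] C:\WINNT\IEXPLORd.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Gbi1r6.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - Global Startup: ItsDeductible7PopUp.lnk = C:\Program Files\ItsDeductible7\ItsD7.EXE
"""

BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}   # hosts entries that block rather than redirect
WINDOWS_DIRS = (r"c:\winnt", r"c:\windows")      # assumed Windows install roots
SYSTEM_BINARIES = ("iexplore", "explorer", "svchost", "lsass", "winlogon", "services")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def looks_random(name):
    """Short mixed-case alphanumerics containing digits, or long all-caps codes (assumed thresholds)."""
    digits = sum(c.isdigit() for c in name)
    mixed = name != name.upper() and name != name.lower()
    return bool((digits and mixed and len(name) <= 8) or (digits >= 3 and name.isupper() and len(name) >= 10))

def stem(path):
    """File name without directory or extension."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]

def first_path(cmd):
    """Executable of a Run value: the quoted path if present, else the first token."""
    m = re.match(r'"([^"]+)"', cmd)
    return m.group(1) if m else cmd.split()[0]

def lookalike(name):
    """System binary this name differs from by exactly one character, or None."""
    n = name.lower()
    return next((legit for legit in SYSTEM_BINARIES if edit_distance(n, legit) == 1), None)

def check_path(path, where):
    """Findings for one executable path (a running process or a Run value)."""
    s, found = stem(path), []
    legit = lookalike(s)
    if legit:
        found.append(("lookalike", f"{where}: {s} mimics {legit}", path))
    if path.lower().startswith(WINDOWS_DIRS) and looks_random(s):   # only under the Windows dir
        found.append(("random-name", f"{where}: random-looking file under the Windows directory", path))
    return found

def triage(log_text):
    """Return (code, reason, line) tuples for log lines worth a second look."""
    found = []
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if re.match(r"[A-Za-z]:\\", line):                       # Running processes section
            found += check_path(line, "process")
        elif line.startswith("O1 - Hosts:"):
            m = re.match(r"O1 - Hosts: (\S+) (\S+)(?: #(\S+))?", line)
            if m and m.group(1) not in BLACKHOLE_IPS:           # a redirect, not a block
                tag = f" (#{m.group(3)})" if m.group(3) else ""
                found.append(("hosts-redirect", f"{m.group(2)} -> {m.group(1)}{tag}", line))
        elif line.startswith("O4 - ") and "[" in line:           # registry Run values only
            m = re.match(r"O4 - \S+: \[([^\]]*)\] (.*)", line)
            if m:
                if looks_random(m.group(1)):
                    found.append(("random-name", f"Run value name {m.group(1)}", line))
                found += check_path(first_path(m.group(2)), "Run value")
        elif "(file missing)" in line or "(no file)" in line:
            found.append(("orphan", "entry points at a file that no longer exists", line))
    return found

# Constructed sample hosts file carrying the same #cooklop redirects.
SAMPLE_HOSTS = """# constructed sample
127.0.0.1       localhost
64.200.25.145 gator.com #cooklop
64.200.25.145 www.doubleclick.net #cooklop
"""

def clean_hosts(hosts_text):
    """Keep comments, blanks and loopback/blackhole mappings; drop mappings to any other address."""
    kept = [l for l in hosts_text.splitlines()
            if not l.split("#", 1)[0].split() or l.split()[0] in BLACKHOLE_IPS]
    return "\n".join(kept) + "\n"

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), clean_hosts(SAMPLE_HOSTS), sep="\n")
```

Run against the posted log this flags the `#cooklop` O1 lines (a blocklist-style hosts file maps to 127.0.0.1 or 0.0.0.0; mapping ad and affiliate domains to one routable address sends that traffic somewhere else), the `abbliftter.dll` and `(no file)` entries as orphans, `IEXPLORd.EXE` as a lookalike (`iexplore.exe` lives under Program Files\Internet Explorer, not in the Windows directory), and `Gbi1r6.exe`, `Nvr0A.exe`, `KrwH5.exe` and the `2SWZKN82R5K47C` value name as random-looking. The random-name rule deliberately fires only under the Windows directory, which is why `ItsD7.EXE` in Program Files passes; `clean_hosts` is the file-level equivalent of letting HijackThis fix the O1 lines.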
     
  2. lynmaire

    lynmaire Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    6
    bump
     
    O4 - Global Startup: NkvMon.exe.lnk.disabled
    O4 - Global Startup: ZoneAlarm Pro.lnk.disabled
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Hello from Picasa Capture - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Picasa\Hello\PicasaCapture.dll
    O9 - Extra 'Tools' menuitem: Share in &Hello from Picasa - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Picasa\Hello\PicasaCapture.dll
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: Expressit Card Creator - http://expressit.broderbund.com/300..._Creator/dd.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://65.83.242.102/sdccommon/download/tgctlcm.cab
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://us.creative.com/support/down...119/CTSUEng.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/...ntrol_en_US.cab
    O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoftware.es/avcheck...s/AvDetInst.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
    O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
    O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.imagestation.com/common/...ab?ver=1,1,0,30
    O16 - DPF: {47F591A2-8783-11D2-8343-00A0C945A819} (RFXPlayer Class) - http://download.richfx.com/player/m...st/twophase.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26b5951303346d...tzip/RdxIE6.cab
    O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/...ion=4,3,2,20802
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
    O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com/tv/igor/gigexagent.dll
    O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/..._1/axofupld.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/sof...nch/alaunch.cab
    O16 - DPF: {7142BA01-8BDF-11CF-9E23-0000E8A37440} (Surround Video Control Object) - http://www.travel.ie/seeireland/software/svideo.cab
    O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://www.newsstand.com/downloads/...k1/isetupml.cab
    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
    O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles...ll/MFImgVwr.cab
    O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} (FVLiteLoad Class) - http://digitalflip.org/fvlite22/fvlite.cab
    O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
    O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://highst-gw.galway.net/activex/AxisCamControl.ocx
    O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://www.shutterfly.com/downloads/Uploader.cab
    O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
    O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - http://support.gateway.com/support/...rvest/gwCID.CAB
    O16 - DPF: {A1337CC4-FF8E-11D1-9C48-00A0CC20E0D2} - http://www.therealyellowpageslive.net/live/ezinit.cab
    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
    O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.broderbund.com/plugin/Download.cab
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/Sh...n/bin/cabsa.cab
    O16 - DPF: {C8BAC37C-A8D2-425E-B7FC-80B9537FB14A} - http://www.spyblast.com/download/SBFullSInst.cab
    O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
    O16 - DPF: {CE37E095-ACFF-4380-A856-A560D389E5E1} (XPLControlProject.XPLControl) - file://C:\Program Files\Gateway\Helpspot\XPLControl.CAB
    O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/5...03C00/setup.exe
    O16 - DPF: {DF304508-B304-11D3-B860-00201857EBF5} (Pixami Print Layout Control) - http://www.imagestation.com/common/...ab?ver=2,0,0,48
    O16 - DPF: {E6EB803E-DD89-11D3-80C4-0050DA2E09D0} (LightSurfUploadCtl Class) - http://picturecenter.kodak.com/acti...loadControl.cab
    O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.ritzpix.com/add/XUpload.ocx
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://us.creative.com/support/down...12119/CTPID.cab
     
  4. physician

    physician

    Joined:
    Jul 13, 2004
    Messages:
    1,421
    C:\WINNT\IEXPLORd.EXe
    C:\WINNT\IEXPLORd.EXE
    C:\WINNT\System32\Nvr0A.exe
    C:\WINNT\System32\KrwH5.exe
    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop
    O2 - BHO: (no name) - {C2805C30-3FD0-42AA-AAF6-91A6F12C3E0D} - C:\WINNT\System32\abbliftter.dll (fil
    O3 - Toolbar: (no name) - {6590A5BB-CB0B-46F7-A18C-753C20BA3B8B} - (no file)
    O4 - HKLM\..\Run: [MSTestNB] C:\WINNT\IEXPLORd.EXE
    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Gbi1r6.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstalle

    These are the ones that you should put a check by and let HijackThis fix. Then reboot and repost your log...doc
     
  5. lynmaire

    lynmaire Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    6
    Thank you. Appreciate the help and will see how that works.
     
  6. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    First download and run the PeperFix.exe program from http://www3.ns.sympatico.ca/c.bennett03/PeperFix.exe
    Click "Find and Fix" and let it do its thing.


    Download CW Shredder:
    http://www3.ns.sympatico.ca/c.bennett03/moboswindowclinic.html
    Open and hit the ->fix tab to fix all found problems

    Then rescan once again with HijackThis and insert a check next to each of the following, close all browser windows and click "fix checked"

    R3 - URLSearchHook: (no name) - _{707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O1 - Hosts: 64.200.25.145 gator.com #cooklop
    O1 - Hosts: 64.200.25.145 www.gator.com #cooklop
    O1 - Hosts: 64.200.25.145 doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 www.doubleclick.net #cooklop
    O1 - Hosts: 64.200.25.145 tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 www.tripod.com #cooklop
    O1 - Hosts: 64.200.25.145 adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 www.adultfriendfinder.com #cooklop
    O1 - Hosts: 64.200.25.145 cj.com #cooklop
    O1 - Hosts: 64.200.25.145 www.cj.com #cooklop
    O1 - Hosts: 64.200.25.145 paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 www.paypopup.com #cooklop
    O1 - Hosts: 64.200.25.145 worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 www.worldsex.com #cooklop
    O1 - Hosts: 64.200.25.145 free6.com #cooklop
    O1 - Hosts: 64.200.25.145 trafficmp.com #cooklop
    O1 - Hosts: 64.200.25.145 www.trafficmp.com #cooklop

    O2 - BHO: (no name) - {C2805C30-3FD0-42AA-AAF6-91A6F12C3E0D} - C:\WINNT\System32\abbliftter.dll (file missing)

    O3 - Toolbar: (no name) - {6590A5BB-CB0B-46F7-A18C-753C20BA3B8B} - (no file)

    O4 - HKLM\..\Run: [MSTestNB] C:\WINNT\IEXPLORd.EXE

    O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Gbi1r6.exe

    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://65.83.242.102/sdccommon/download/tgctlcm.cab

    O16 - DPF: {3F0EECCE-E138-11D1-8712-0060083D83F5} (LPViewer Class) - http://www.mgisoft.com/ActiveX/LPControl.cab

    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/26b5951303346d...tzip/RdxIE6.cab

    O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB

    O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab



    Then reboot into safe mode : http://dotcomsecurity.org/forums/index.php?showtopic=55

    C:\WINNT\System32\Nvr0A.exe

    C:\WINNT\System32\KrwH5.exe

    C:\WINNT\IEXPLORd.EXE

    Reboot, rescan and post a fresh log please.
     
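    The replies above pick out three kinds of entry by eye: O1 hosts-file lines that send well-known domains to a remote address instead of 127.0.0.1, O2/O3/O9 entries whose referenced file is already gone, and O4 autoruns whose executable lives directly in the Windows directory under a name that mimics a real system binary (IEXPLORd.EXE beside iexplore.exe). The script below is an added triage example, not part of the thread or of HijackThis; it applies those same checks to a constructed set of log lines modelled on the ones in this thread. The allowlist of known binary names and the system-directory prefixes are assumptions chosen for the example.

```python
"""Triage helper for HijackThis-style log lines (added example).

Flags: hosts-file redirects to non-local IPs, orphaned BHO/toolbar/button
references, autorun executables that mimic known system binaries, and
unrecognised autoruns launched from the Windows directory tree.
"""
import re
from ipaddress import ip_address

# Constructed sample lines, modelled on the kinds of entry seen in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://liveireland.com/
O1 - Hosts: 64.200.25.145 gator.com #cooklop
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C2805C30-3FD0-42AA-AAF6-91A6F12C3E0D} - C:\WINNT\System32\abbliftter.dll (file missing)
O3 - Toolbar: (no name) - {6590A5BB-CB0B-46F7-A18C-753C20BA3B8B} - (no file)
O4 - HKLM\..\Run: [MSTestNB] C:\WINNT\IEXPLORd.EXE
O4 - HKLM\..\Run: [2SWZKN82R5K47C] C:\WINNT\System32\Gbi1r6.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

# Assumed allowlist of well-known binary names used for the lookalike check.
KNOWN_BINARIES = {"iexplore.exe", "explorer.exe", "svchost.exe", "winlogon.exe",
                  "lsass.exe", "rundll32.exe", "spoolsv.exe"}

# Assumed Windows directory prefixes (lower-cased) for the "launched from
# system directory" check.
SYSTEM_DIRS = ("c:\\winnt\\", "c:\\windows\\")


def edit_distance(a, b):
    """Levenshtein distance between two strings (small DP, row by row)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name, known=KNOWN_BINARIES):
    """Return the known binary this filename mimics (distance 1), else None."""
    name = name.lower()
    if name in known:
        return None
    for k in known:
        if edit_distance(name, k) == 1:
            return k
    return None


def hosts_redirect(rest):
    """For the text after 'O1 - ', return (ip, host) if the IP is not local."""
    m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", rest)
    if not m:
        return None
    try:
        ip = ip_address(m.group(1))
    except ValueError:
        return None
    if ip.is_loopback or ip.is_unspecified:
        return None
    return (m.group(1), m.group(2))


def autorun_path(rest):
    """Extract the executable path from the text after 'O4 - ' (quoted or not)."""
    m = re.search(r'\]\s+"?([^"]*?\.exe)"?', rest, re.I)
    return m.group(1) if m else None


def triage(log):
    """Return a list of (line, reason) for every line that deserves a look."""
    findings = []
    for line in log.splitlines():
        m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line)
        if not m:
            continue
        kind, rest = m.groups()
        if kind == "O1":
            r = hosts_redirect(rest)
            if r:
                findings.append((line, f"hosts redirect: {r[1]} -> {r[0]}"))
        elif kind in ("O2", "O3", "O9") and ("(no file)" in rest or "(file missing)" in rest):
            findings.append((line, "orphaned reference to missing file"))
        elif kind == "O4":
            path = autorun_path(rest)
            if not path:
                continue
            base = path.replace("/", "\\").rsplit("\\", 1)[-1]
            mimic = lookalike(base)
            if mimic:
                findings.append((line, f"lookalike of {mimic}: {base}"))
            elif path.lower().startswith(SYSTEM_DIRS) and base.lower() not in KNOWN_BINARIES:
                findings.append((line, f"unrecognised autorun in system directory: {base}"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason:55} | {line}")
```

    On the sample the script reports five lines: the gator.com redirect, the two orphaned O2/O3 entries, IEXPLORd.EXE as a lookalike of iexplore.exe, and Gbi1r6.exe as an unrecognised autorun under C:\WINNT. Entries it does not flag (the Google toolbar, ccApp under Program Files, the loopback hosts line) still need a human to confirm they are expected; the point is to narrow the list, not to replace the review the helpers above did.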
  7. lynmaire

    lynmaire Thread Starter

    Joined:
    Sep 1, 2004
    Messages:
    6
    Will repost after I've done the scans.
     
  8. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    114,860
    lynmaire,

    I have merged all of your threads together. Please continue replying to this thread rather than starting new ones.
     
Short URL to this thread: https://techguy.org/269186