
Solved: Help with HijackThis Log Please!

Discussion in 'Virus & Other Malware Removal' started by tlmm, Apr 11, 2005.

Thread Status:
Not open for further replies.
  1. tlmm

    tlmm Thread Starter

    Joined:
    Feb 6, 2004
    Messages:
    57
    Can someone tell me if there's anything that needs to be removed in the log file posted below? I keep getting popups. Running Ad Aware brings back a lot of objects each time I run it and I try to remove them, but they still come back each time I run Ad Aware.

    Logfile of HijackThis v1.99.1
    Scan saved at 8:30:59 AM, on 4/11/05
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
    C:\Program Files\Bpt\bpt.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\windows\system32\teZWvFeo.exe
    C:\Program Files\bpc_search\BPCv2.exe
    C:\WINDOWS\System32\gah95on6.exe
    C:\WINDOWS\system32\teZWvFeo.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    C:\windows\system32\taskmg.exe
    C:\WINDOWS\System32\slbecsvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\sesc32.exe
    C:\Documents and Settings\npower.nlowe\Application Data\ottn.exe
    C:\WINDOWS\System32\w?nword.exe
    C:\PROGRA~1\COMMON~1\rruf\rrufm.exe
    C:\PROGRA~1\COMMON~1\rruf\rrufa.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\npower.nlowe\Desktop\Tammy\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
    O2 - BHO: (no name) - {A98C23BA-B97B-EADF-7756-EE5B565B60E6} - C:\WINDOWS\System32\ewtdca.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\NPOWER~1.NLO\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [RMSpGR9WL.exe] C:\windows\system32\RMSpGR9WL.exe
    O4 - HKLM\..\Run: [teZWvFeo.exe] c:\windows\system32\teZWvFeo.exe
    O4 - HKLM\..\Run: [BPCv2] C:\Program Files\bpc_search\BPCv2.exe
    O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\Run: [RMSpGR9WL] C:\windows\system32\RMSpGR9WL.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [foqmRki5S] sesc32.exe
    O4 - HKCU\..\Run: [Uahu] C:\Documents and Settings\npower.nlowe\Application Data\ottn.exe
    O4 - HKCU\..\Run: [Dzkrsm] C:\WINDOWS\System32\w?nword.exe
    O4 - HKCU\..\Run: [rruf] C:\PROGRA~1\COMMON~1\rruf\rrufm.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/MyFunCardsFWBInitialSetup1.0.0.8.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50252/QDow_AS2.cab
    O16 - DPF: {9AE283A5-DF43-4C83-B6AA-7EBDBDB0204A} (VacPro.canada_ver10) - http://advnt01.com/dialer/canada_ver10.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

    Thanks in advance!
     
  2. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    hi, welcome to TSG.

    go to add/remove and uninstall if there.

    wintools/esyndicate/flash enhancer and any other toolbars, but not yahoo, or google.

    Move hijack this to its own folder!
    Save hijack this to its own folder such as c:\ hijack this so that it runs
    properly and can make back ups. Click scan then save the log
    and post it here so we can take a look at it for you.


    go to this site and download these tools and once you get both
    adaware and spybot, update both of them.

    Set adaware to do a full system scan and deselect, "search for negligible risk entries".
    Click next to start the scan. Delete everything adaware finds.

    reboot and now run spybot

    Spybot: Search and destroy.

    Delete what spybot finds marked in red. After updating spybot hit the immunize
    button.

    reboot again


    With CWshredder close all browsers and programmes and select the FIX button.



    Go here and download Microsoft Antispyware Beta. First in the top menu click File then Check for updates to download the definitions updates.

    After updating look in the right side of the main window under "Run Quick Scan Now" and click Spyware scan options. In that window put a tick by Run a full system scan and then put a check by all three options below that then click Run Scan now.

    When the scan is finished, let it fix anything that it finds (have it quarantine the items that have that option rather than delete just in case. It is a beta program and there may be false positives)

    Restart your computer.



    All tools can be downloaded at the link below!

    . Microsoft Antispyware Beta
    . cwshredder
    . SpyBot search and destroy


    http://www.majorgeeks.com/downloads31.html

    have hijack this fix these entries.

    O2 - BHO: (no name) - {8DA5457F-A8AA-4CCF-A842-70E6FD274094} - C:\PROGRA~1\COMMON~1\WinTools\WToolsT.dll (file missing)
    O2 - BHO: FlashEnhancer Extender - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - c:\Program Files\Flen\flen.dll
    O2 - BHO: (no name) - {A98C23BA-B97B-EADF-7756-EE5B565B60E6} - C:\WINDOWS\System32\ewtdca.dll
    O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
    O2 - BHO: Band Class - {CC378B83-9577-44D0-B4F8-0DD965E176FC} - C:\Program Files\eSyndicate\esyn.dll
    O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
    O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
    O4 - HKLM\..\Run: [DI2] "C:\DOCUME~1\NPOWER~1.NLO\LOCALS~1\Temp\27.exe\27.exe"
    O4 - HKLM\..\Run: [RMSpGR9WL.exe] C:\windows\system32\RMSpGR9WL.exe
    O4 - HKLM\..\Run: [teZWvFeo.exe] c:\windows\system32\teZWvFeo.exe
    O4 - HKLM\..\Run: [BPCv2] C:\Program Files\bpc_search\BPCv2.exe
    O4 - HKLM\..\Run: [FlenCPY] "C:\Program Files\Common Files\Java\flencpy.exe"
    O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
    O4 - HKLM\..\Run: [RMSpGR9WL] C:\windows\system32\RMSpGR9WL.exe
    O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    O4 - HKCU\..\Run: [foqmRki5S] sesc32.exe
    O4 - HKCU\..\Run: [Uahu] C:\Documents and Settings\npower.nlowe\Application Data\ottn.exe
    O4 - HKCU\..\Run: [Dzkrsm] C:\WINDOWS\System32\w?nword.exe
    O4 - HKCU\..\Run: [rruf] C:\PROGRA~1\COMMON~1\rruf\rrufm.exe
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
    O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50252/QDow_AS2.cab
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


    reboot to safe mode and find and delete these files and folders if there.


    booting into safemode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    c:\Program Files\Flen\flen.dll
    C:\WINDOWS\System32\ewtdca.dll
    C:\Program Files\SEP\sep.dll
    C:\Program Files\eSyndicate\esyn.dll
    "C:\Program Files\Bpt\bpt.exe"
    "C:\Program Files\Common Files\Java\bptre.exe"
    "C:\DOCUME~1\NPOWER~1.NLO\LOCALS~1\Temp\27.exe\27.exe"
    C:\windows\system32\RMSpGR9WL.exe
    c:\windows\system32\teZWvFeo.exe
    C:\Program Files\bpc_search\BPCv2.exe
    "C:\Program Files\Common Files\Java\flencpy.exe"
    C:\WINDOWS\System32\gah95on6.exe
    C:\windows\system32\RMSpGR9WL.exe
    C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
    sesc32.exe
    C:\Documents and Settings\npower.nlowe\Application Data\ottn.exe
    C:\WINDOWS\System32\w?nword.exe
    C:\PROGRA~1\COMMON~1\rruf\rrufm.exe


    Run an online antivirus check from at least one and preferably 2 of the following sites....
    http://housecall.trendmicro.com/
    http://www.pandasoftware.com/activescan/
    http://www.ravantivirus.com/scan/
    http://support.f-secure.com/enu/home/ols.shtml

    make sure autoclean is enabled on the scans

    post another log after cleaning up.

    khaz
     
  3. tlmm

    tlmm Thread Starter

    Joined:
    Feb 6, 2004
    Messages:
    57
    Thanks!

    I tried your suggestions and here is the new log file.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:06:50 AM, on 4/13/05
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\regrxy.exe
    C:\WINDOWS\System32\w?nword.exe
    C:\WINDOWS\system32\teZWvFeo.exe
    C:\WINDOWS\system32\teZWvFeo.exe
    C:\Documents and Settings\npower.nlowe\Desktop\Tammy\Hijack This\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKLM\..\Run: [teZWvFeo.exe] C:\WINDOWS\system32\teZWvFeo.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [foqmRki5S] regrxy.exe
    O4 - HKCU\..\Run: [Dzkrsm] C:\WINDOWS\System32\w?nword.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9AE283A5-DF43-4C83-B6AA-7EBDBDB0204A} (VacPro.canada_ver10) - http://advnt01.com/dialer/canada_ver10.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    Is there anything else that needs to be removed?

    Thanks.
     
  4. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    you need to move hijack this to its own folder so it can run properly and make back ups, such as C:\ hijack this!

    do a ctrl/alt/del and stop these processes running if there.

    regrxy.exe
    w?nword.exe
    teZWvFeo.exe




    have hijack this fix these entries.


    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.yahoo.com/search?p=%s
    O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O3 - Toolbar: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
    O4 - HKLM\..\Run: [teZWvFeo.exe] C:\WINDOWS\system32\teZWvFeo.exe
    O4 - HKCU\..\Run: [foqmRki5S] regrxy.exe
    O4 - HKCU\..\Run: [Dzkrsm] C:\WINDOWS\System32\w?nword.exe

    reboot to safe mode and find and delete these files if there.

    booting into safemode

    http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam


    Because XP will not always show you hidden files and folders by default,
    Go to Start > Search and under "More advanced search options".
    Make sure there is a check by "Search System Folders" and "Search hidden
    files and folders" and "Search system subfolders"

    Next click on My Computer. Go to Tools > Folder Options. Click on the View
    tab and make sure that "Show hidden files and folders" is checked. Also
    uncheck "Hide protected operating system files" and "Hide extensions for
    known file types" . Now click "Apply to all folders"
    Click "Apply" then "OK"

    C:\WINDOWS\system32\teZWvFeo.exe
    C:\WINDOWS\system32\regrxy.exe
    C:\WINDOWS\System32\w?nword.exe

    post another log
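
Added example, not part of the original thread: a small Python parser that compares the O4 (registry Run) lines of two HijackThis scans, using excerpts copied from the 4/11/05 and 4/13/05 logs above. It shows which autostart entries the first cleanup removed, which survived, and that the `[foqmRki5S]` value kept its name but changed target from `sesc32.exe` to `regrxy.exe`. The function names and result keys are this example's own.

```python
import re

# O4 lines copied from the 4/11/05 and 4/13/05 logs in this thread (excerpts, not full logs).
LOG_APR11 = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [teZWvFeo.exe] c:\windows\system32\teZWvFeo.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [foqmRki5S] sesc32.exe
O4 - HKCU\..\Run: [Dzkrsm] C:\WINDOWS\System32\w?nword.exe
"""
LOG_APR13 = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [teZWvFeo.exe] C:\WINDOWS\system32\teZWvFeo.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [foqmRki5S] regrxy.exe
O4 - HKCU\..\Run: [Dzkrsm] C:\WINDOWS\System32\w?nword.exe
"""

# Line shape: "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^\s*O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\]\s*(.*?)\s*$")


def parse_o4(log_text):
    """Map (hive, key, value name) -> command for every O4 autostart line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            entries[(hive, key, name)] = command
    return entries


def diff_autoruns(before_text, after_text):
    """Compare two scans; commands are compared case-insensitively, like Windows paths."""
    before, after = parse_o4(before_text), parse_o4(after_text)
    result = {"removed": [], "added": [], "retargeted": [], "survived": []}
    for ident, command in before.items():
        if ident not in after:
            result["removed"].append(ident[2])
        elif after[ident].lower() != command.lower():
            # Same registry value name, different target between the two scans.
            result["retargeted"].append((ident[2], command, after[ident]))
        else:
            result["survived"].append(ident[2])
    result["added"] = [ident[2] for ident in after if ident not in before]
    return result


if __name__ == "__main__":
    for kind, items in diff_autoruns(LOG_APR11, LOG_APR13).items():
        print(kind, items)
```
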
     
  5. tlmm

    tlmm Thread Starter

    Joined:
    Feb 6, 2004
    Messages:
    57
    I removed the files you listed and here is the latest log file:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:46:49 AM, on 4/14/05
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\system32\fxssvc.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\keyhook.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\userinit.exe
    C:\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://companyweb
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\AOpen\Mouse\Amoumain.exe
    O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O14 - IERESET.INF: START_PAGE_URL=http://companyweb
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {9AE283A5-DF43-4C83-B6AA-7EBDBDB0204A} (VacPro.canada_ver10) - http://advnt01.com/dialer/canada_ver10.CAB
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

    How does this look?

    Thanks.
     
  6. khazars

    khazars

    Joined:
    Feb 15, 2004
    Messages:
    12,302
    your log is clean. Is your computer running better now?


    to stop reinfection get these two tools, spywareguard and spywareblaster from

    www.javacoolsoftware.com


    get the hosts file from here.

    put it into C:\windows\system32\drivers\etc, for xp and w2k or

    C:\windows\ for 95,98 and ME

    http://www.mvps.org/winhelp2002/hosts.htm


    ie-spyad. Puts over 5000 sites in your restricted zone so you'll be protected

    when you visit innocent-looking sites that aren't actually innocent at all.

    https://netfiles.uiuc.edu/ehowes/www/resource.htm


    winpatrol

    http://www.winpatrol.com/winpatrol.html


    prevX a new tool, looks like a good one

    http://www.prevx.com/prevxhome.asp


    Use spybot's immunize button and use spywareblaster's enable
    protection once you update it. you can put spybot's hosts file into
    your own and lock it. Plus you can also turn on spybot's tea timer
    for added protection against pests.

    I would also suggest switching to Mozilla's firefox browser, it's safer, has a built in pop up blocker, blocks cookies and ads.

    http://www.mozilla.org/

    you can mark your own thread solved through thread tools at the top of
    the page.
     
  7. tlmm

    tlmm Thread Starter

    Joined:
    Feb 6, 2004
    Messages:
    57
    Thanks for all your help. The computer seems to be working fine now. I will have a look at those other tools you mentioned.

    Thanks again.
     
Short URL to this thread: https://techguy.org/351739
