Discussion in 'adware, spyware & hijack cleaning' started by Raoul K, May 15, 2004.

Thread Status:
Not open for further replies.
  1. Raoul K

    Raoul K Registered Member

    May 15, 2004
    Hey, how's everything? The program isn't doing anything (not that I know of), but it still bugs me that it's there, so if you can help me delete it I would highly appreciate it. Thank you. (The file is msg121.cpy.dll.)

    Logfile of HijackThis v1.97.7
    Scan saved at 3:39:37 PM, on 5/15/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\Common Files\Dell\EUSW\Support.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Linksys\WUSB11 v25 Config Utility\WUSB11Cfg.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Documents and Settings\custome\Local Settings\Temp\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O1 - Hosts: ý_‘
    O1 - Hosts: ý_‘
    O1 - Hosts: ý_‘ ieautosearch
    O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [DownloadAccelerator] C:\PROGRA~1\DAP\DAP.EXE /STARTUP
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security Professional\UrlLstCk.exe
    O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
    O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Instant Wireless Configuration Utility.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Run DAP (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: IEToolbarCab -
    O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} -
    O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) -
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) -
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
    O16 - DPF: {1EB17D1C-141D-4D9D-91CB-24D99215851D} -
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
    O16 - DPF: {9B4AA442-9EBF-11D5-8C11-0050DA4957F5} -
    O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} -
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
    O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) -
    O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} -
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) -
    O16 - DPF: {EEECA057-AD0F-44A7-8BE5-8634CEDBDBD1} -

    thank you once again
    Regards Raoul K
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Apr 27, 2002
    Hi Raoul K,

    Download VX2. BetterInternet Finder from

    This will only work on Win2K, XP

    -Finds all files created by Look2Me

    *(although it is possible an error could
    occur detecting and listing files, but
    **skilled eyes looking at filenames
    can decide that fairly quickly..
    it hasn't been wrong yet)
    Also confirmation needed for every file
    to delete. (safety)

    1.) Delete all files found (VX2Finder will "End Task" on
    up to 2 instances of Rundll32.exe automatically)
    You will get a message about "cannot delete this one"
    matching the same name in the Guardian Key.

    2.) Click "Open regedit" will take you right to
    the Guardian Key (no need to search for it)
    Guide user through procedure of

    Highlight "Guardian", RightClick and choose
    Security/permissions, you'll get another
    window with 'advanced'..
    DE-select (uncheck) the lower box with
    "inheritable permissions"
    hit 'ok' and 'remove' on the following
    security prompts.

    Restart computer.

    3.) On restart use VX2Finder again, select + delete the
    last file, click "User Agent$" will remove that
    entry from the registry.

    4.) Click "Open regedit" again, this time
    restoring the checkmark in "inheritable permissions"

    5.) Click "Guardian.reg" Deletes the Guardian

    6.) Using Find again should produce a clean log of blank values.

    7.) Click "Restore Policy" to restore the Debug
    policy altered in the Look2Me installation. (requires
    reboot to apply, but not immediately necessary)

    'Purpose of this so far is to keep the user out of
    the system directory, and out of the registry where
    they will get themselves into trouble.
    Using VX2Finder buttons limits them to "one click"
    operations and an unfortunate but necessary
    regedit of the "inheritable permissions".
    Again using the VX2Finder Regedit button opens
    directly on whatever Guardian key they have,
    limiting the user to the correct area instead of
    trusting them to find it on their own.
    *If the Guardian Key does not exist, regedit will open
    one level up on the Notify key.

    The total fix to remove all Look2Me components
    listed only requires 1 reboot.

    Post a new HijackThis log when you are done.
    There will be some leftovers to take care of.
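
Added example, not part of either post and not code from HijackThis or VX2Finder: a small Python parser for the log format shown in the first post, run over lines copied from that log. The three review notes it attaches are this example's own triage heuristics (assumptions), not verdicts from the thread.

```python
import re

# Lines copied verbatim from the HijackThis log in the first post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {021BB032-80A8-4FB6-B3D5-CF27B1553B95} - C:\WINDOWS\mslagent\4b_1,0,1,0_mslagent.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [mslagent] C:\WINDOWS\mslagent\mslagent.exe
O4 - HKCU\..\Run: [Instant Access] rundll32.exe EGCOMLIB_1035.dll,InstantAccess
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^,"]+)', re.IGNORECASE)


def parse_entry(line):
    """Return a dict for one 'Xn - ...' entry, or None for other lines."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # header, running-process path or blank line
    code, body = m.groups()
    clsid = CLSID.search(body)
    entry = {"code": code, "body": body, "notes": [],
             "clsid": clsid.group(0) if clsid else None}
    # Review notes below are heuristics assumed for this example.
    if body.endswith("(file missing)"):
        entry["notes"].append("registered file is missing on disk")
    if body.endswith("= ?"):
        entry["notes"].append("startup shortcut target not resolved")
    run = RUN.match(body)
    if run:
        entry.update(zip(("hive", "key", "name", "command"), run.groups()))
        dll = RUNDLL.match(entry["command"])
        if dll and "\\" not in dll.group(1):
            entry["notes"].append("rundll32 DLL given without a path")
    return entry


def triage(log_text):
    """Parse a whole log; return (all entries, entries carrying notes)."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    return entries, [e for e in entries if e["notes"]]


if __name__ == "__main__":
    _, flagged = triage(SAMPLE_LOG)
    for e in flagged:
        print(e["code"], "|", "; ".join(e["notes"]), "|", e["body"])
```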

