Ran Ad-ware to help stop browser pop-ups. Log below.

Discussion in 'adware, spyware & hijack cleaning' started by gowings, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. gowings

    gowings Registered Member

    Jul 16, 2004
    Logfile of HijackThis v1.97.7
    Scan saved at 10:52:58 AM, on 7/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoadGolfCourses.exe
    C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\gnaum\Local Settings\Temporary Internet Files\Content.IE5\1RVNXDGQ\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://infoweb.comshare.com/
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AC4A882B-4E7A-4C6F-BB9E-0336FBCC7DF5} - C:\WINDOWS\System32\dgcrpsetu.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: LoadGolfCourses.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: stamp.dat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://answerlink.gama.us.geac.com
    O15 - Trusted Zone: http://answerlink.us.org.geac.com
    O15 - Trusted Zone: http://answerwebqa.gama.us.geac.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4712731481
    O16 - DPF: {B38DAA80-BCDB-11D5-B05C-0001031AD03B} (MemberAllocation.clsMemberAllocation) - http://msurel3/deciweb/mpc/MemberAllocation.Cab
    O16 - DPF: {CC693687-B38E-45BA-B846-A85DCCDC3E17} (GlobalEvent.clsGlobalEvent) - http://msurel3/deciweb/mpc/GlobalEvent.Cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.org.geac.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\Software\..\Telephony: DomainName = us.org.geac.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AA85C2D-194D-48DF-84F1-6FE5F0D81448}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E78B171-5B8A-48E5-B1FD-5B4942D43B53}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5679CB7B-26E2-4C96-A1D3-0C689C4AFEA1}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{583A2DB6-66E5-439D-8CB4-BC23A73544B5}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73AAF417-BDF2-4C55-8D10-91D4E6833772}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF69FD-A1E3-4DB1-8754-31AAF89B17DB}: NameServer =,
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7A07BFF-85C0-461C-9EA3-1CBEDECE37E9}: NameServer =,
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.org.geac.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer =,
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.org.geac.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer =,
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer =,
  2. Marianna

    Marianna Spyware Fighter

    Apr 23, 2002
    B.C. Canada
    Hi gowings

    Pls. save your HijackThis into its OWN folder - like C:\Hijackthis.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click "Fix checked":

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O2 - BHO: (no name) - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll (file missing)

    O2 - BHO: (no name) - {AC4A882B-4E7A-4C6F-BB9E-0336FBCC7DF5} - C:\WINDOWS\System32\dgcrpsetu.dll (file missing)

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE <-----optional

    Did YOU put this in "trusted Zone" ??
    O15 - Trusted Zone: http://answerlink.gama.us.geac.com
    O15 - Trusted Zone: http://answerlink.us.org.geac.com
    O15 - Trusted Zone: http://answerwebqa.gama.us.geac.com
    If NOT - pls. check !

    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\Program Files\TV Media <-----folder

    Then reboot and use AdAware as described:

    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system.

    Then browse to the C:\documents and settings\\User Name (repeat for all users)\local settings\temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

    Then Disable system restore: Instructions here

    Enable System Restore.

    Problem gone?
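
    An added example, not part of the original thread: a small Python parser for HijackThis-style log lines that flags entries marked "(file missing)" or "(no file)", the leftover registry references that make up three of the items selected for fixing in the reply above. The sample lines are copied from the log posted in this thread; the function names are illustrative.

```python
import re

# Entry lines look like "O2 - BHO: (no name) - {CLSID} - C:\path (file missing)".
ENTRY_RE = re.compile(r"^\s*(?P<code>[A-Z]\d{1,2}) - (?P<body>.+?)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Suffixes HijackThis appends when an entry has no file behind it.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\Internet Explorer\iexplore.exe
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll (file missing)
O2 - BHO: (no name) - {AC4A882B-4E7A-4C6F-BB9E-0336FBCC7DF5} - C:\WINDOWS\System32\dgcrpsetu.dll (file missing)
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O15 - Trusted Zone: http://answerlink.gama.us.geac.com
"""

def parse_entries(log_text):
    """Return one dict per entry line; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a "<section code> - ..." line
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": m.group("code"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
            "orphaned": body.endswith(ORPHAN_MARKERS),
        })
    return entries

def orphaned_entries(log_text):
    """Entries that reference a file HijackThis reported as absent."""
    return [e for e in parse_entries(log_text) if e["orphaned"]]

if __name__ == "__main__":
    for e in orphaned_entries(SAMPLE_LOG):
        print(e["code"], e["clsid"], "->", e["body"])
```

    An entry being flagged here only means its file is absent; entries with a file present, such as the TV Media Run key, still need a manual look.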