Ran Ad-ware to help stop browser pop-ups. Log below.

Discussion in 'adware, spyware & hijack cleaning' started by gowings, Jul 16, 2004.

Thread Status:
Not open for further replies.
  1. gowings

    gowings Registered Member

    Joined:
    Jul 16, 2004
    Posts:
    1
    Logfile of HijackThis v1.97.7
    Scan saved at 10:52:58 AM, on 7/16/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe
    C:\DMI\WIN32\bin\DellDmi.exe
    C:\Program Files\Dell\OpenManage\Client\EventAgt.exe
    C:\Program Files\Dell\OpenManage\Client\DLT.exe
    C:\Program Files\Dell\OpenManage\Client\Iap.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft Analysis Services\Bin\msmdsrv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\dmi\win32\bin\Win32sl.exe
    C:\Program Files\RightFax\faxctrl.exe
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LoadGolfCourses.exe
    C:\Program Files\OfficeXP\Office10\OUTLOOK.EXE
    C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Documents and Settings\gnaum\Local Settings\Temporary Internet Files\Content.IE5\1RVNXDGQ\HijackThis[1].exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://infoweb.comshare.com/
    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {AC4A882B-4E7A-4C6F-BB9E-0336FBCC7DF5} - C:\WINDOWS\System32\dgcrpsetu.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
    O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
    O4 - HKLM\..\Run: [RightFAX Print-to-Fax Driver] C:\Program Files\RightFax\faxctrl.exe
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
    O4 - Global Startup: LoadGolfCourses.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: stamp.dat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\OfficeXP\Office10\EXCEL.EXE/3000
    O9 - Extra button: Create Mobile Favorite (HKLM)
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O15 - Trusted Zone: http://answerlink.gama.us.geac.com
    O15 - Trusted Zone: http://answerlink.us.org.geac.com
    O15 - Trusted Zone: http://answerwebqa.gama.us.geac.com
    O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
    O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37886.4712731481
    O16 - DPF: {B38DAA80-BCDB-11D5-B05C-0001031AD03B} (MemberAllocation.clsMemberAllocation) - http://msurel3/deciweb/mpc/MemberAllocation.Cab
    O16 - DPF: {CC693687-B38E-45BA-B846-A85DCCDC3E17} (GlobalEvent.clsGlobalEvent) - http://msurel3/deciweb/mpc/GlobalEvent.Cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = us.org.geac.com
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\Software\..\Telephony: DomainName = us.org.geac.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2AA85C2D-194D-48DF-84F1-6FE5F0D81448}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{3E78B171-5B8A-48E5-B1FD-5B4942D43B53}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5679CB7B-26E2-4C96-A1D3-0C689C4AFEA1}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{583A2DB6-66E5-439D-8CB4-BC23A73544B5}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{73AAF417-BDF2-4C55-8D10-91D4E6833772}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{B8EF69FD-A1E3-4DB1-8754-31AAF89B17DB}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D7A07BFF-85C0-461C-9EA3-1CBEDECE37E9}: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = us.org.geac.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = us.org.geac.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
    O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
     
  2. Marianna

    Marianna Spyware Fighter

    Joined:
    Apr 23, 2002
    Posts:
    1,215
    Location:
    B.C. Canada
    Hi gowings

    Pls. save your HijackThis into its OWN folder - like C:\Hijackthis.

    Check the following items in HijackThis.
    Close all windows except HijackThis and click "Fix checked":

    R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)

    O2 - BHO: (no name) - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll (file missing)

    O2 - BHO: (no name) - {AC4A882B-4E7A-4C6F-BB9E-0336FBCC7DF5} - C:\WINDOWS\System32\dgcrpsetu.dll (file missing)

    O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\OfficeXP\Office10\OSA.EXE <-----optional

    Did YOU put this in "trusted Zone" ??
    O15 - Trusted Zone: http://answerlink.gama.us.geac.com
    O15 - Trusted Zone: http://answerlink.us.org.geac.com
    O15 - Trusted Zone: http://answerwebqa.gama.us.geac.com
    If NOT - pls. check !


    Make sure you can view hidden and system files: Instructions here

    Then Boot to safe mode: Instructions here

    Delete the following files\folders IF still present:

    C:\Program Files\TV Media <-----folder

    Then reboot and use AdAware as described:
    HERE

    Spybot S&D
    The download for Spybot S&D is available here: http://www.computercops.biz/downloads-file-108.html

    Install by double-clicking on the downloaded file.
    Run Spybot S&D from desktop icon or Start menu.
    Press "Search for updates" button to get list of updates available.
    Press "Download updates" button.
    Close all IE windows and close & restart Spybot S&D.
    Press "Check for problems" button.
    Have SpyBot remove all it marks in red by pressing "Fix selected problems".

    Close Spybot S&D, reboot your system.

    Then browse to the C:\Documents and Settings\User Name (repeat for all users)\Local Settings\Temp folder and delete all files and folders in it.
    Then browse to the C:\Windows\Temp folder and delete all files in it.
    Then in Internet Explorer click Tools > Internet Options > General. Click on Delete Files and make sure you get all offline content as well.

    Then Disable system restore: Instructions here
    Reboot

    Enable System Restore.

    Problem gone?
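
An added example, not part of either post and not HijackThis's own code: a small Python triage pass over a log in the format shown in the first post. It groups entries by section code, flags entries marked `(no file)` or `(file missing)` (the kind of leftover registry entry the reply asks to fix), and lists the distinct O17 `NameServer` values so they can be compared with the resolvers the network is expected to use; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Entry lines start with a section code such as R3, O2 or O17, then " - ".
ENTRY = re.compile(r"^\s*([RNFO]\d{1,2}) - (.*)$")
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
NAMESERVER = re.compile(r"NameServer = (\S+)$")

def parse_log(text):
    """Return {section code: [entry text, ...]}, skipping header/process lines."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            sections[m.group(1)].append(m.group(2).strip())
    return dict(sections)

def orphaned(sections):
    """Entries whose registry reference remains but whose file is gone."""
    return [(code, e) for code, entries in sections.items()
            for e in entries if ORPHAN.search(e)]

def nameservers(sections):
    """Distinct O17 NameServer addresses, deduplicated across control sets."""
    found = set()
    for e in sections.get("O17", []):
        m = NAMESERVER.search(e)
        if m:
            found.update(m.group(1).split(","))
    return sorted(found)

# Sample lines copied from the log in the first post of this thread.
SAMPLE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {12DF6E3E-6272-4AE8-880B-2158D60791C0} - C:\Program Files\Homepage\WinPage.dll (file missing)
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14,69.57.147.175
"""

if __name__ == "__main__":
    s = parse_log(SAMPLE)
    for code, entry in orphaned(s):
        print("orphaned:", code, "-", entry)
    print("O17 NameServer values:", ", ".join(nameservers(s)))
```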
     