Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

clicksearchclick.com.....the aftermath

Started by supermungky , May 25 2005 01:37 AM

Please log in to reply

#1
supermungky

Posted 25 May 2005 - 01:37 AM

Member

Member
35 posts

hey gang--

my laptop was hit hard by the clicksearchclick.com spyware/virus cluster today and I've been working on it for a while. What I've done so far:

Used killbox, smitfraud, and went into safemode using hijackthis to remove some malicious stuff in accordance to some other clicksearchclick threads in this forum.

Ran Microsoft Antispyware, Ad-Aware Antispyware, Windows CleanUp, and CWShredder to clean up some bits and pieces.

the laptop is running a lot better, and appears to be back in order, but I'm still nervous about putting it back online because I'm not convinced that I got everything out of it.

Check it out:

Logfile of HijackThis v1.99.1
Scan saved at 9:23:19 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\[NAME]\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [befxqer] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [xjhfdqk] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [bawyevt] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [alfjbhc] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wckbdlh] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [lhcfoej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wdntjxe] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [eddoaej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [rsvnaca] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [oafmuff] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [iaqtifr] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [pwekmvb] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [tpbrojm] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [dgechjd] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [wqpdyck] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [crmmreq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [jpadbmt] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [grkmygj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [rkbnpgj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [yrhojqo] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [bgtbhdq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [hgelles] c:\windows\xdiolan.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
O16 - DPF: {23F9F3F9-FDB0-3EEF-EF7B-216C470ECC14} - http://69.50.182.94/1/gdnUS1882.exe
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.9.36.139/wg_webeye.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

mahalo!!

Edited by supermungky, 25 May 2005 - 01:47 AM.

#2
supermungky

Posted 25 May 2005 - 03:50 AM

Member

Topic Starter
Member
35 posts

yet another problem in the aftermath of the clicksearchclick.com infection:

Norton Auto-Protect will not "enable"

after trying and trying to get all the bits and pieces, I know something is still wrong here.

Can anyone help please....

Logfile of HijackThis v1.99.1
Scan saved at 11:48:02 PM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Documents and Settings\[MY NAME]\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [befxqer] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [xjhfdqk] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [bawyevt] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [alfjbhc] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wckbdlh] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [lhcfoej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wdntjxe] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [eddoaej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [rsvnaca] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [oafmuff] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [iaqtifr] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [pwekmvb] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [tpbrojm] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [dgechjd] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [wqpdyck] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [crmmreq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [jpadbmt] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [grkmygj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [rkbnpgj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [yrhojqo] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [bgtbhdq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [hgelles] c:\windows\xdiolan.exe
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {23F9F3F9-FDB0-3EEF-EF7B-216C470ECC14} - http://69.50.182.94/1/gdnUS1882.exe
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.9.36.139/wg_webeye.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

#3
Metallica

Posted 25 May 2005 - 03:56 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Since the problems are related and we can't afford to waste two people helping on the same issues, I have merged your threads.

Click here to download pskill.zip
http://www.sysintern...iles/pskill.zip

Extract pskill.exe to your system32 folder. It is a zip and the exe must be extracted to system32 for this to have any chance of working.

------------------------------
Download and Save Spywad Remove.zip to your C:\ Directory from this link:

http://spywarewarrio...ywad_Remove.zip

Open C:\ (Go to Start>Run and type C: Press enter) and extract the Spywad Folder from Spywad Remove.zip to C:\. This will create a folder --
C:\Spywad Remove. Open the folder. Double click on Remove Spywad.vbs If you have script blocking enabled you will get a warning about a malicious script. Please allow this script to run. It is not malicious.

It will open an Input box. Type the full path and file name :
c:\windows\xdiolan.exe

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Remove Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

** Script Does not remove the orphaned run entries.

Finally, it will Run hijackthis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If hijackthis doesn't start, run it manually.

--------------------------
When finished, post the contents of Spywad.txt and a new Hijackthis log.

If the files deleted are all found to be part of the infection and nothing important has been deleted, you will be instructed to delete the entire Spywad Remove Folder after you have cleaned up all other User Profiles on that system.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

Then run hijackthis and remove the entries as directed by your Forum Advisor.

---------------------------------------------------------

After everything has been fixed, and you want to reset your wallpaper, open Display Properties > Desktop Tab. Choose a Wallpaper and apply. Close Display Properties. To see the change, click on the desktop and press F5.

Regards,

#4
supermungky

Posted 25 May 2005 - 04:13 AM

Member

Topic Starter
Member
35 posts

Thanks for the response and for grouping my inquiries.

When the info is entered into Remove Spywad, it tells me that c:\windows\xdiolan.exe doesn't exist.

#5
Metallica

Posted 25 May 2005 - 04:20 AM

Spyware Veteran

GeekU Moderator
33,101 posts

That means you probbably killed it off very good. :tazz:

Disable MicroSoft AntiSpywares resident protection for the time it takes to get your log clean. By guarding your settings it might hinder us.

Check the items listed below in HijackThis, close all windows except HijackThis and click Fix checked:

O4 - HKCU\..\Run: [befxqer] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wupd] C:\WINDOWS\System32\win32.exe
O4 - HKCU\..\Run: [xjhfdqk] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [bawyevt] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [alfjbhc] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wckbdlh] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [lhcfoej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [wdntjxe] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [eddoaej] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [rsvnaca] c:\windows\numbbol.exe
O4 - HKCU\..\Run: [oafmuff] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [iaqtifr] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [pwekmvb] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [tpbrojm] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [dgechjd] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [wqpdyck] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [crmmreq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [jpadbmt] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [grkmygj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [rkbnpgj] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [yrhojqo] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [bgtbhdq] c:\windows\hhnefyk.exe
O4 - HKCU\..\Run: [hgelles] c:\windows\xdiolan.exe

O16 - DPF: {23F9F3F9-FDB0-3EEF-EF7B-216C470ECC14} - http://69.50.182.94/1/gdnUS1882.exe

Reboot into safe mode and delete:
C:\WINDOWS\System32\win32.exe <= if present

Post back with a new HijackThs log

Regards,

#6
supermungky

Posted 25 May 2005 - 04:35 AM

Member

Topic Starter
Member
35 posts

Done. After performing those tasks:

1) Norton Auto-Protect still will not enable, and

2) seems like my USB ports shut down (mouse will not work and jump drive is not recognized.

since I've been transferring the HJT log via jump drive to this desktop, I cannot show you the log. But basically, it looks like everything checked is no longer on the log.

#7
supermungky

Posted 25 May 2005 - 04:38 AM

Member

Topic Starter
Member
35 posts

okay. USB issue resolved by rebooting again. standby for HJT log

#8
Metallica

Posted 25 May 2005 - 04:39 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Can you reinstall Norton?

I have no way of finding out what has been damaged and it would be like looking for a needle in a haystack.

Let me know how far that gets us.

Regards,

#9
supermungky

Posted 25 May 2005 - 04:41 AM

Member

Topic Starter
Member
35 posts

here it is:

Logfile of HijackThis v1.99.1
Scan saved at 12:39:57 AM, on 5/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
C:\Program Files\eFax Messenger 3.5\J2GTray.exe
C:\WINDOWS\System32\RioMSC.exe
C:\Documents and Settings\\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - Global Startup: eFax DllCmd 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GDllCmd.exe
O4 - Global Startup: eFax Tray Menu 3.5.lnk = C:\Program Files\eFax Messenger 3.5\J2GTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (Web Camera Server Control) - http://200.9.36.139/wg_webeye.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...bio5_3_16_0.cab
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Rio MSC Manager (RioMSC) - Digital Networks North America, Inc. - C:\WINDOWS\System32\RioMSC.exe

Edited by supermungky, 25 May 2005 - 04:42 AM.

#10
supermungky

Posted 25 May 2005 - 04:57 AM

Member

Topic Starter
Member
35 posts

cannot reinstall Norton at this time because I need to find the disk. how does the HJT log look?

#11
Metallica

Posted 25 May 2005 - 04:58 AM

Spyware Veteran

GeekU Moderator
33,101 posts

Did you disable any startups while you were cleaning that might have been for NAV?

I'm looking for:

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

and probably some services.

But, like I said: it may be faster to re-install.

Regards,

#12
supermungky

Posted 25 May 2005 - 05:02 AM

Member

Topic Starter
Member
35 posts

in my initial haste to delete malicious items, I may have. I'll try re-installing when I get the disk from work. thanks.

#13
Metallica

Posted 25 May 2005 - 05:05 AM

Spyware Veteran

GeekU Moderator
33,101 posts

What did you use to remove them?
There may be backups.

Regards,

#14
supermungky

Posted 25 May 2005 - 05:12 AM

Member

Topic Starter
Member
35 posts

if I removed it by accident, it most likely would have been through HJT Fix function.

#15
Metallica

Posted 25 May 2005 - 05:17 AM

Spyware Veteran

GeekU Moderator
33,101 posts

In HijackThis click Config > Backups and look if you see a startup called ccApp

Select it and click Restore.
Then click Back and Scan
Post the new HijackThis log before you reboot, so we can check if we didn't get any bad boys back.

Regards,