Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Hi Jack this log

Started by acdcrc , Oct 07 2004 06:33 AM

  • Please log in to reply

#1
acdcrc
Posted 07 October 2004 - 06:33 AM

acdcrc

    New Member

  • Member
  • Pip
  • 9 posts
Sorry but I forgot the Hi jack log. Ooops.!

I would be rapt if someone could help me get rid of Adware.CDT.


Logfile of HijackThis v1.98.2
Scan saved at 9:55:04 PM, on 7/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\golum\services.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BHODemon 2\BHODemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [Golum] C:\WINDOWS\System32\golum\services.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [NdkjOwEe] C:\documents and settings\roger2\local settings\temp\NdkjOwEe.exe
O4 - HKLM\..\Run: [3por8] C:\documents and settings\roger2\local settings\temp\3por8.exe
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Shcs] C:\Documents and Settings\Roger2\Application Data\f?nd.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Startup: BHODemon 2.0.lnk = C:\Program Files\BHODemon 2\BHODemon.exe
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {05A80B5C-1C5A-51DF-9DE3-187A4F3544DF} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {07614CF6-F83B-2A35-0CBF-56C832D66978} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {09385BFA-54FB-5156-9E3A-623D77018EDD} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitsto...p/PCPitStop.CAB
O16 - DPF: {0EBE77E8-0B66-54B8-A69E-5FE54C6F8EC0} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...d7510b28ebf1261
O16 - DPF: {17492A7B-D656-39E7-71BF-4DA14A54E7E6} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {1DB8A98C-8E23-29F6-6713-10AD2E7CF568} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {2221BFC5-E613-56B8-F113-042C1C6103D0} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {28170FAF-DF95-7E7E-C215-7BDC4BBA840F} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2A745F61-C6BD-2294-8C14-700A1C9CE5BB} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2BA04D2A-D732-4694-C8E0-5DE844BB518B} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2C28931E-F60D-2712-B42F-21602773BA04} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2F2986D2-8746-2409-8205-16A20601D4B6} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {4A374FCB-258F-12CA-0879-3754072E0804} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4AA502A7-80F3-0128-D9C2-4DF36AAD8E9D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4C7D41EC-70DC-4168-DA34-0EC36FF24DF3} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4FD2CF62-5FD3-5BA3-A13B-4BCA294ACADE} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {55BF7D94-A9A9-7A46-7BE7-2DF758DB8037} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {5B5AE2CC-CE20-0ABD-74D6-01FE7B0CC6A8} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {5CD8E3A8-C669-6D5A-E0BB-5C9200803772} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {62B61F87-F1B1-769B-6739-3F783A421F4D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {636451B6-6767-4191-4D51-3A2911AE6520} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093344930196
O16 - DPF: {68C79730-3924-674C-FF5A-6C7D27B4A1B1} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {6C0D52B1-0B88-72BA-6812-6FFA0F596F5B} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {6E76033B-57A1-6DEF-AAAA-579511C9E1CD} - http://69.50.188.54/1/rdgAU208.exe
O16 - DPF: {6F1B6D05-F750-1CA9-266E-3893331DB310} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {733A9976-5257-65C4-6B79-22AC64CE2C41} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {73472526-496F-7580-28CC-019924BC9A0D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {734934A2-B8C8-59F1-35C4-659D079E53F1} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {749DAE54-E066-5262-41ED-795108CB5C63} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {75942526-BF6B-03BA-743C-52851703C42D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {7F8D2990-5EF0-1716-2773-6D8F229C2FA4} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
  • 0

Advertisements

#2
admin
Posted 07 October 2004 - 11:24 PM

admin

    Founder Geek

  • Community Leader
  • 24,639 posts
It appears you have two antivirus programs installed (AVG & Norton). This will provide less protection--not more. Please uninstall one program, and run a full system scan.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.coolsearch.biz/
O1 - Hosts: 3466690378 view.atdmt.com
O1 - Hosts: 3466690378 click.atdmt.com
O1 - Hosts: 3466690378 leader.linkexchange.com
O4 - HKLM\..\Run: [TrayX] C:\WINDOWS\winppr32.exe /sinc <- SoBog Virus
O4 - HKLM\..\Run: [Golum] C:\WINDOWS\System32\golum\services.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [NdkjOwEe] C:\documents and settings\roger2\local settings\temp\NdkjOwEe.exe
O4 - HKLM\..\Run: [3por8] C:\documents and settings\roger2\local settings\temp\3por8.exe
O4 - HKCU\..\Run: [Shcs] C:\Documents and Settings\Roger2\Application Data\f?nd.exe
O16 - DPF: {05A80B5C-1C5A-51DF-9DE3-187A4F3544DF} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {07614CF6-F83B-2A35-0CBF-56C832D66978} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {09385BFA-54FB-5156-9E3A-623D77018EDD} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {0EBE77E8-0B66-54B8-A69E-5FE54C6F8EC0} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...d7510b28ebf1261
O16 - DPF: {17492A7B-D656-39E7-71BF-4DA14A54E7E6} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {1DB8A98C-8E23-29F6-6713-10AD2E7CF568} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {2221BFC5-E613-56B8-F113-042C1C6103D0} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {28170FAF-DF95-7E7E-C215-7BDC4BBA840F} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2A745F61-C6BD-2294-8C14-700A1C9CE5BB} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2BA04D2A-D732-4694-C8E0-5DE844BB518B} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2C28931E-F60D-2712-B42F-21602773BA04} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {2F2986D2-8746-2409-8205-16A20601D4B6} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156...r/axscanner.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {4A374FCB-258F-12CA-0879-3754072E0804} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4AA502A7-80F3-0128-D9C2-4DF36AAD8E9D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4C7D41EC-70DC-4168-DA34-0EC36FF24DF3} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4FD2CF62-5FD3-5BA3-A13B-4BCA294ACADE} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {55BF7D94-A9A9-7A46-7BE7-2DF758DB8037} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {5B5AE2CC-CE20-0ABD-74D6-01FE7B0CC6A8} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {5CD8E3A8-C669-6D5A-E0BB-5C9200803772} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {62B61F87-F1B1-769B-6739-3F783A421F4D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {636451B6-6767-4191-4D51-3A2911AE6520} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {68C79730-3924-674C-FF5A-6C7D27B4A1B1} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {6C0D52B1-0B88-72BA-6812-6FFA0F596F5B} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {6E76033B-57A1-6DEF-AAAA-579511C9E1CD} - http://69.50.188.54/1/rdgAU208.exe
O16 - DPF: {6F1B6D05-F750-1CA9-266E-3893331DB310} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {733A9976-5257-65C4-6B79-22AC64CE2C41} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {73472526-496F-7580-28CC-019924BC9A0D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {734934A2-B8C8-59F1-35C4-659D079E53F1} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {749DAE54-E066-5262-41ED-795108CB5C63} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {75942526-BF6B-03BA-743C-52851703C42D} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {7F8D2990-5EF0-1716-2773-6D8F229C2FA4} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} (Sinstaller Class) - http://dm.screensave.../sinstaller.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab

Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\winppr32.exe <- SoBog Virus
C:\WINDOWS\System32\golum <- this folder
C:\Program Files\Windows SyncroAd <- this folder
C:\Documents and Settings\Roger2\Application Data\f?nd.exe

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. <_<
  • 0

#3
acdcrc
Posted 07 October 2004 - 11:46 PM

acdcrc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for your advice.
will let you know how what happens.

Have a good weekend!
  • 0

#4
acdcrc
Posted 08 October 2004 - 03:27 PM

acdcrc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
I have done everything as per your advices and the puter seems better but I still have Adware.CDT on the puter.

Here is my latest log.

thankyou so much for your help to date.
I am rapt that you have been able to help me. <_<

Logfile of HijackThis v1.98.2
Scan saved at 7:27:24 AM, on 9/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitsto...p/PCPitStop.CAB
O16 - DPF: {230ACB24-10D6-5074-FD33-20771D24C4B9} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4D0799A0-7A70-5A3E-F298-773B647E56D9} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {576DAEC7-1BE0-4F9E-9B21-138B7732DB62} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093344930196
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
  • 0

#5
-=jonnyrotten=-
Posted 08 October 2004 - 03:38 PM

-=jonnyrotten=-

    Member 2k

  • Retired Staff
  • 2,678 posts
Remove these with hijack this also.

O16 - DPF: {230ACB24-10D6-5074-FD33-20771D24C4B9} - http://69.50.188.54/1/gdnIN208.exe
O16 - DPF: {4D0799A0-7A70-5A3E-F298-773B647E56D9} - http://69.50.188.54/1/gdnAU208.exe
O16 - DPF: {576DAEC7-1BE0-4F9E-9B21-138B7732DB62} - http://69.50.188.54/1/gdnAU208.exe

Next let's start with a free program. Ad-aware.

Using Ad-aware: Open Ad-Aware and use the Check for updates now link. Download and accept the latest reference file. When finished click the Start button. When done scanning, the Abort button will change to Next. Click the Next button. Right-click in the Scanning Results window and click "Select all objects". Then click the "Next" button and confirm that you want to delete the selected entries.

When finished, Reboot your computer. Finally, reply to this post with a new HiJackThis log so we can look for any nasties that may have been missed. <_<

CLICK HERE to download Ad-aware

-=jonnyrotten=- :D
  • 0

#6
acdcrc
Posted 10 October 2004 - 02:02 AM

acdcrc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
many thanks for that.
I have updated both Adaware and Spybot.
however Norton still detects Adware.CDT (file named mediatickets0 and Spyware.iwantsearch (file name rundlq32)

how do i get rid of these nastys. <_<
here is my latest log

many thanks for your help so far.
Logfile of HijackThis v1.98.2
Scan saved at 5:39:41 PM, on 10/10/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe
C:\WINDOWS\LTMSG.exe
C:\PROGRA~1\KEMailKb\KEMailKb.EXE
C:\Program Files\OptusNet DSL Internet\DSC.exe
C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\unzipped\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ebay.com.au/
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-au\msnappau.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [KEMailKb] C:\PROGRA~1\KEMailKb\KEMailKb.EXE
O4 - HKLM\..\Run: [Desktop Service Centre] C:\Program Files\OptusNet DSL Internet\DSC.exe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\System32\twink64.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspa...va/cfs40300.cab
O16 - DPF: Yahoo! Pyramids - http://download.game...ts/y/pyt1_x.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www1.pcpitsto...p/PCPitStop.CAB
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://files.ea.com/...h/v2/EARTPX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093344930196
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
  • 0

#7
coachwife6
Posted 10 October 2004 - 09:56 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
What is this? If you don't know, get rid of it in Hijack this.

C:\PROGRA~1\KEMailKb\KEMailKb.EXE

Go to add/remove programs and look for anything involving media tickets installer.

Then post a fresh log and let us know how the system is working.
  • 0

#8
acdcrc
Posted 10 October 2004 - 04:25 PM

acdcrc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
This relates to my keyboard.

I will advise after i follow your advice.

Norton tell me theses(adware and spyware) are in C:Windows\ downloaded programs folder, but when I access then in both normal and safe mode i cannot locate any files named media tickets or rundlq.
The adware and spyware was allready on my puter before I installed Norton.
I have checked out Nortons site and have taken on borad their advise to get rid of the registry names but the daily scan still tells me they are on my system. <_<
  • 0

#9
Yarnouth
Posted 10 October 2004 - 04:35 PM

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Have you got system restore enabled?
  • 0

#10
acdcrc
Posted 10 October 2004 - 04:37 PM

acdcrc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Yes.
  • 0

#11
Yarnouth
Posted 10 October 2004 - 04:46 PM

Yarnouth

    Visiting Staff

  • Member
  • PipPipPip
  • 508 posts
Ok disable it and run another scan in safe mode. Instructions:


To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Please reboot into safe mode - How do I boot into "Safe" mode?.
Be sure you're able to view hidden files

3. Run a Virus scan in safe mode.

4. Reboot

5. Turn ON System Restore.

After this please let us know how your system is working.
  • 0

#12
acdcrc
Posted 11 October 2004 - 06:05 AM

acdcrc

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Thanks for your advice.
I turned off System restore and logged on to safe mode and did a complete scan.
However Norton still showed Adware.CDT and Spyware.Iwantsearch.

This was not good and norton was unable to delete them.
However I checked out the forum on the website and found a topic from Danny 7 in relation to Rundlq32.
I took the advise from the respondent admin who advised Danny to press start ther run and put in regsvr32 /u occache.
I did this and lo and behold there was media tickets and rundlq32 files.
before deleting I scanned c:windows\ downloaded program file folder with norton which showed that these vermin were there.
after i removed these files to the recycle bin and keyed in regsvr32 occache.dll i rescanned the file and to my great satisfaction no more Adware.CDT or Spyware!!!! <_<

Mate Good on you and thankyou very much for your help .
I will do another complete search overnight and then send a hijack log, but am confident that I have removed these nasties> :D
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP