Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

hijackthis log file


  • Please log in to reply

#1
paperboy

paperboy

    New Member

  • Member
  • Pip
  • 7 posts
here is the hijackthis log

Logfile of HijackThis v1.99.0
Scan saved at 12:40:04 PM, on 1/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\NAVNT\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\NAVNT\navapw32.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
c:\progra~1\intern~1\iexplore.exe
C:\PROGRA~1\NAVNT\npssvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NAVNT\alertsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.cdvjueqwr...zyKRWnldP2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.smlmofmmi...ScrDrSR0o8.htm");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\E MAN\Application Data\Mozilla\Profiles\default\fwfbwnci.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9BA3AC0F-B280-564E-2D2F-5CEEB426E02C} - C:\DOCUME~1\EMAN~1\APPLIC~1\SIGNPI~1\Deaf Inside.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NAVNT\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NAVNT\defalert.exe
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Internet Security\IAMAPP.EXE"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [01 32 Option Dog] C:\Documents and Settings\All Users\Application Data\live blue 01 32\Mess Internet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Move Mfcd] C:\DOCUME~1\EMAN~1\APPLIC~1\FASTLO~1\flawseek.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\NAVNT\navapw32.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NAVNT\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NAVNT\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NAVNT\npssvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks for any help you can be in removing the look-today tool bars.

Don
  • 0

Advertisements


#2
admin

admin

    Founder Geek

  • Administrator
  • 24,504 posts
We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
paperboy

paperboy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
thanks.....
installed service pack 1a and ran new log file

Logfile of HijackThis v1.99.0
Scan saved at 8:42:19 PM, on 1/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\PROGRA~1\NAVNT\navapsvc.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\NAVNT\npssvc.exe
C:\Program Files\NAVNT\navapw32.exe
C:\WINDOWS\wanmpsvc.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NAVNT\alertsvc.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.czfabdgpe...azyKRWnldP2.cgi
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.smlmofmmi...ScrDrSR0o8.htm");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\E MAN\Application Data\Mozilla\Profiles\default\fwfbwnci.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9BA3AC0F-B280-564E-2D2F-5CEEB426E02C} - C:\DOCUME~1\EMAN~1\APPLIC~1\SIGNPI~1\Deaf Inside.exe
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NAVNT\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NAVNT\defalert.exe
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Internet Security\IAMAPP.EXE"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKLM\..\Run: [01 32 Option Dog] C:\Documents and Settings\All Users\Application Data\live blue 01 32\Mess Internet.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\Run: [Move Mfcd] C:\DOCUME~1\EMAN~1\APPLIC~1\FASTLO~1\flawseek.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\NAVNT\navapw32.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NAVNT\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NAVNT\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NAVNT\npssvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Don
  • 0

#4
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
I presume that you ran through all the standard procedures before you posted your first log. You may like to print some of this out as you won't have internet access for some of the time you are fixing things.

Run HijackThis again. Check the following items. Close all open windows including this one. Click on Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.czfabdgpe...azyKRWnldP2.cgi
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://www.smlmofmmi...ScrDrSR0o8.htm");\nuser_pref("browser.startup.page", 1); (C:\Documents and Settings\E MAN\Application Data\Mozilla\Profiles\default\fwfbwnci.slt\prefs.js)
O2 - BHO: (no name) - {9BA3AC0F-B280-564E-2D2F-5CEEB426E02C} - C:\DOCUME~1\EMAN~1\APPLIC~1\SIGNPI~1\Deaf Inside.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [01 32 Option Dog] C:\Documents and Settings\All Users\Application Data\live blue 01 32\Mess Internet.exe
O4 - HKCU\..\Run: [Move Mfcd] C:\DOCUME~1\EMAN~1\APPLIC~1\FASTLO~1\flawseek.exe
4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O8 - Extra context menu item: Web Savings - file://C:\Program Files\WebSavingsfromEbates\System\Temp\ebateswebsavings_script0.htm
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....119/CTSUEng.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....12119/CTPID.cab


Open Control Panel Add/Remove programs. See if these programs are listed.

Broadjump Client foundation
Bigfix

If they are - uninstall them from there.

Disable SYSTEM RESTORE
On the Desktop, right-click the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot your computer into Safe Mode - by tapping F8 continually as soon as your computer beeps on start up. When the Menu Screen comes up - select Safe Mode without network and Windows XP as your operating system if asked. Safe Mode looks very ugly and everything will be large.

Open Windows Explorer and make sure that all hidden files are visible
Go to Explorer>Tools>Folder Options>View, select:

*Show hidden files and folders
*Display the contents of system folders

Uncheck:

*Hide protected operating system files

Next go to Search > All files and folders > More advanced options and click. These settings will help you if you need to Search for the files. They may not be hard to find.

Be sure the first three boxes are selected:

*Search System folders
*Search Hidden Files and folders
*Search SubFolders

Navigate to these locations and delete these files and folders in blue

C:\DOCUMENTS AND SETTINGS\EMAN~1 <your user name>\APPLICATION DATA\ SIGNPI~1\Deaf Inside.exe
C:\Documents and Settings\All Users\Application Data\ live blue 01 32\Mess Internet.exe whole file and folder
C:\DOCUMENTS AND SETTINGS\EMAN~1<your user name>\Application Data\ FastLoveweb\flawseek.exe

If these are present delete the folders, all the files will be deleted as well:

C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\BigFix\BigFix.exe

Navigate to
c:\Documents and settings\<your user name>\Local Settings\
Delete all the files in your \temp folder and \temporary internet folder
There will be a couple of files that Windows won't delete - usually desktop.ini and index.dat - they should be OK.

Reboot into normal mode

Turn your system restore back on
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run hijack this again and post the log here to make sure we got everything.
  • 0

#5
paperboy

paperboy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
thanks.............
it seems to be working......here is the current log file

I could not find:

4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJunp\Client Foundation\CFD.exe


Logfile of HijackThis v1.99.0
Scan saved at 9:23:07 PM, on 1/10/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\PROGRA~1\NAVNT\navapsvc.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\NAVNT\navapw32.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\NAVNT\npssvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NAVNT\alertsvc.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ahhrldbfd...zyKRWnldP2.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\E MAN\Application Data\Mozilla\Profiles\default\fwfbwnci.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NAVNT\npscheck.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NAVNT\defalert.exe
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Internet Security\IAMAPP.EXE"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\NAVNT\navapw32.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NAVNT\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NAVNT\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NAVNT\npssvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Don
  • 0

#6
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi paperboy

That looks a lot better now - just a couple of things left to do.

O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJunp\Client Foundation\CFD.exe hasn't shown up in this log so it shouldn't be a problem now.

Run HijackThis again and go to scan. Check the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.czfabdgpe...azyKRWnldP2.cgi
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot (this is unnecessary rather than a problem)
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.1...everContent.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab


Reboot and run another log to check if you are finally clean. Then we can make some recommendations for some prevention measures. Most are free.

This is a good place to start - So how did I get infected in the first place.
http://forums.net-in...?showtopic=3051

If your next log is clean - you can re-enable System Restore.
  • 0

#7
paperboy

paperboy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
i did as you said to do and here is the latest log

Logfile of HijackThis v1.99.0
Scan saved at 6:59:30 PM, on 1/16/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\CTSvcCDA.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\PROGRA~1\NAVNT\navapsvc.exe
C:\Program Files\CConnect\CConnect.exe
C:\Program Files\NAVNT\navapw32.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\NAVNT\npssvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\PROGRA~1\NAVNT\alertsvc.exe
C:\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cox.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://oklahomacity.cox.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\E MAN\Application Data\Mozilla\Profiles\default\fwfbwnci.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [NPS Event Checker] C:\PROGRA~1\NAVNT\npscheck.exe
O4 - HKLM\..\Run: [iamapp] "C:\Program Files\Norton Internet Security\IAMAPP.EXE"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Audio\PROGRAM\CTMIX32.EXE /t
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: CorrectConnect.lnk = C:\Program Files\CConnect\CConnect.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\NAVNT\navapw32.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cox.net
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v43/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NAV Alert - Symantec Corporation - C:\PROGRA~1\NAVNT\alertsvc.exe
O23 - Service: NAV Auto-Protect - Symantec Corporation - C:\PROGRA~1\NAVNT\navapsvc.exe
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: NISUM - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: Norton Program Scheduler - Symantec Corporation - C:\PROGRA~1\NAVNT\npssvc.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

thanks
Don
  • 0

#8
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
That looks much better now :tazz:

You can re-enable System Restore.

Now for some prevention advice to try and stop you getting infected again.

Keep Windows fully up to date - use automatic updates to ensure you don't forget.

Keep Internet Explorer fully up to date if you prefer to use it.

Give some consideration to using Firefox or Mozilla as your browser. They are free and more secure than internet explorer. Firefox is easy to use and doesn't take long to get used to. http://www.mozilla.org

Don't click on OK or yes on any advert on a webpage or in spam email. Check up on that 'free' software you'd like to download before you install it.

Keep your antivirus program up to date and do regular scans!!

Keep your firewall up to date and read alerts before clicking Yes.

Keep Adaware up to date and do regular scans!!
Keep Spybot Search and Destroy up to date and do regular scans!!

These are free and will help to keep most spyware off your PC:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

SpywareGuard http://www.javacools...sgdownload.html - gives real time monitoring of common spyware changes.

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. The download is quite a long way down the page - but the page is worth reading for more information about spyware.
https://netfiles.uiu...ww/resource.htm

You can always ask here if you want to know more ;)
  • 0

#9
paperboy

paperboy

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
THANKS!

You guys are the greatest.

Don
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP