Realsearch and 69sexsearch Strike Again



#1
redsoxpharmd

Done all the preliminary checks...checked other posts....but my HijackThis log does not look similar to anything I've seen. Any help would be GREATLY appreciated! :tazz:


Logfile of HijackThis v1.99.0
Scan saved at 9:38:36 PM, on 1/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\eamat.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\wuclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jamie\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
O4 - HKLM\..\Run: [90A1116B] C:\WINDOWS\system32\DSLADLRS.exe
O4 - HKLM\..\Run: [A74614D6] C:\WINDOWS\system32\WAVSRV.exe
O4 - HKLM\..\Run: [C087D6EE] C:\WINDOWS\system32\LUSRESSN.exe
O4 - HKLM\..\Run: [168CFC86] C:\WINDOWS\system32\ISCAPIF.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AB4D484B] C:\WINDOWS\system32\atATMFCAP.exe
O4 - HKLM\..\Run: [5CACC0F6] C:\WINDOWS\system32\SRpaMRptsv.exe
O4 - HKLM\..\Run: [4ABB5C5E] C:\WINDOWS\system32\DSBAapiSY.exe
O4 - HKLM\..\Run: [E52F54C6] C:\WINDOWS\system32\3D1AMF.exe
O4 - HKLM\..\Run: [C96E16FB] C:\WINDOWS\system32\ACCTPA2AG.exe
O4 - HKLM\..\Run: [E1D34D7E] C:\WINDOWS\system32\EVDGSRPR.exe
O4 - HKLM\..\Run: [1084DE5E] C:\WINDOWS\system32\3D3FRFRG.exe
O4 - HKLM\..\Run: [C08C2E0E] C:\WINDOWS\system32\SFSAP.exe
O4 - HKLM\..\Run: [4075B8D6] C:\WINDOWS\system32\SERENNET.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [90A1116B] C:\WINDOWS\system32\DSLADLRS.exe
O4 - HKCU\..\Run: [A74614D6] C:\WINDOWS\system32\WAVSRV.exe
O4 - HKCU\..\Run: [C087D6EE] C:\WINDOWS\system32\LUSRESSN.exe
O4 - HKCU\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
O4 - HKCU\..\Run: [168CFC86] C:\WINDOWS\system32\ISCAPIF.exe
O4 - HKCU\..\Run: [AB4D484B] C:\WINDOWS\system32\atATMFCAP.exe
O4 - HKCU\..\Run: [5CACC0F6] C:\WINDOWS\system32\SRpaMRptsv.exe
O4 - HKCU\..\Run: [4ABB5C5E] C:\WINDOWS\system32\DSBAapiSY.exe
O4 - HKCU\..\Run: [E52F54C6] C:\WINDOWS\system32\3D1AMF.exe
O4 - HKCU\..\Run: [C96E16FB] C:\WINDOWS\system32\ACCTPA2AG.exe
O4 - HKCU\..\Run: [E1D34D7E] C:\WINDOWS\system32\EVDGSRPR.exe
O4 - HKCU\..\Run: [1084DE5E] C:\WINDOWS\system32\3D3FRFRG.exe
O4 - HKCU\..\Run: [C08C2E0E] C:\WINDOWS\system32\SFSAP.exe
O4 - HKCU\..\Run: [4075B8D6] C:\WINDOWS\system32\SERENNET.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O15 - Trusted Zone: http://*.69sexsearch.com
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2687D503-0FAD-47A7-9A0C-D4CF137C7691}: NameServer = 63.227.242.16,207.108.224.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2687D503-0FAD-47A7-9A0C-D4CF137C7691}: NameServer = 63.227.242.16,207.108.224.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0



#2
ilago

Hi redsoxpharmd

Download Deldomains.inf from here http://www.mvps.org/.../DelDomains.inf and save it so you can find it easily.

Please make a new folder for HijackThis and run it from there so it isn't running from your desktop.

You may need to print this out so you can keep track of the deletions when you are working in Safe Mode and not connected to the internet.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager".

Find this process in the list, select it and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

eamat.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and click on Fix checked.


R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://realsearch.cc/?a=2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://realsearch.cc/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://realsearch.cc/?a=2
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://realsearch.cc/?a=2
O4 - HKLM\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
O4 - HKLM\..\Run: [90A1116B] C:\WINDOWS\system32\DSLADLRS.exe
O4 - HKLM\..\Run: [A74614D6] C:\WINDOWS\system32\WAVSRV.exe
O4 - HKLM\..\Run: [C087D6EE] C:\WINDOWS\system32\LUSRESSN.exe
O4 - HKLM\..\Run: [168CFC86] C:\WINDOWS\system32\ISCAPIF.exe
O4 - HKLM\..\Run: [AB4D484B] C:\WINDOWS\system32\atATMFCAP.exe
O4 - HKLM\..\Run: [5CACC0F6] C:\WINDOWS\system32\SRpaMRptsv.exe
O4 - HKLM\..\Run: [4ABB5C5E] C:\WINDOWS\system32\DSBAapiSY.exe
O4 - HKLM\..\Run: [E52F54C6] C:\WINDOWS\system32\3D1AMF.exe
O4 - HKLM\..\Run: [C96E16FB] C:\WINDOWS\system32\ACCTPA2AG.exe
O4 - HKLM\..\Run: [E1D34D7E] C:\WINDOWS\system32\EVDGSRPR.exe
O4 - HKLM\..\Run: [1084DE5E] C:\WINDOWS\system32\3D3FRFRG.exe
O4 - HKLM\..\Run: [C08C2E0E] C:\WINDOWS\system32\SFSAP.exe
O4 - HKLM\..\Run: [4075B8D6] C:\WINDOWS\system32\SERENNET.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [90A1116B] C:\WINDOWS\system32\DSLADLRS.exe
O4 - HKCU\..\Run: [A74614D6] C:\WINDOWS\system32\WAVSRV.exe
O4 - HKCU\..\Run: [C087D6EE] C:\WINDOWS\system32\LUSRESSN.exe
O4 - HKCU\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
O4 - HKCU\..\Run: [168CFC86] C:\WINDOWS\system32\ISCAPIF.exe
O4 - HKCU\..\Run: [AB4D484B] C:\WINDOWS\system32\atATMFCAP.exe
O4 - HKCU\..\Run: [5CACC0F6] C:\WINDOWS\system32\SRpaMRptsv.exe
O4 - HKCU\..\Run: [4ABB5C5E] C:\WINDOWS\system32\DSBAapiSY.exe
O4 - HKCU\..\Run: [E52F54C6] C:\WINDOWS\system32\3D1AMF.exe
O4 - HKCU\..\Run: [C96E16FB] C:\WINDOWS\system32\ACCTPA2AG.exe
O4 - HKCU\..\Run: [E1D34D7E] C:\WINDOWS\system32\EVDGSRPR.exe
O4 - HKCU\..\Run: [1084DE5E] C:\WINDOWS\system32\3D3FRFRG.exe
O4 - HKCU\..\Run: [C08C2E0E] C:\WINDOWS\system32\SFSAP.exe
O4 - HKCU\..\Run: [4075B8D6] C:\WINDOWS\system32\SERENNET.exe


Open Windows Explorer and find the deldomains.inf file that you downloaded earlier. Right-click and select > Install
This will remove all entries in the "Trusted Zone" and "Ranges" also. You may need to replace any entries that you had in trusted zones already.


Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up. When the Safe Mode screen menu comes up, choose Safe Mode and Windows XP as your operating system. You don't need any networking.

Open Windows Explorer and go to >Tools>Folder Options>View, select:

Show hidden files and folders
Display the contents of system folders

Uncheck:

Hide protected operating system files

Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:

Search System folders
Search Hidden Files and folders
Search SubFolders

Delete all the files noted in bold below. Some may not be there but use the search function in Windows Explorer to make sure.

C:\WINDOWS\system32\eamat.exe
C:\WINDOWS\system32\DSLADLRS.exe
C:\WINDOWS\system32\WAVSRV.exe
C:\WINDOWS\system32\LUSRESSN.exe
C:\WINDOWS\system32\ISCAPIF.exe
C:\WINDOWS\system32\atATMFCAP.exe
C:\WINDOWS\system32\SRpaMRptsv.exe
C:\WINDOWS\system32\DSBAapiSY.exe
C:\WINDOWS\system32\3D1AMF.exe
C:\WINDOWS\system32\ACCTPA2AG.exe
C:\WINDOWS\system32\EVDGSRPR.exe
C:\WINDOWS\system32\3D3FRFRG.exe
C:\WINDOWS\system32\SFSAP.exe
C:\WINDOWS\system32\SERENNET.exe
C:\WINDOWS\system32\wuclient.exe

Reboot into normal mode and run a fresh HijackThis log and post it so it can be checked.
  • 0

#3
redsoxpharmd

ilago,

So far, so good...the log:

Thank You So Much,
redsoxpharmd

Logfile of HijackThis v1.99.0
Scan saved at 8:07:17 PM, on 1/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
c:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] c:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O16 - DPF: ppctlcab - http://ppupdates.ca....er/ppctlcab.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2687D503-0FAD-47A7-9A0C-D4CF137C7691}: NameServer = 63.227.242.16,207.108.224.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2687D503-0FAD-47A7-9A0C-D4CF137C7691}: NameServer = 63.227.242.16,207.108.224.1
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#4
ilago

Hi redsoxpharmd

I'm glad to hear things are better now. Just a couple more things.

Open HijackThis again and click on Do System Scan Only.

Check these and click fix checked.


O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)


Reboot into Safe Mode and delete this file:

C:\WINDOWS\system32\xpsp2fw.exe

Check that this file from your previous log is not there. They both need to be deleted.

C:\WINDOWS\system32\wuclient.exe

Reboot into normal mode. Do a Live Update for Nortons and run a full system scan. If it finds anything let it quarantine or fix it.

Do a fresh HijackThis log for a final check.
  • 0
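An added example, not part of any post in this thread: a small Python script that compares a HijackThis log taken before a cleanup with one taken after, checks that every O4 Run entry on the fix list is gone, and lists autoruns that were not in the first log. The function names `parse_autoruns` and `compare_logs` are this example's own; the sample lines are abbreviated from the two logs and the fix list posted above.

```python
import re

# Registry autorun lines in a HijackThis log look like:
#   O4 - HKLM\..\Run: [ValueName] C:\path\file.exe args
# "O4 - Global Startup" shortcut lines are deliberately not matched here.
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")


def parse_autoruns(log_text):
    """Return {(hive, key, value_name): command} for each O4 registry Run line."""
    entries = {}
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            hive, key, name, command = m.groups()
            # Value names can carry stray spaces, e.g. "[Windows Update Client ]".
            entries[(hive, key, name.strip())] = command.strip()
    return entries


def compare_logs(before, after, fix_list):
    """Compare two logs against the lines that were checked for fixing."""
    old, new = parse_autoruns(before), parse_autoruns(after)
    targeted = parse_autoruns(fix_list)
    return {
        # Fix-list entries that survived the cleanup (should be empty).
        "still_present": sorted(k for k in targeted if k in new),
        "removed": sorted(k for k in targeted if k not in new),
        # Autoruns that appear only in the second log and need a closer look.
        "new_since_cleanup": sorted(k for k in new if k not in old),
        # Entries that vanished without being on the fix list.
        "removed_unrequested": sorted(
            k for k in old if k not in new and k not in targeted
        ),
    }


# Abbreviated O4 lines copied from the logs and fix list in this thread.
BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
"""

FIX_LIST = r"""
O4 - HKLM\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
O4 - HKCU\..\Run: [Windows Update Client ] C:\WINDOWS\system32\wuclient.exe
O4 - HKCU\..\Run: [528D55CE] C:\WINDOWS\system32\eamat.exe
"""

AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [XPSP2 Firewall] C:\WINDOWS\system32\xpsp2fw.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

if __name__ == "__main__":
    after_entries = parse_autoruns(AFTER)
    for label, keys in compare_logs(BEFORE, AFTER, FIX_LIST).items():
        print(label)
        for hive, key, name in keys:
            command = after_entries.get((hive, key, name), "(not in second log)")
            print(f"  {hive}\\{key} [{name}] -> {command}")
```

An entry under `new_since_cleanup` is only a prompt to look closer: of the two new entries in this thread, one was put on the fix list in post #4 and the other was left alone.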





