0

First off, I'd like to mention that I'm new to this so I'm not sure if I'm posting correctly. Please advise me if not.

The OS is WinXP Home, SP1
The make and model is Dell, Dimension 4400, P4-1.6G, 384mb RAM
Browser is IE, v6

Started having problems after installing Incredimail, may or may not be related. Incredimail removed using Add/Remove Programs, but still remains in Registry Editor.

Had (have?) CWS and Trojan.bookmarker.gen infections, used CWshredder and Norton instructions to get rid of most problems.

I'd like to post my first hijackthis log as well as the current one to make sure I didn't delete something I shouldn't have and to find out what else I need to fix.

Current problem is the .gen keeps coming back. Norton finds it but can't fix it. I go to the temp folder where it says the files are and delete them, but it also says there's a .dll in the System 32 folder but I can't find it; I've even tried the PV runme.bat.

Is it okay to post both logs here? Thanks for your help!

7
Contributors
46
Replies
47
Views
13 Years
Discussion Span
Last Post by DMR
0

Here is a copy of my first hjt log:

Logfile of HijackThis v1.97.7
Scan saved at 4:02:05 PM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~4\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Aadministrator\Desktop\Computer Care Kit\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\AADMIN~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6FC31A35-725D-4CA9-81D0-E4697F335906} - C:\WINDOWS\System32\bbeg.dll (file missing)
O2 - BHO: (no name) - {9ABD2CE8-B2D5-45B9-96D8-AA957810A3F6} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {B1B0C495-360A-48C3-8CA3-A40AF7CBE0A4} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

This is the most recent one:

Logfile of HijackThis v1.97.7
Scan saved at 6:56:01 PM, on 7/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\AIM95\aim.exe
C:\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {9ABD2CE8-B2D5-45B9-96D8-AA957810A3F6} - (no file)
O2 - BHO: (no name) - {A1622CBE-080D-4E8F-923D-4FE602492584} - (no file)
O2 - BHO: (no name) - {B45B57C3-9D8F-4906-9F4B-2C0DF43F1D6D} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {E8FD3E37-1FDF-4F7B-A559-F4058AC17284} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {B1B0C495-360A-48C3-8CA3-A40AF7CBE0A4} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

If there's anything I deleted that I shouldn't have from the first one, please advise. I know there are still some things that need to be removed but I'd like to make sure which ones before I do anymore. Thanks again.

0

1. Quit any web browser program if open and then have HJT fix all of the entries ending in: (no file).

2. You can also kill this one:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

3. Are you behind a proxy? If not, fix these as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>

4. For every user account in C:\Documents and Settings, delete the contents of the following folders:

- Cookies
- Local Settings\Temp
- Local Settings\History
- Local Settings\Temporary Internet Files

5. Empty your Recycle Bin

6. Reboot

0

1. Quit any web browser program if open and then have HJT fix all of the entries ending in: (no file).

2. You can also kill this one:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

3. Are you behind a proxy? If not, fix these as well:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>

4. For every user account in C:\Documents and Settings, delete the contents of the following folders:

- Cookies
- Local Settings\Temp
- Local Settings\History
- Local Settings\Temporary Internet Files

5. Empty your Recycle Bin

6. Reboot

Hi, thanks a lot for your help.

Below is my latest hjt log. Before I got this reply, I purchased and ran XoftSpy. It found many things no other programs had, it even found several instances of BonziBuddy that I thought I had cleared out ages ago. It also found a CoolWebSearch item. The program doesn't let you save the scan (not that I could figure out anyway), but I used the print screen function and saved it into a Word doc if anyone is interested in seeing what I had. I haven't had any trouble (yet) since I ran it. The program cost me $40 which I was real hesitant to spend, but I was desperate. Hopefully the problems are gone for good!

You asked if I was behind a proxy but I'm afraid I'm not sure what that means. Would you mind explaining it? I use a cable internet connection if that helps. I deleted the other items you recommended. I'm sure there are more that I don't need, but I can get that figured out later.

You didn't comment on whether or not I deleted anything important between my original log and the more recent one, is all okay?

Here's the latest, thanks again!

Logfile of HijackThis v1.97.7
Scan saved at 5:31:09 PM, on 7/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Utilities\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

Oh, one more thing, is it safe to remove all the references to incredimail in the Regisry Editor since the program has been removed?

0

I purchased and ran XoftSpy. It found many things no other programs had

Thats because the program installed the things it said it found ,when you installed the program ,to Dupe you into buying it !!!!

There is a list of bogus spyware removal tool for sale on the net and your makes the list ,Check it here for the discription of the one you bought ,[
http://www.spywarewarrior.com/rogue_anti-spyware.htm
]Sorry to here you were duped into buying something that can be had for free and are better ..like Spy-bot ,ad-aware ,Spywareblaster ,spywareguard.IE-Spyad.to name a few .

0

Thats because the program installed the things it said it found ,when you installed the program ,to Dupe you into buying it !!!!

There is a list of bogus spyware removal tool for sale on the net and your makes the list ,Check it here for the discription of the one you bought ,[
http://www.spywarewarrior.com/rogue_anti-spyware.htm
]Sorry to here you were duped into buying something that can be had for free and are better ..like Spy-bot ,ad-aware ,Spywareblaster ,spywareguard.IE-Spyad.to name a few .

Well, looks as if I've been taken. But I found XoftSpy via a link from this site so that gave me the little extra nudge of encouragement I needed to break down and make the purchase. That really irritates me that "companies" can lie like that to sell something. Not to mention that the problem has returned. So how do I go about removing XoftSpy and get rid of the trojan.bookmarker.gen? This thread is getting kind of long now, should I start a new one?

0

But I found XoftSpy via a link from this site so that gave me the little extra nudge of encouragement...

If you're talking about that recent post (I can't remember which one) where a user said XoftSpy fixed things that Ad aware, SpyBot, etc. couldn't- beware. We don't verify, audit, or edit user comments on a particular program; just because "someone" said it works, don't bite that worm without checking it out yourself.

And yes, caperjack is right- the program is, at the very least, known to give false-positives to entice you to buy the full version.

0

So how do I go about removing XoftSpy and get rid of the trojan.bookmarker.gen? This thread is getting kind of long now, should I start a new one?

No don't start a new thread .

Download and run this fully working 30 day trial version Trojan Hunter.
http://www.misec.net/trojanhunter/?aff=12129
.................................................

Oh, one more thing, is it safe to remove all the references to incredimail in the Regisry Editor since the program has been removed?

Yes ,you can edit the registry and delete all incredimail stuff.
Don't forget to backup you registry first !:)

Also hijack this should be in afolder and not just on the c like this .
C:\HijackThis.exe
create a new folder call it HJK or something like that , and move it there .so it looks like this
C:\HJK\HijackThis.exe

To night when i have more time i will start from your first post and read this thread over again an see if i can see what I'm missing .

0

No don't start a new thread .

Download and run this fully working 30 day trial version Trojan Hunter.
http://www.misec.net/trojanhunter/?aff=12129
.................................................


Yes ,you can edit the registry and delete all incredimail stuff.
Don't forget to backup you registry first !:)

Also hijack this should be in afolder and not just on the c like this .
C:\HijackThis.exe
create a new folder call it HJK or something like that , and move it there .so it looks like this
C:\HJK\HijackThis.exe

To night when i have more time i will start from your first post and read this thread over again an see if i can see what I'm missing .

Thanks a lot; I appreciate the help. I would also like to mention that when Norton finds this trojan, it says there is a .dll file in the system32 folder. The name is always different (adm.dll & lcji.dll are a couple of examples), but when I try to find these files (while Norton is still showing it), they aren't there. I'd still like to know what "behind a proxy means."

0

A proxy is where you use something like a 3rd party to access the web, similar to a web filter.
You have the about:blank hijacker which deposits a hidden dll that reinstalls itself if not removed completely. I will leave instructions at the end of my post for you to do.
First though, you will need to run hijackthis & remove an 02 entry from the log & also any randomly named files from the 04 section of the log. You should be able to pick them. Do not remove the RO & R1 entries though.

****************************

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.

Post the results from about:buster & a fresh scan from hijackthis, after a reboot.

0

A proxy is where you use something like a 3rd party to access the web, similar to a web filter.
You have the about:blank hijacker which deposits a hidden dll that reinstalls itself if not removed completely. I will leave instructions at the end of my post for you to do.
First though, you will need to run hijackthis & remove an 02 entry from the log & also any randomly named files from the 04 section of the log. You should be able to pick them. Do not remove the RO & R1 entries though.

****************************

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.

Post the results from about:buster & a fresh scan from hijackthis, after a reboot.

I haven't read your reply, I just noticed something and wanted to get it in here. I found in my System 32 folder a file named lsass.exe (,C:\WINDOWS\system32\lsass.exe) isn't that a sasser worm? Why isn't it showing up on the hjt scan? I'll go back and read your reply now.

0

A proxy is where you use something like a 3rd party to access the web, similar to a web filter.
You have the about:blank hijacker which deposits a hidden dll that reinstalls itself if not removed completely. I will leave instructions at the end of my post for you to do.
First though, you will need to run hijackthis & remove an 02 entry from the log & also any randomly named files from the 04 section of the log. You should be able to pick them. Do not remove the RO & R1 entries though.

****************************

Download About:buster from http://malwarebytes.biz/AboutBuster.zip and unzip it to your desktop.

Download & instal Adaware from here
& update it before scanning.
In settings under 'scanning,' have it set to
'scan within archives,'
'scan active processes,'
'scan registry,'
'deepscan registry'
'scan my IE Favourites for banned URL's,'
'scan my host's file.'
In 'tweaks' under 'scanning engine' set it to 'unload recognised processes during scanning.'
Also in 'tweaks' under 'cleaning engine' set it to 'Automatically try to unregister objects prior to deletion' & 'let Windows remove files in use at next reboot.'

Click here for instructions on how to boot into safe mode.

Boot up in safe mode.

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds.

Still in safe mode, do a full system scan with Adaware. When the scan is finished select *next* & place a check in the boxes to the left of what is found & click *next* again. Let it delete those entries.

Reboot your computer in normal mode.

Post the results from about:buster & a fresh scan from hijackthis, after a reboot.

Right now I'm running TrojanHunter (Evaluation Ver), it's finished the C drive and didn't find anything but came up with a few warnings like "Warning: Unable to unpack UPX-packed file C:\Program Files\AdbeRdr60_enu_full.exe"

I have Adaware installed already and update it and run it frequently. It rarely finds anything anymore. I'll run it from Safe Mode and see what happens. I'll download and run the about buster as well.

I don't see any entries in the 02 or 04 sections that don't look like they belong there (with the possible exception of ypager); I'm afraid you'll need to be more specific.

I'm still not real clear on the 3rd party thing either. Would my cable company be considered a 3rd party?

Sorry if I seem naive, but I'm trying to learn anyway :).

0

I haven't read your reply, I just noticed something and wanted to get it in here. I found in my System 32 folder a file named lsass.exe (,C:\WINDOWS\system32\lsass.exe) isn't that a sasser worm? Why isn't it showing up on the hjt scan? I'll go back and read your reply now.

Not the sasser ,thats a legit windows file ,the sasser one is spelt different like lssaass or something simular to the orignal.

0

Okay, I spent most of the day scanning in Safe Mode, here are the results:

AdAware -- I changed the tweak to 'Automatically try to unregister objects prior to deletion,' everything else was already set as you requested. It didn't find anything.

Trojan Hunter -- Didn't show anything, I'm not that familiar with the program (eval ver), could it have fixed anything without notifying me?

Trojan Remover -- Nothing

CWShredder -- Nothing

Pest Patrol -- Found 6 items on my E drive, all related to GameSpy. I used Add/Remove Programs to remove GameSpy.

Spybot -- Fixed 2 problems (it says nothing done, but I did the fix after copying the files):
DSO Exploit: Data source object exploit (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-329068152-682003330-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004=W=3


Windows Media Player: Client ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-823518204-329068152-682003330-500\Software\Microsoft\MediaPlayer\Player\Settings\Client ID=


AboutBuster -- I don't think it found anything either, but again I'm not familiar with this program; here are the results:
-- Scan 1 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!


-- Scan 2 --------
About:Buster Version 1.5
Main Service Key Not Found!
Attempted Clean Of Temp folder.
Pages Reset... Done!


Latest HJT log:
Logfile of HijackThis v1.97.7
Scan saved at 7:56:07 PM, on 7/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Utilities\HijackThis.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Utilities\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB 

Trojan Hunter didn't find anything in Safe Mode, but in Normal Mode, it came up with a few warnings like "Warning: Unable to unpack UPX-packed file C:\Program Files\AdbeRdr60_enu_full.exe"

I don't see any entries in the 02 or 04 sections that don't look like they belong there (with the possible exception of ypager); I'm afraid you'll need to be more specific.

I'm still not real clear on the 3rd party thing either. Would my cable company be considered a 3rd party?

Sorry if I seem naive, but I'm trying to learn.

Edited by happygeek: fixed formatting

0

With the proxy, to better explain it, I have a program called *proxomitron* on my computer. I use it to filter out anything on a website that I do not want loaded. It works through port 8080 on my computer, not the regular port. Another is a remote proxy where things are filtered out before getting to you, can be adult oriented material etc. This works through whichever port the remote site proxy requests. One I used a while ago operated through port 3195.
The two R1 lines in your log indicate that you are using a proxy of some kind.

There is nothing bad in your log.

AdbeRdr60_enu_full.exe is adobe reader, so do not be concerned.

Are you still having problems.

0

With the proxy, to better explain it, I have a program called *proxomitron* on my computer. I use it to filter out anything on a website that I do not want loaded. It works through port 8080 on my computer, not the regular port. Another is a remote proxy where things are filtered out before getting to you, can be adult oriented material etc. This works through whichever port the remote site proxy requests. One I used a while ago operated through port 3195.
The two R1 lines in your log indicate that you are using a proxy of some kind.

There is nothing bad in your log.

AdbeRdr60_enu_full.exe is adobe reader, so do not be concerned.

Are you still having problems.

For some reason, this reply was hidden until I just clicked on "First unread."

As explained here, I don't believe I'm using a proxy -- not that I'm aware of anyway. Can anything bad happen if I delete them?

Yes, I'm still having the same problem, although it seems less frequently.

0

update hijackthis to version 1.98. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. Remove 1.97 from the folder it is in & replace it with 1.98. Post a new log from this version.

0

I noticed there are a few differences between the hjt logs from my user account and another user account, so I'm going to post both logs (using v1.98 now):

Logfile of HijackThis v1.98.0
Scan saved at 12:51:43 AM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Utilities\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Utilities\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

Logfile of HijackThis v1.98.0
Scan saved at 5:16:05 PM, on 7/31/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Utilities\hijackthis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 12.242.16.8:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.*.*;<local>
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Office\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Office\Microsoft Works\wkssb.exe /AllUsers
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Utilities\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

0

First log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing

***********************

Second log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
*******************************************

Is Comcast you service provider? That is what comes up when I check the IP next to the proxy in your log.

0

First log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing

***********************

Second log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
*******************************************

Is Comcast you service provider? That is what comes up when I check the IP next to the proxy in your log.

Yes Comcast is my service provider, would that mean I'm "behind a proxy?"

I fixed the other items you suggested, and I also changed some of my security settings (activex & java). I'll run it for awhile and see if my problem is gone or not. I'll let you know either way. Thanks again!

0

First log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - Default URLSearchHook is missing

***********************

Second log.
Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked':

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
*******************************************

Is Comcast you service provider? That is what comes up when I check the IP next to the proxy in your log.

Well, I fixed the items you suggested, but my problem remains. I won't bother posting another hjt log since it hasn't changed other than those few items. Any other ideas?

0

Could you possibly go into more detail on the problem you are having? There is nothing else (that I can see) in your log.

0

Could you possibly go into more detail on the problem you are having? There is nothing else (that I can see) in your log.

Well, I first started out having a browser hijacking problem, about:blank. I don't have that problem anymore, though I'm afraid it will return if I don't get this resolved.

After reopening my browser (IE6) several times, I get a message from Norton (see attachment) saying "High Risk," and gives the virus name "Trojan.bookmarker.gen."

I've gone through all Norton's suggested steps to remove it but it keeps coming back. Putting the cursor over the Object Name gives the location as being in the C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files, then the file name. I go to that folder and clear everything, then click OK on the Norton warning; the same message comes up again, but with a different file name so I click OK again (since I've already cleared that folder), and then I get a final message that says there is also a .dll file in the System32 folder. The .dll always has a different name (examples are in a prior post), but I can never find it in the System32 folder (I've also tried using the Search function for it and PV's runme.bat, but nothing finds the .dll that Norton says is there), so I click OK again and everything is fine till after the browser is reopened a few more times then it comes back.

I haven't tried it, but I'm afraid that if I don't keep clearing out the temp folder, it will eventually turn into the about:blank hijack again.

Is this enough info or do you need something else? This is the most frustrating bug I've ever had to deal with; it just won't go away!

0

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

0

Click here to download and install Registrar Lite. Install, run, copy and paste this line to reglite's address bar:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

and hit the "go" tab. Find: "Appinit_Dlls" value on the right side panel, DoubleClick, copy and post here the information in the 'Value' field.

Here are the results you asked for:
C:\WINDOWS\System32\ctlek.dll

By the way, I updated and ran Norton AV this morning in Safe Mode; it found one item: c:\windows\system32\notepad.exe.bak and called it Adware.Mainsearch. It was able to delete it and I haven't had the problem since, but I've gone through streches before without getting it but it eventually comes back. Don't know if this fixed it for good or not. Also, I'd like to mention that I ran NAV in Safe Mode last week and it didn't find this item, so either the file is new or the updates added it.

0

Here are the results you asked for:
C:\WINDOWS\System32\ctlek.dll

By the way, I updated and ran Norton AV this morning in Safe Mode; it found one item: c:\windows\system32\notepad.exe.bak and called it Adware.Mainsearch. It was able to delete it and I haven't had the problem since, but I've gone through streches before without getting it but it eventually comes back. Don't know if this fixed it for good or not. Also, I'd like to mention that I ran NAV in Safe Mode last week and it didn't find this item, so either the file is new or the updates added it.

Norton didn't fix the problem, it's back again. :(

0

-Run reglite : type--
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
into the address bar, or expand the same key.

-Rename the Folder Windows
to NotWindows highlighted as a purple folder
in the left hand pane of reglite.

-Click "AppInit_DLLs" again and clear the data value:
C:\WINDOWS\System32\ctlek.dll <- delete this line , (the name may have changed since you played with it)
'Apply' and 'ok' to set.

-Rename the NotWindows folder back to its
original name Windows

-Restart computer

Check in the system32 folder if the culprit dll is visible.

If it is, delete it.

0

I hope you guys solve this because I have a ladies PC here that has almost the identical problem. :sad:

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.