Go Back   Cyber Tech Help Support Forums > Software > Malware Removal

Notices

Malware Removal Discussion about Trojans, viruses, hoaxes, firewalls, spyware, and general Security issues. If you suspect your PC is infected with a virus, trojan or spyware app please include any supporting documentation or logs

Reply
 
Topic Tools
  #1  
Old February 26th, 2004, 02:02 PM
jadeelisha jadeelisha is offline
New Member
 
Join Date: Feb 2004
Location: Perth, WA
Age: 42
Posts: 27
Unhappy Hacker Or Not?

Is there anyway to detect if someone has a keystroke virus operating on my pc. On Wed. my hotmail account was hacked, so i changed ALL my net passwords (bank, mail, subscriptions etc) and then tonight my other email account was hacked. I get messages in my inbox stating that i have attempted to send a msg and it has failed, followed by the msg and intended recipient- all of which i never even tried to do. I am wondering if i have a keystroke virus on my pc. My passwords are combos of letters and numbers so its not like they are easy!

HELP!
Reply With Quote
  #2  
Old February 26th, 2004, 03:11 PM
2 fingers 2 fingers is offline
Senior Member
 
Join Date: Feb 2004
Location: ny
Age: 66
Posts: 120
I came here for help and in the process have learned a little about to trouble shoot PC problems....I think i remember in some of my Hijack This...logs that there were some keystroke bugs......and I figured that was one of those , that you are talking about....with spyware and keystroke watching viruses....its just supports my thinking I will never put my bank account online nor go into my 401K account the same way......bob
Reply With Quote
  #3  
Old February 26th, 2004, 04:21 PM
renegade600's Avatar
renegade600 renegade600 is offline
CTH Subscriber
 
Join Date: Sep 2003
O/S: Linux
Location: Osceola, Ar
Posts: 26,675
run spybot or adaware also download, install in its own folder, run and post the log from hijackthis and someone will look at it
Reply With Quote
  #4  
Old March 1st, 2004, 07:32 AM
jadeelisha jadeelisha is offline
New Member
 
Join Date: Feb 2004
Location: Perth, WA
Age: 42
Posts: 27
My Hijack This Log

I posted a msg about my emails being hacked. Here is my Hijack this log if anyone can help!

Logfile of HijackThis v1.97.7
Scan saved at 2:30:45 PM, on 1/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\Winword.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jade Muir\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optusnet.com.au/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iPrimus
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll
O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JADEMU~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SaveNow] C:\PROGRA~1\SaveNow\SaveNow.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://216.82.66.200/build/preload.cab
O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://usa-download.nocreditcard.com...661/dialer.exe
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/Shar...in/AvSniff.cab
O16 - DPF: {2D0C7226-747E-11D6-83F0-00E04C4A2F90} (Mediachip ADPlayer Control) - http://videoad.sohu.com/video/MCADPlayer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...575.1933217593
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://217.145.76.6/quickdl/proclaim/nsupd9x.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B34764B-DDA1-4575-B8A8-39CBC373A17B}: NameServer = 203.2.75.132 198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B34764B-DDA1-4575-B8A8-39CBC373A17B}: NameServer = 203.2.75.132 198.142.0.51

Thanks guys!
Jade

(ps be explicit in any instructions for i am techno challenged!)
Reply With Quote
  #5  
Old March 1st, 2004, 10:08 AM
mike mike is offline
CTH Subscriber
 
Join Date: Sep 2000
Posts: 3,302
Hi jadeelisha,

There`s afew diallers there, so just in case someone clicks on them ( the cost lots of dollars) get rid of those first.

Close ALL browser Windows and Windows Explorer windows, only have HijackThis running.

In HiJackThis, Check the boxes beside the below entries, then click on "Fix checked" .

O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab

O16 - DPF: {03C543A1-C090-418F-A1D0-FB96380D601D} (preload control) - http://216.82.66.200/build/preload.cab

O16 - DPF: {11111111-1111-1111-1111-111111111111} - http://usa-download.nocreditcard.co...1661/dialer.exe

O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_50006/btiein.cab

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.exe

O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://217.145.76.6/quickdl/proclaim/nsupd9x.cab

Close Hijack This.

Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,
then press the "Enter" key)

Make sure you can see Hidden files and Folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Go to :
C:\Documents and Settings\Jade Muir\Local Settings\Temp

and empty all the files out of the TEMP folder. ( do not delete the folder,,,, just the files in it.)
Your looking for files like dia1.exe, dia2.exe, dload.exe, any shortcuts,

Also empty all temp folders for all users when the log on.

Also empty C:\windows\Temp folder.

Reboot computer.
Reply With Quote
  #6  
Old March 1st, 2004, 10:29 AM
mike mike is offline
CTH Subscriber
 
Join Date: Sep 2000
Posts: 3,302
Hi,

Please go to Control Panel---Add/Remove Pprograms, and uninstall/remove New.Net .
If it isn't listed, go here for removal instructions:
http://www.newdotnet.com/#remove

Reboot computer when New.Net is uninstalled.


Close ALL browser Windows and Windows Explorer windows, only have HijackThis running.

In HiJackThis, Check the boxes beside the below entries, then click on "Fix checked" .

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=%tb_id

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=%tb_id

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll


O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\System32\btiein.dll

O2 - BHO: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - C:\PROGRA~1\COMMON~1\BTLINK\btlink.dll

O2 - BHO: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"

O4 - HKLM\..\Run: [WebInstall2] C:\WINDOWS\Temp\Adware\WebInstall.exe /R

O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\JADEMU~1\LOCALS~1\Temp\tb_setup.exe /dcheck

O4 - HKLM\..\Run: [SaveNow] C:\PROGRA~1\SaveNow\SaveNow.exe

O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup

O4 - HKLM\..\Run: [b3dupdate] C:\WINDOWS\BDE\b3dsetup.Exe -silent -p "C:\WINDOWS\BDE" -s setup.cab

O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe


Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,
then press the "Enter" key)

Make sure you can see Hidden files and Folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html


Then delete the below files and Folders:


C:\Program Files\DelFin ........( delete DelFin folder)

C:\WINDOWS\Temp\ ...........(Empty folder)

C:\Documents and Settings\Jade Muir\LOCAL Settings\Temp ........(Empty folder)

C:\PROGRAM Files\SaveNow ........( delete SaveNow folder)

C:\PROGRAM FiLEs\NEWDOTNet ........( delete NEWDOTNet folder)

C:\WINDOWS\BDE ........( delete BDE folder)

C:\PROGRAM Files\ezula ........( delete ezula folder)


Reboot computer, and post back a new HJT log to this thread, please.

Cheers.
Reply With Quote
  #7  
Old March 1st, 2004, 12:29 PM
mike mike is offline
CTH Subscriber
 
Join Date: Sep 2000
Posts: 3,302
Hi,
Also have HJT FIX the 2 below entries:

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

They don`t look right....and wont hurt anyway.

Cheers
Reply With Quote
  #8  
Old March 2nd, 2004, 03:23 AM
Commandr's Avatar
Commandr Commandr is offline
Senior Member
 
Join Date: Jan 2004
Location: The center of the Universe
Age: 39
Posts: 282
Quote:
Originally Posted by mike
Hi,
Also have HJT FIX the 2 below entries:

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

They don`t look right....and wont hurt anyway.

Cheers
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

Microsoft Office Indexing process used by Microsoft Office applications to index Office documents to speed up search operations. Your choice if you want to speed up your searches by hundreths of seconds.

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

This is the office assistant, usually the annoying paper clip. Recommended you fix him unless you use the office assistant.
Reply With Quote
  #9  
Old March 2nd, 2004, 09:36 AM
jadeelisha jadeelisha is offline
New Member
 
Join Date: Feb 2004
Location: Perth, WA
Age: 42
Posts: 27
Mike
OK I followed ur instruction (thankyou so much!) but i encountered some probs. Could not locate DelFin, SaveNow, NewDot, BDE or Ezula files. Also could not delete entire contents of my Temp File. And finally, the web connection to NewDot did not work! Anyway, here is my HJT log.....

Logfile of HijackThis v1.97.7
Scan saved at 4:23:55 PM, on 2/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\NPROTECT.EXE
C:\PROGRA~1\NORTON~3\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Jade Muir\My Documents\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://optusnet.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by iPrimus
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WeatherCast] C:\Program Files\WeatherCast\Weather.exe /q
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/Shar...in/AvSniff.cab
O16 - DPF: {2D0C7226-747E-11D6-83F0-00E04C4A2F90} (Mediachip ADPlayer Control) - http://videoad.sohu.com/video/MCADPlayer.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...575.1933217593
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by7fd.bay7.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B34764B-DDA1-4575-B8A8-39CBC373A17B}: NameServer = 203.2.75.132 198.142.0.51
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B34764B-DDA1-4575-B8A8-39CBC373A17B}: NameServer = 203.2.75.132 198.142.0.51

Jade
Reply With Quote
  #10  
Old March 2nd, 2004, 09:28 PM
mike mike is offline
CTH Subscriber
 
Join Date: Sep 2000
Posts: 3,302
Hi,
Your new log looks OK.

But can you double-check for the folders listed that you couldn`t find:
DelFin, SaveNow, NewDot, BDE or Ezula

Open Windows Explorer, ....They should be under C:\Program FIles .
And I thought at least one of them would be in Add/Remove PRograms.

Make sure you can see Hidden files and Folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Try emptying Temp folder in Safe Mode.

Also goto Add/Remove Programs and look for any unknown programs listed.
Uninstall/Remove any you didn`t install.
Post back if unsure about any progs listed.

The link to remove NewDotNet works OK for me.
If NEwDot Net is there somewhere , use the uninstall or removal link:
http://www.newdotnet.com/#remove
to remove it.
Removing NewDotNet willy-nilly can result in losing internet connection.



Cheers
Reply With Quote
Reply

Bookmarks

Topic Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Topics
Topic Topic Starter Forum Replies Last Post
hacker idr Malware Removal 2 April 14th, 2019 03:28 PM
R U a Hacker? Jintan Open Discussion 3 December 4th, 2011 12:28 AM
hacker? ikey Malware Removal 1 May 11th, 2009 07:47 AM
Could this be a hacker? please help. Terlain888 Applications 7 March 7th, 2007 06:42 AM
Hacker sirlarry07 Malware Removal 12 November 3rd, 2004 10:46 PM


All times are GMT +1. The time now is 05:54 AM.