Unsolved
This post is more than 5 years old
20 Posts
0
942
Gaobot!inf virus removal (is it possible?)
Have read a note by ChrisRLG on things to try to get rid of
Gaobot...and have done these. Now get a clean bill of health from Spybot and Ad-Aware (using default settings). At least my machine does not shut down now but still get Norton reporting the presence of W32.Gaobot!inf.... cannot do a LiveUpdate on Norton and machine dead slow for first 10 minutes at least....then it seems to operate fairly normally.
My Norton is up to date as of 2/4/05 but as stated I can't update it any more. However, the Norton tool to remove Gaobot finds nothing to remove even though Norton says I have it. I have booted in safe mode and tried to run the Norton removal too and it still doesn't find anything. I have searched other threads and seen that one or two other people have given up and resorted to reformatting.
My HJT file is here if anyone can help! Thanks!!
Logfile of HijackThis v1.97.7
Scan saved at 00:23:04, on 04/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco\VPNClient\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\SYSTEM32\Drivers\dadapp.exe
C:\WINNT\SYSTEM32\Drivers\DadTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\WINNT\system32\soundtasks.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O1 - Hosts: 64.237.53.4 my.search
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINNT\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: ICI PLC ICI Extranet Client.lnk = C:\Program Files\Cisco\VPNClient\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton Internet Security Professional.lnk = C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\IntroWiz.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Sametime Meeting Room Client ST30SP1 - http://134.239.53.100/sametime/stmeetingro...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://134.239.53.100/sametime/stmeetingro...STJNILoader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7996.0825231482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EC38B9-5290-45C4-A0F2-4CFAB1A9716B}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{41EC38B9-5290-45C4-A0F2-4CFAB1A9716B}: NameServer = 62.241.160.200 158.43.240.3
My Norton is up to date as of 2/4/05 but as stated I can't update it any more. However, the Norton tool to remove Gaobot finds nothing to remove even though Norton says I have it. I have booted in safe mode and tried to run the Norton removal too and it still doesn't find anything. I have searched other threads and seen that one or two other people have given up and resorted to reformatting.
My HJT file is here if anyone can help! Thanks!!
Logfile of HijackThis v1.97.7
Scan saved at 00:23:04, on 04/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco\VPNClient\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\SYSTEM32\Drivers\dadapp.exe
C:\WINNT\SYSTEM32\Drivers\DadTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\WINNT\system32\soundtasks.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINNT\system32\internat.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O1 - Hosts: 64.237.53.4 my.search
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINNT\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: ICI PLC ICI Extranet Client.lnk = C:\Program Files\Cisco\VPNClient\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton Internet Security Professional.lnk = C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\IntroWiz.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Sametime Meeting Room Client ST30SP1 - http://134.239.53.100/sametime/stmeetingro...gRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://134.239.53.100/sametime/stmeetingro...STJNILoader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7996.0825231482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EC38B9-5290-45C4-A0F2-4CFAB1A9716B}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{41EC38B9-5290-45C4-A0F2-4CFAB1A9716B}: NameServer = 62.241.160.200 158.43.240.3
Texruss
3.4K Posts
0
May 4th, 2004 22:00
It's here...Chris saw this one a few weeks ago:
C:\WINNT\system32\internat.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O1 - Hosts: 64.237.53.4 my.search
Comments: hostile redirect of HOST file entry
Scan in Hijackthis...check the box to the left of those three entries.
With no other windows open click Fix checked.
Boot in safe mode, enable hidden files and drill down in Explorer (type the word explorer at Start/Run box) and click OK:and delete
C:\windows\system32\internat.exe file
Reboot to SAFE mode
How to start the computer in Safe mode
Show hidden files.
Show hidden files and folders
Reboot to normal mode and scan with AV.
Post back a new HJT log after doing this.
After the final all clear is given by us you should flush your Restore Points for XP. That means disabling the Restore Point, rebooting to flush it, then re-enabling a new Restore Point. The reason why we need to do this is to purge the bad files hidden in System restore which can't be cleaned by your antivirus programs.
HTH,
Texruss
mark_p
20 Posts
0
May 5th, 2004 18:00
Bleedin' marvellous! Thanks!
On the surface all seems to be well. I don't have XP though so don't think I can flush my Restore Points. or can I? I have W2000.
Here is my currect HJT file
Thanks again.
Logfile of HijackThis v1.97.7
Scan saved at 20:17:26, on 05/05/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco\VPNClient\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISUM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\SymPxSvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\NISSERV.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINNT\system32\RUNDLL32.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINNT\SYSTEM32\Drivers\dadapp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\SYSTEM32\Drivers\DadTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\soundtasks.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\ATRACK.EXE
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\AIM95\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\WINNT\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [iamapp] C:\PROGRA~1\SYMANT~1\SYMANT~1\IAMAPP.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Belkin Mouse 1.0\MOUSE32A.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [soundtasks] soundtasks.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\RunServices: [soundtasks] soundtasks.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - Global Startup: ICI PLC ICI Extranet Client.lnk = C:\Program Files\Cisco\VPNClient\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Norton Internet Security Professional.lnk = C:\Program Files\Symantec_Client_Security\Symantec Client Firewall\IntroWiz.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Sametime Meeting Room Client ST30SP1 - http://134.239.53.100/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {24CEC0BF-C8BC-4BCB-B804-226326B319EF} (JNILoader Control) - http://134.239.53.100/sametime/stmeetingroomclient/STJNILoader.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0309.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7d90ae05585062/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37996.0825231482
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash4/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{41EC38B9-5290-45C4-A0F2-4CFAB1A9716B}: NameServer = 62.241.160.200 158.43.240.3
O17 - HKLM\System\CS1\Services\Tcpip\..\{41EC38B9-5290-45C4-A0F2-4CFAB1A9716B}: NameServer = 62.241.160.200 158.43.240.3
Texruss
3.4K Posts
0
May 5th, 2004 19:00
No...you are correct...no Restore feature in W2K. Mea culpa (dang...5 mistakes in 900 posts...
my average just slumped a notch). >;->
Other than that...way to go! You got'em.
You look clean and hearty congratulations!
1. The main cleanup programs:
Spybot Search&dDestroy, Ad-aware Run weekly - or after a heavy internet session.
Chris has posted an excellent tutorial by dgosling on how to run Spybot S&D and also how to enable customized deep scanning functions for Adaware. Once you set these options they will be retained for future scans by Adaware.
Follow the directions in this detailed guide for Spybot and Adaware...go slow on the directions for the custom setup of Adaware:
http://www.cjwd.demon.co.uk/spybot-adaware.html
I also like to run Windows Disk Cleanup after cleaning with those two tools. Make sure you reboot if any reboot cleanup functions of Spybot and Adaware are advised by these tools (this may happen at the end of their cleanup).
Reboot and click on Start/Run/ type: cleanmgr
I check all the selected items to be deleted here.
2. Proactive programs: Spywareblaster & Spywareguard, first sets kill bits to stop known bad MSIE ActiveX scripts from installing, second acts like your AV to stop browser hijacks and installing of known baddies.
3. IE-Spyad, puts 4000 bad sites in your restricted (banned) sites list, to stop you accidentally getting sent to a bad site, it has optional list of "bad" adult sites to install as well.
Links for these at: http://www.cjwd.demon.co.uk/compsafetyonline.html
4. Don't forget keeping Windows updated. The automatic updates frequently fail so run it manually once a week or when new updates are publicized.
Windows Live Update Page
http://v4.windowsupdate.microsoft.com/en/default.asp
Free Windows Security CD (for those who qualify):
www.microsoft.com/security/protect/cd/order.asp
5. Keep your antivirus updated.
Free AVG Antivirus for home users: http://www.grisoft.com
6. Practice safe computer habits. Don't click on strange email attachments thinking your AV will defend you. Usually it will. Sometimes it won't when a new virus hits the Net and definitions take hours to create by the AV vendors. There is only one defense that works 100% for the safe protection of your machine's personal data and that is timely and accurate backups of your files. Hard drives die, viruses ruin your files, and other bad things can happen (fire, theft, etc..). Offsite backups are the best.
7. Don't forget our great analysis tool Hijackthis. We have a lot of gratitude we need to show towards the author Merijn. I hope he does great things in his future endeavors and is richly rewarded for his time and expertise in providing this super program.
Hijackthis (to analyse your system and submit a log file to expert forums):
http://tomcoyote.com/hjt
(for Hijackthis logs...please copy to and run Hijackthis.exe into a new folder you create in the root level of the C: drive. Name this folder HJT for best and safest results). (don't put in a temp folder, or the Windows desktop, etc...as it needs a safe folder to keep backup logs). Also when people post here and place it on the Desktop the log usually shows their full name since their Windows user profile is commonly named with their full name. We try not to disturb your privacy. *;-)
See this link for graphical instruction: http://russelltexas.com/spywareinfo/createhjtfolder.htm
Forums for help and analysis of your Hijackthis logfile:
http://forums.us.dell.com/supportforums
http://forums.tomcoyote.com
http://www.spywareinfo.com/forums
http://www.computercops.us/forums.html
http://forums.net-integration.net
http://boards.cexx.org
http://www.wilderssecurity.com
Good luck and safe computing!
Texruss