October 1st, 2004 13:00

Questionable entries in HJT log. Please review.

After some careless surfing the other day, and hours of cleaning out the resultant trash on my hard drive, my HJT log now looks like this. Still some questionable entries. Please kindly advise me. Thank you.

Nancy B's HJT log:


Logfile of HijackThis v1.98.2
Scan saved at 9:10:55 AM, on 10/1/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\UTILITIES\DRIVERS\LOGITECH_CORDLESS\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
D:\PROGRAMS2\SPYBOT_1-3\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
D:\PROGRAMS2\HIJACK_THIS_UPDATE\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\VIEWERS\QUIKVIEW.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE READER6\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\UTILIT~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs2\Spybot_1-3\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRAMS\ICQ2003B\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRAMS\ICQ2003B\ICQ\ICQ.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O12 - Plugin for .PD6: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

860 Posts

October 1st, 2004 16:00

Here are some sites where you can receive help analyzing your HijackThis log from trained experts. Note that the sites require registration before you will be able to post.
 Include your Hijackthis log in the post while explaining your problem at the same time.
http://radiosplace.com/
http://tomcoyote.com/hjt/#copyandpaste


Online Tools Resources
You can find almost everything here :) http://forums.subratam.org/index.php?showtopic=43
http://computercops.biz/downloads-cat-14.html
http://encyclopedia.thefreedictionary.com/Online%20Tools%20Resources
http://www.geekstogo.com/forum/index.php?showtopic=38
http://www.windowsbbs.com/showthread.php?t=31695
http://aumha.org/secure.htm

Kill Spyware Forums
http://forums.subratam.org/index.php?showforum=7
tools needed to get help http://forums.subratam.org/index.php?showtopic=7
Forum Led by: Forum Moderators,subratam,baskar1234(DELL REGULAR),efwis,Metallica,psyne, SpyDie, normmork, Admin,chrisRLG(DELL REGULAR)

http://www.bleepingcomputer.com/forums/forum22.html
Our Tutorials
http://www.bleepingcomputer.com/forums/forum6.html
How to submit a Hijackthis Log
http://www.bleepingcomputer.com/forums/topict956.html
HijackThis Tutorial - How to use HijackThis to remove Browser Hijackers & Spyware
http://www.bleepingcomputer.com/forums/tutorial42.html

Forum Led by: Moderators, Global Moderator, groovicus,Grinler(DELL REGULAR),harrywaldron,Papakid,


http://forums.net-integration.net/index.php?showforum=32
Forum Led by: Global Moderator, Administrators, Technical Experts, Technical Assistant, Team Spybot S&D, Technical Guide
TonyKlein,Eagle1,Galadriel,tashi,Archon_Wing,
Spybot Search & Destroy 1.X OFFICIAL FORUM
http://forums.net-integration.net/index.php?showforum=28

lavasoftsupport
http://www.lavasoftsupport.com/index.php?showforum=44
Forum Led by: SpyDie, Lavasoft Admins, Moderators
Newbies
http://www.lavasoftsupport.com/index.php?showforum=34


http://forum.gladiator-antivirus.com/index.php?showforum=170
Forum Led by: CalamityJane, LoPhatPhuud, FatsGordon,Hunter,TheSentinel,
Guidelines for Posting in This Forum, READ THIS FIRST PLEASE
http://forum.gladiator-antivirus.com/index.php?showtopic=10517
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index.php?showtopic=9857

860 Posts

October 1st, 2004 16:00

For immediate help or advice on HijackThis, or for further solutions before proceeding, you could also visit the online experts on the chat.
There may or may not be experts in the chat rooms, depending on the time you log into those chat rooms.

http://chat.skads.org/applet/
http://chat.subratam.org/
http://tech-touch.net/temp/indexold.php
http://www1.spywareinfo.com/chat/#chat
You will get a security warning; click yes if you get it. If you can't log in, press F5 on your keyboard to allow the page to refresh, then try and connect. Also click on join, and in the name type #killspyware
http://www.net-integration.net/chat1.html

4.8K Posts

October 1st, 2004 17:00

Nancy B.

Try doing a google search on "SpyDeleter". It didn't seem to have very favorable reviews. At first glance, here are some of the entries that look suspicious:

 O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

 O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/

 O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab


Remember to get a second opinion and do a little research before attempting to 'fix' these entries.

Good luck,

Mike.


 

302 Posts

October 1st, 2004 20:00

Hi,

You can fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.begin2search.com/googlesidesearch.html  
If this is a site you want, keep it; if it is a bad site, fix it.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/

These two are probably a problem:
http://www.spywarewarrior.com/rogue_anti-spyware.htm


O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

 

Not sure about these, you can do a Kaspersky scan on the files.
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRAMS\ICQ2003B\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRAMS\ICQ2003B\ICQ\ICQ.exe

Explorer needs an update for best security.

Regards.

cg

Message Edited by cghost on 10-01-2004 04:28 PM

54 Posts

October 2nd, 2004 01:00

Thank you James and Mike for your suggestions.

I am especially grateful to cg for actually
giving me something I can work on. And yes cg,
I have become brutally aware that I need IE6.
When these present pests are cleaned out, I will
belatedly upgrade my browser AND install Zone
Alarm--even though I have dialup.

Hopefully I can get this cleared up soon.

Thanks again.

Nancy


4.8K Posts

October 4th, 2004 17:00

Nancy,

These are the only entries that I see with "Your PC is infected...":

O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)

Since the executable files are missing, you should go ahead and delete these.

Mike.

 

54 Posts

October 4th, 2004 17:00

Below is my new HJT log.
I have removed as much of what cg suggested as I can.
I cannot get rid of the "Your PC is infected" entries.
Thank you for any additional help I might need with this log.
-Nancy



Logfile of HijackThis v1.98.2
Scan saved at 1:36:01 PM, on 10/4/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\UTILITIES\DRIVERS\LOGITECH_CORDLESS\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\USBMONIT.EXE
D:\PROGRAMS2\SPYBOT_1-3\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
D:\PROGRAMS2\HIJACK_THIS_UPDATE\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\VIEWERS\QUIKVIEW.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE READER6\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\UTILIT~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs2\Spybot_1-3\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O9 - Extra 'Tools' menuitem: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O12 - Plugin for .PD6: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab


5.8K Posts

October 4th, 2004 19:00

Hi Nancy:

It seems you are not the only one who is finding those '09-Extra button'
and '09-Extra Tools' entries hard to delete.

Grinler over at bleepingcomputer has suggested a fix involving creating
a small .reg file that seems to have worked for one poster: it is near the
bottom of the thread:

http://www.google.ca/search?q=cache:gh58tlhIA_0J:www.bleepingcomputer.com/forums/topictold1886.html+%7BFB74C951-ACA1-4e33-A94C-A9261EB2CCB7%7D&hl=en&lr=lang_en

54 Posts

October 7th, 2004 21:00

A note to cg:

I did as you suggested and even managed to get rid
of those pesty "Your computer is infected" entries.
Here is my current HJT log:


Logfile of HijackThis v1.98.2
Scan saved at 6:41:04 PM, on 10/7/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
D:\UTILITIES\NORTONSYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
D:\UTILITIES\DRIVERS\LOGITECH_CORDLESS\MOUSEWARE\SYSTEM\EM_EXEC.EXE
D:\PROGRAMS2\SPYBOT_1-3\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
D:\PROGRAMS2\HIJACK_THIS_UPDATE\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\VIEWERS\QUIKVIEW.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\PROGRAMS\ADOBE READER6\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [NAV Agent] D:\UTILIT~1\NORTON~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] D:\utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Programs2\Spybot_1-3\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O12 - Plugin for .PD6: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab

Thank you for your help.

Nancy


302 Posts

October 8th, 2004 15:00

Hi Nancy,

Sounds like you have worked hard, the log looks clean.

For the record in case someone else uses this thread for research, I was advised that the two "icq" lines that I mentioned in my post above related to instant messenger and could have been left.

It was also suggested to me that I should ask if these two lines relate to your isp, just to be sure they were not a problem:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/

Here is a thread for reading for additional information about security.

http://www.security-forums.com/forum/viewtopic.php?t=14711

Regards.

cg

54 Posts

October 8th, 2004 16:00

Yes, it was a struggle.  I now just need to upgrade my Browser (to IE6+)
and install Zone alarm--I was waiting until HJT read a clean system.

Thank you for your help, cg.

You asked:


Re:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.rcn.com/home/
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/

RCN is my ISP, but I use Yahoo for my home page.  Perhaps in that
case, I can remove those references to RCN?  Please advise.

And regarding those ICQ entries: I have no idea what happened to them.
Yes, I still have ICQ, but I only open it when I want to use it. 
Strange about the disappearing entries.  The nearest I can figure: they
seem to have disappeared when I upgraded my HJT program.  Does that
make any sense?

And I checked out that link.  Very informative.  Thanks

Nancy
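
Added example, not part of any poster's reply: a small Python sketch that parses the `R*`/`O*` lines of two HijackThis logs, lists what changed between scans, and flags removed entries marked `(file missing)` or O9 items whose target is a URL. The function names and the URL heuristic are assumptions made for illustration; the sample lines are abridged from the October 1st and October 7th logs in this thread.

```python
import re

# HijackThis entry lines look like "O9 - Extra button: ..." (section code, " - ", body).
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")

# Abridged from the October 1st log posted in this thread.
SCAN_FIRST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.begin2search.com/googlesidesearch.html
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\SYSTEM\USBMonit.exe
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - D:\PROGRAMS\ICQ2003B\ICQ\ICQ.exe
O9 - Extra button: Your PC is infected with Spyware - click here to fix your PC - {FB74C951-ACA1-4e33-A94C-A9261EB2CCB7} - https://www.spydeleter.com/order2.php?KBID=1004 (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
"""

# Abridged from the October 7th log posted in this thread.
SCAN_LAST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O14 - IERESET.INF: START_PAGE_URL=http://start.rcn.com/home/
"""


def parse_entries(log_text):
    """Return the set of (code, body) pairs for the R*/O* lines of a log.

    Header lines and the 'Running processes' list do not match and are skipped.
    """
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match["code"], match["body"]))
    return entries


def diff_scans(before, after):
    """Return (removed, added) entry lists between two scans, sorted."""
    old, new = parse_entries(before), parse_entries(after)
    return sorted(old - new), sorted(new - old)


def review_reasons(entry):
    """Illustrative heuristics only: reasons an entry deserves a closer look."""
    code, body = entry
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append("target file missing")
    if code == "O9":
        # Last " - " separated field is the button/menu item's target.
        target = body.rsplit(" - ", 1)[-1]
        if target.lower().startswith(("http://", "https://")):
            reasons.append("browser button points at a URL, not a local program")
    return reasons


if __name__ == "__main__":
    removed, added = diff_scans(SCAN_FIRST, SCAN_LAST)
    for entry in removed:
        note = "; ".join(review_reasons(entry)) or "no flag"
        print(f"removed {entry[0]}: {entry[1][:60]}... [{note}]")
    print(f"{len(added)} new entries since the first scan")
```

Entries that disappear without being flagged, such as the ICQ button here, still show up in the removed list, so a change between scans is visible even when nobody fixed it on purpose.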