Newbie
Aargh. Help with HijackThis log? I've run Spybot S&D, which didn't find or fix the following:
In my Control Panel > Add/Remove Programs are these unknown installed programs:
Context Display
LookSmart Search
Lycos Search
RON Display
TSA
TV Media
In Task Manager are:
ts.exe
tsl.exe
tsm.exe
*These three apparently come from a directory in C:\Program Files\Common Files\tsa; the tsa dir also includes a subdir called "rainbow."
I downloaded and ran HijackThis; log follows (have no idea how to interpret it). I'm also getting popups that aren't blocked by Google (all of a sudden - until yesterday it blocked everything fine) and my husband's account on WinXP is hanging on shutdown, trying to close tsl.exe (which has to be closed by Task Manager or it won't stop).
HijackThis log:
Logfile of HijackThis v1.98.1
Scan saved at 8:59:42 PM, on 8/1/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\tsa\tsm.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\WinZip8.1\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\tsa\ts.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\unzipped\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\blank.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINNT\system32\blank.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = C:\WINNT\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = C:\WINNT\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINNT\system32\blank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = C:\WINNT\system32\blank.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = C:\WINNT\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = C:\WINNT\system32\blank.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = C:\WINNT\system32\searchbar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.searchv.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = C:\WINNT\system32\searchbar.html
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [1stDialer] A:\1stdialer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\Run: [Tsa] C:\PROGRA~1\COMMON~1\tsa\tsm.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Calendar.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkscal.exe
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip8.1\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8...-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8....-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5....-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8...-ob-assets.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/Gt1nc.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nadp.org/CFIDE/classes/CFJava.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/co...y/iesnoopy.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex...86/ietimer.cab
O16 - DPF: {5E3E59C4-7847-11D0-9081-0080C76A0985} (IPTDImageControl.SImage) - http://activex.microsoft.com/activex...agecontrol.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_0_2_7.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/activex...b/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2429ED26-200E-487E-93BA-1059B137C881}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2429ED26-200E-487E-93BA-1059B137C881}: NameServer = 205.188.146.146
Any help is greatly appreciated.
Thanks,
Psych
D-A-L Team Member (UK)
Hiya Psych,
Could you please download and run CWShredder which will get rid of the majority of CWS Browser Hijacker infections. Please ensure that you click Fix and click Ok to any prompts. Make sure you don't only scan.
Then post a new Hijack This log.
Newbie
Downloaded and ran CWShredder; here's the new log.
Logfile of HijackThis v1.98.1
Scan saved at 902 PM, on 8/6/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\system32\drivers\dcfssvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\PhoneTools\CapFax.EXE
C:\WINNT\System32\LXSUPMON.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\TurboNote\tbnote.exe
C:\Program Files\WinZip8.1\WZQKPICK.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 7.0\waol.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\My Documents\My Downloads\Installed Zips\HijackThis\HijackThis.exe
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.3\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar_en_2.0.107-big.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CapFax] C:\Program Files\PhoneTools\CapFax.EXE
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [1stDialer] A:\1stdialer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Startup: Calendar.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkscal.exe
O4 - Startup: WallMaster.lnk = C:\Program Files\WallMaster\wallmast.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: TurboNote.lnk = C:\Program Files\TurboNote\tbnote.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip8.1\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar_en_2.0.107-big.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .ipp: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .ipt: C:\Program Files\Internet Explorer\Plugins\npimth32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.8...-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.8....-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5....-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.8...-ob-assets.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/Gt1nc.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nadp.org/CFIDE/classes/CFJava.cab
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} (SnoopyCtrl Class) - http://aol.ea.com/downloads/games/co...y/iesnoopy.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {59CCB4A0-727D-11CF-AC36-00AA00A47DD2} (Timer Object) - http://activex.microsoft.com/activex...86/ietimer.cab
O16 - DPF: {5E3E59C4-7847-11D0-9081-0080C76A0985} (IPTDImageControl.SImage) - http://activex.microsoft.com/activex...agecontrol.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {908F3C82-B57E-11D4-BF33-00A0CCE8754B} (TInterActXInstallObject) - http://www.mathxl.com/wizmodules/int...ctXInstall.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_0_2_7.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.microsoft.com/activex...b/ikcntrls.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2429ED26-200E-487E-93BA-1059B137C881}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{2429ED26-200E-487E-93BA-1059B137C881}: NameServer = 205.188.146.146
What's still there that shouldn't be?
Thanks again!
Psych
D-A-L Team Member (UK)
Hiya,
As advised in the Hijack This Logs posts, don't run CWShredder before posting a Hijack This log. Sometimes it actually temporarily removes the hijacker so that we can't see it when you post the log, then it returns. Could you give us details about the hijack please (eg, the website). This will help, then I or someone else will take a look at the log.
Newbie
Originally Posted by owen
Actually, you advised me to DL and run CWShredder, then post a new Hijack log:
>>>>>Hiya Psych,
Could you please download and run CWShredder which will get rid of the majority of CWS Browser Hijacker infections. Please ensure that you click Fix and click Ok to any prompts. Make sure you don't only scan.
Then post a new Hijack This log.
__________________
Owen,
www.isecurity.org.uk
Useful Diagnostics:
Disable System Restore
Post a Hijack This Log
Show Hidden Files and Folders
Thanks again...
Psych
Last edited by owen; 08-08-2004 at 03:39 PM.
D-A-L Team Member (UK)
Thats why posting multiple threads causes confusion. Next time please reply to this thread. If you can't find this thread, View your profile and click Find All Posts. You will then be able to find this thread again. I have merged the new posts with the old posts to keep everything together
Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O4 - HKLM\..\Run: [1stDialer] A:\1stdialer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/Gt1nc.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nadp.org/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Click Fix Checked
Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.
Go to the Control Panel and go to Add/Remove programs. Uninstall WildTangent (its spyware).
Then go to C:\Program Files and delete the following:
TvMedia
WildTangent
Reboot and post a fresh log
Newbie
Hokay <sigh>. Did everything up to and including "Fix Checked." Hijack fixed it all, I booted to Safe Mode, ensured I was showing hidden, tried to uninstall WT...and it did nothing. What I got when I tried was a really fast dialog box that I couldn't read--this thing was there and gone in a flash--and the entry remained the same. Tried multiple times and got the same deal. I was able to uninstall TVmedia--it appears to be gone, but...Close all browser windows, restart Hijack This and put a checkmark next to the following entries:
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O4 - HKLM\..\Run: [1stDialer] A:\1stdialer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaE ngineMain
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.netpaloffers.net/NetpalOffers/DMO1/Gt1nc.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://www.nadp.org/CFIDE/classes/CFJava.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
Click Fix Checked
Then boot into Safe Mode and ensure that you are showing Hidden Files and Folders.
Go to the Control Panel and go to Add/Remove programs. Uninstall WildTangent (its spyware).
Then go to C:\Program Files and delete the following:
TvMedia
WildTangent
Reboot and post a fresh log
...when I tried to delete the \Program Files\TvMedia dir in Explorer, (still in Safe Mode at this point), it said that Tvm.exe was in use by another program and it couldn't delete it. I also didn't delete the \Program Files\WildTangent dir because I thought it might have uninstall info that Add/Remove Programs needs, altho I couldn't find an uninstall.exe anywhere there.
Ideas? Also, what about the other progs in Control Panel that appeared out of nowhere--Context Display, LookSmart Search, Lycos Search, RON Display, and TSA? Shoud I try to uninstall them? Or delete the directories?
Thanks,
Psych
D-A-L Team Member (UK)
Could you delete the WildTangent dir if it doesn't uninstall. That way we will be able to get rid of it.
Newbie
Yes, was able to delete it. What about the other stuff? Also, after I had Hijack fix the stuff last time and uninstalled the TVmedia program, when I try to run any AOL games (under AOL's browser), I get a prompt that says "To display this page correctly, you need to download and install the following components: Java virtual machine." I'm assuming that either a) Hijack removed the component I need; b) AOL needs WildTangent, and I somehow did manage to uninstall it, although it's still there; or c) TVmedia has something to do with it. Should I DL and install the Java VM?
Last edited by PsychMajor; 12-08-2004 at 01:58 AM.
D-A-L Team Member (UK)
No, Java VM from Microsoft is not as secure as Java from Sun Microsystems. They actually own the Java Trademarks/Copyrights etc. Download Java from www.java.com.
Then post a fresh log
