Post #1, Nov 22 2004, 11:10 AM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
Thanks to all of you who help us out! I had downloaded a trial version of Super Utilities by Superlogix. After I reviewed the program, I decided I didn't want or need it. I uninstalled it, but it is still on my hard drive. How do I get rid of this or other programs like it? Also, I've included an HJT to ensure that all is well (?) on my PC. Thanks again for all of the help. Kathy
Post #2, Nov 22 2004, 11:15 AM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
Oops, forgot to paste in the HJT ... here it is.
Logfile of HijackThis v1.98.2
Scan saved at 10:03:13 AM, on 11/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...ler/install.cab
Post #3, Nov 22 2004, 02:36 PM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
An updated HJT log. I used the Wild Tangent program remover; however, I still see evidence of it on my Start / Programs list. I will not do anything else until I hear back about the best course of action.
Also, I've tried to run Active Scan and it does not work. Thanks, Kathy

Logfile of HijackThis v1.98.2
Scan saved at 1:33:34 PM, on 11/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...ler/install.cab
Post #4, Nov 22 2004, 03:01 PM
Learning Daily (Group: Members; Posts: 4,543; Joined: 9-July 04; From: Washington State, USA; Member No.: 1,322)
Hi, Kathy, I'll check your log. Describe, if you would please, the steps you take to run Active Scan and the results. The Wild Tangent can be uninstalled from the Add/Remove Programs. If it says something like "it seems that the program has been uninstalled" when you go to remove it, just confirm you want it "removed from the list". Try that.
-------------------- patiently patrolling, plenty of persistent pests n' problems ...
Post #5, Nov 22 2004, 03:10 PM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
Hi,
Removed Wild Tangent from Add/Remove. Active Scan: either from the link to Active Scan or from Panda's website, I click on the Scan Your PC button, click on Next (for acceptance of terms), click on Send (with email address). I get "Please wait a moment ...." and it just seems to hang. I've let it run for up to 30 minutes with nothing happening. That seems way too long compared to the other online scans I have run. Am I too impatient? Kathy
Post #6, Nov 22 2004, 10:38 PM
Learning Daily (Group: Members; Posts: 4,543; Joined: 9-July 04; From: Washington State, USA; Member No.: 1,322)
kpalys, Under those circumstances I would be considered very impatient myself. I'd have given up in 5 minutes and moved on.
Please make sure to work through the fixes in the exact order that they're presented below. You should also print out or copy this page to Notepad.

Let's try this:

Set your PC to: show hidden files. Additional information here.

Open your C:\HJT folder and double-click the icon. Close everything except HijackThis, nothing else on your desktop.

Run HijackThis: click Scan, and put a checkmark next to each of the following objects.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

The reason ttp://red.clientapps.yahoo.com/customi....yahoo.com is always said to be removed is because it is believed to be part of a java applet called redsherrif that acts as spyware.

O1 - Hosts: comments (such as these) may be inserted on individual

It looks like a modified host file is in place. Was this perhaps a result of trial & error?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

This O6 entry should only appear if "your administrator" set particular policies regarding the way your home page "works" on purpose, or if you used Spybot's Home Page and Option Lock down features in the Immunize section of Spybot. Did "they" (or you) do this?

O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/partner...ler/install.cab

When you're sure that the files marked for deletion are correct, click the Fix button.

Reboot your computer into Safe Mode by tapping F8 until the screen appears where you can use the up arrow to choose Safe Mode. Hit Enter.

Search for, locate and delete these files or folders. (Do not be concerned if they do not exist; the previous steps may have eliminated them.) Do not delete the main folders C:\WINDOWS or C:\Program Files. The best way to find them is to use: Start-->Search-->select "all files & folders"-->select "more advanced options"-->check search "system folders", "hidden files & folders" & "sub-folders". Delete manually.

C:\Program Files\Superlogix or Super Utilities <-- this folder only
C:\Program Files\Wild Tangent <-- this folder only

(In this way you can search for remnants of other programs that may remain after you have uninstalled them using Add/Remove Programs. Exercise care & caution, though. Ask specific questions if you are uncertain.)

Delete Temp Files
To clean out your temp files use: Start-->Run-->type in: %temp% and press the OK button. This should open up the temp directory that your machine uses. Please delete all files and folders found in the temp folder. If you get an error when deleting a file, skip that file and delete all the others. Doing this in Safe Mode you should be able to delete all the files.

Reboot your computer to go back to normal mode.

Delete Temporary Internet Files
Now I want you to Start-->Internet Explorer-->Tools-->Internet Options-->General tab-->Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, but when it is done your Temporary Internet Files will be deleted.

Empty the Recycle Bin.

Download this .zip file, HostFix. Unlike HJT, you may run this application from the desktop. (Examples of zip files after extraction to the desktop.) Extract HostFix: open the zipped folder and choose to extract to your desktop. Click "Finish". Then open the unzipped folder and double-click on the HostFix.exe file. With the program open, click "YES".

Run HijackThis again and post the new log as a reply to this post. (Include comments regarding any problems you might have had, and let us know if it's working better. Some additional options may exist.)
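The entries phawgg picks out of the log above can also be pulled out mechanically. The script below is an added example for this page; it is not code posted in the thread and not part of HijackThis. It splits a log in the v1.98 format into header, running processes and numbered entries, then applies four review rules that mirror the items marked for Fix above: R1 search entries pointing at red.clientapps.yahoo.com, any O1 hosts entry, the O6 policy entry, and O16 DPF entries downloaded from install.wildtangent.com. The sample log is a short constructed excerpt in the same format, and the rule table, function names and reason strings are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a short excerpt in HijackThis v1.98 log format,
# modelled on the logs posted in this thread (not a complete log).
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 10:03:13 AM, on 11/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {3A7FE611-1994-4EF1-A09F-99456752289D} (WildTangent Active Launcher) - http://install.wildtangent.com/ActiveLaunc...iveLauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
"""

# Every numbered HJT entry starts with a section code (R0, R1, F0, O1 ... O23)
# followed by " - " and the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str   # e.g. "O16"
    body: str      # everything after "O16 - "
    line: str      # the original line, for reporting


def parse_hjt(text):
    """Split a HijackThis log into (header lines, process paths, entries)."""
    header, processes, entries = [], [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            mode = "processes"
            continue
        m = ENTRY_RE.match(line)
        if m:
            mode = "entries"
            entries.append(Entry(m["section"], m["body"], line))
        elif mode == "processes":
            processes.append(line)
        else:
            header.append(line)
    return header, processes, entries


# Review rules (hypothetical, written for this example) that reproduce the
# items phawgg told the poster to check and Fix in this thread.
# Each rule: (section code, predicate on the entry body, reason to report).
RULES = [
    ("R1", lambda b: "red.clientapps.yahoo.com" in b,
     "search page/URL redirected to red.clientapps.yahoo.com"),
    ("O1", lambda b: True,
     "hosts file entry present (modified hosts file)"),
    ("O6", lambda b: "Policies" in b,
     "IE policy restriction set (Spybot lockdown or admin policy)"),
    ("O16", lambda b: "install.wildtangent.com" in b,
     "WildTangent ActiveX download (DPF) still registered"),
]


def review(entries):
    """Return [(original line, reason)] for entries a helper would mark for Fix."""
    flagged = []
    for e in entries:
        for section, pred, reason in RULES:
            if e.section == section and pred(e.body):
                flagged.append((e.line, reason))
                break   # one reason per entry is enough for a report
    return flagged


def sections_summary(entries):
    """Count entries per section code, e.g. {"O4": 1, "O16": 2}."""
    counts = {}
    for e in entries:
        counts[e.section] = counts.get(e.section, 0) + 1
    return counts


if __name__ == "__main__":
    header, procs, entries = parse_hjt(SAMPLE_LOG)
    print(header[0], "|", len(procs), "processes,", len(entries), "entries")
    print("per section:", sections_summary(entries))
    for line, reason in review(entries):
        print("FLAG:", reason)
        print("     ", line)
```

The parser is deliberately permissive about the header and process block (any line that is not a numbered entry lands in whichever block is current), so a log pasted with extra blank lines or a missing trailing newline still parses; the rules are where the judgement lives, and they are the part to extend when a helper's checklist grows.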
Post #7, Nov 23 2004, 12:37 AM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
phawgg,
I ran into problems with the last step of running HostFix. I received a Run Time Error '70' - Permission denied.

In answer to a couple of your other questions:

QUOTE: O1 - Hosts: comments (such as these) may be inserted on individual ... it looks like a modified host file is in place. Was this perhaps a result of trial & error?

Since I am not sure what a host file is or what it does, if I made changes I wasn't aware that I did (dangerous, huh!)

The second:

QUOTE: O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present ... or if you used Spybot's Home Page and Option Lock down features in the Immunize section of Spybot. Did "they" (or you) do this?

Yes, I did do this. Is this not a good thing to do (for future reference)?

So, with the exception of the last step, all went well. Here is the re-run of the HJT log. Oh, and should I go back and "hide" the files I unhid?

Logfile of HijackThis v1.98.2
Scan saved at 11:28:35 PM, on 11/22/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Continued thanks for all of your help.
kpalys
Post #8, Nov 23 2004, 09:43 AM
Learning Daily (Group: Members; Posts: 4,543; Joined: 9-July 04; From: Washington State, USA; Member No.: 1,322)
QUOTE: Oh, and should I go back and "hide" the files I unhid?

Yes, you sure can. File options like that are entirely optional, Kathy. The answers to the remainder of your questions will be forthcoming. Thank you for your patience.
~Joe
Post #9, Nov 23 2004, 01:47 PM
Learning Daily (Group: Members; Posts: 4,543; Joined: 9-July 04; From: Washington State, USA; Member No.: 1,322)
Hi, kpalys, I noticed you are online now. Things are kinda busy presently, which is to explain that my reply to you is still in line to be checked. While we wait I hope you can enjoy some of the other forums... to read or just to practice postin' and meet some o' the other members.
Post #10, Nov 23 2004, 03:11 PM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
Hi,
Yeah, I've been on a lot lately. I am both fascinated and educated every time I log on! Not to worry, I know there are people with very serious problems so I know you will answer when you have the opportunity.
Post #11, Nov 23 2004, 11:19 PM
Learning Daily (Group: Members; Posts: 4,543; Joined: 9-July 04; From: Washington State, USA; Member No.: 1,322)
Thanks for understanding, kpalys

Regarding the O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present:

QUOTE: Yes, I did do this. Is this not a good thing to do (for future reference?)

It's quite alright. Using the tools provided with Spybot S&D is a good thing, and I encourage you to continue to employ them and understand them. Spybot S&D v1.3 IE Tweaks is where you locked files. Simply unlock them when you intend to make changes.

"It looks like a modified host file is in place. Was this perhaps a result of trial & error?"

QUOTE: Since I am not sure what a host file is or what it does, if I made changes I wasn't aware that I did (dangerous huh!)

QUOTE: I ran into problems with the last step of running HostFix. I received a Run Time Error '70' - Permission denied.

Run-time error '70': Permission Denied is "typically the result of a security or permissions issue," according to Microsoft. The problem was that your files were locked. They suggest the following procedure at that page:

In Windows XP, follow these steps:
1. Run DCOM Config (DCOMCNFG.exe).
2. Click the Default Security tab.
3. Click the Edit Default button.
4. Click the Add button.
5. Click to select the Everyone account, and then click to select Allow Access in the Type of Access box.
6. Click OK.
7. Click OK again to close the Registry Values Permission dialog box.
8. Click OK to close the DCOM Config Properties dialog box.
9. Test the application again. (Which would mean: open the unzipped folder and double-click on the HostFix.exe file. With the program open, click "YES".)

DO run HostFix, but without all the bother of the Microsoft steps. It is designed to restore the default file that is provided when your Windows XP was first installed. You may already have that normal file in place, though. Probably do. Run HostFix and you will for sure.

As an alternative after using HostFix, which, now that your files are unlocked, should pose no problem...

You could once again choose to include the use of Spybot S&D at this point. Open (in) advanced mode-->Tools-->Host File. You will see these instructions there:

"This function will block specific Internet servers known for bad behaviour (mostly sites installing spyware or using tracking functions). If you decide to use this function, and notice a site you really want to reach is no longer available, please check to see if it is listed here."

Simply click "add list". Removal is just as easy: "remove list".

To summarize: Unlocking first would allow you to run HostFix successfully. Once it has run, we know your original file is in place. Spybot can be run next if you'd like extra protection alongside of the original, which will remain there. Should you decide at any time to remove the file Spybot replaces it with, to use for blocking sites, the original will be there to fall back on.

Please run HijackThis again and post the new log as a reply to this post. (Include comments regarding any problems you might have had.)
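To make the hosts-file discussion above concrete, here is an added example that audits a hosts file the way the explanation describes. It is not part of the thread, of HostFix or of Spybot S&D; the function names and bucket names are my own. The default localhost mapping goes in one bucket, names pointed at 127.0.0.1 or 0.0.0.0 (what a block list such as Spybot's adds) go in a second, and names pointed at any other address, which is the shape a redirecting hosts file takes, go in a third. A line that is neither a comment nor a valid mapping is reported as malformed rather than silently skipped, which is what a scanner has to do with text it cannot interpret. The hosts content is constructed for this example: it uses the default Microsoft comment header and reserved .invalid hostnames, and nothing in it comes from the poster's machine.

```python
import ipaddress

# Constructed sample hosts file (not taken from the poster's machine): the
# default Windows XP comment header, the default localhost line, one line
# whose leading '#' is missing, two block-list style lines and one redirect.
SAMPLE_HOSTS = r"""# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.

127.0.0.1       localhost
comments (such as these) may be inserted on individual
127.0.0.1       ads.example-tracker.invalid     # block-list style: name sent to loopback
0.0.0.0         spyware-installer.invalid       # block-list style: name sent nowhere
198.51.100.7    www.example-bank.invalid        # redirect: name sent to a real address
"""

# Addresses a block list uses as a sink: traffic to the name goes nowhere useful.
SINK_ADDRS = {
    ipaddress.ip_address("127.0.0.1"),
    ipaddress.ip_address("0.0.0.0"),
    ipaddress.ip_address("::1"),
}


def parse_hosts(text):
    """Return (entries, malformed).

    entries:   list of (line_no, ip_address object, [hostnames])
    malformed: list of (line_no, raw line) for non-comment lines that are
               not "<address> <name> [<name> ...]".
    """
    entries, malformed = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip trailing comment
        if not line:
            continue                           # blank or comment-only line
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            malformed.append((no, raw.rstrip()))
            continue
        if len(parts) < 2:
            malformed.append((no, raw.rstrip()))  # address with no name
            continue
        entries.append((no, ip, parts[1:]))
    return entries, malformed


def classify(entries):
    """Bucket mappings as 'default' (localhost only), 'blocklist' (other names
    sent to a sink address) or 'redirect' (names sent anywhere else)."""
    buckets = {"default": [], "blocklist": [], "redirect": []}
    for no, ip, names in entries:
        record = (no, str(ip), names)
        if ip in SINK_ADDRS and all(n.lower() == "localhost" for n in names):
            buckets["default"].append(record)
        elif ip in SINK_ADDRS:
            buckets["blocklist"].append(record)
        else:
            buckets["redirect"].append(record)
    return buckets


def audit(text):
    """Full report: the three mapping buckets plus the malformed lines."""
    entries, malformed = parse_hosts(text)
    report = classify(entries)
    report["malformed"] = malformed
    return report


if __name__ == "__main__":
    for bucket, items in audit(SAMPLE_HOSTS).items():
        print(f"{bucket}: {len(items)}")
        for item in items:
            print("   ", item)
```

In a real audit the redirect bucket is the one to read first: a hostname sent to a routable address overrides DNS for every program on the machine, which is exactly why HostFix restores the stock file before anything else is layered on top. The blocklist bucket tells you whether a tool like Spybot's Host File function is in place, and the malformed bucket shows you what a line looks like after its leading '#' has gone missing.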
Post #12, Nov 23 2004, 11:41 PM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
phawgg,
Since I'm not sure, I will ask before I proceed. Your statement: "In Windows XP, follow these steps: 1. Run DCOM Config (DCOMCNFG.exe)." Do you mean Start, Run and type in the file name?
Post #13, Nov 24 2004, 02:38 AM
Learning Daily (Group: Members; Posts: 4,543; Joined: 9-July 04; From: Washington State, USA; Member No.: 1,322)
Thanks for askin', kpalys.
No, don't run it... and yes, that is how you would do it if you did.

QUOTE: They suggest the following procedure at that page: In Windows XP, follow these steps:

QUOTE: DO run HostFix, but without all the bother of the Microsoft steps

I just thought you wanted to know why the error message. Your PC didn't know you'd ticked a box or two in Spybot & that's the only thing "they" write as an answer to that error message. It's a sorta close-but-no-cigar answer that leads to more questions, the sorta thing I'm finding typical of most answers I find at the Help & Support Center. In all fairness, I'm just like you in that I simply use an OS I don't fully understand and probably never will. I try.

You'll be safe following the steps. Don't bother with the "run DCOM Config". Information only. Sorry it confused you. (It might have done the same to me a month ago, I guess.)
Post #14, Nov 24 2004, 11:08 AM
Member (Group: Members; Posts: 33; Joined: 18-November 04; From: Minnesota; Member No.: 5,397)
Don't mind me ... as I re-read your last reply I see more clearly what you were saying.
Was it a problem that I deleted the following from the previous log?

QUOTE: O1 - Hosts: comments (such as these) may be inserted on individual

Here is the newest log ...

Logfile of HijackThis v1.98.2
Scan saved at 10:01:56 AM, on 11/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SmartDisk\FlashPath\sdstat.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\ETRUST~1\ETRUST~1\VetTray.exe
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Anti-Spam\QSP-2.1.212.0\QOELoader.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: FlashPath Monitor.lnk = C:\Program Files\SmartDisk\FlashPath\sdstat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://ppupdates.ca.com/downloads/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Thanks .....
Nov 24 2004, 02:20 PM
Post #15

Learning Daily
Group: Members Posts: 4,543 Joined: 9-July 04 From: Washington State, USA Member No.: 1,322
kpalys, now that you have a clean log, you should disable & re-enable your System Restore to set a new restore point. This ensures that there are no infected files found in a restore point left over from what we have just cleaned. Additional information & instructions are here.

QUOTE
Was it a problem that I deleted the (?) from the previous log?

I don't see any problems in your log now.

Some other steps to be taken are:
1. Use secure Internet Explorer settings

Please enact them for your own sake and that of the Internet itself.
9. Use BleepingComputer Tutorials & Resources Frequently. "and check for updates...

Switching from Internet Explorer to Firefox
Four Simple Steps for removing Spyware, Hijackers, Viruses, and other Malware
Simple and easy ways to keep your computer safe and secure on the Internet
Using Spybot - Search & Destroy to remove Spyware from Your Computer
Using Ad-Aware SE to remove Spyware & Hijackers from Your Computer
Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware
Guide to Windows XP Recovery Features
Steps to take when connecting a new computer to the Internet

--------------------
patiently patrolling, plenty of persistent pests n' problems ...