06-30-2004, 01:57 PM   #1 (permalink)
whosulator (Registered User)
Join Date: Jun 2004 | Location: NV | Posts: 7 | OS: all of the above

HJT Log...from new subscriber

I've spent most of the day on this particular laptop and I think I've got most everything cleaned up on it. I just wanted to post the HJT log to see if there's anything else I need to get rid of.
Here's the log.....Thanks in advance for the help.

Logfile of HijackThis v1.97.7
Scan saved at 1:42:27 PM, on 6/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\NAgent\NSCAGENT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\documents and settings\sangle\local settings\temp\q6.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\NDrv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\WINNT\System32\leprno.exe
C:\Documents and Settings\sangle\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINNT\System32\NDrv.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [Windows Service] winsvc.exe
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [q6.exe] C:\documents and settings\sangle\local settings\temp\q6.exe
O4 - HKLM\..\Run: [pq4U36X] itihela2.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [leprno] C:\WINNT\System32\leprno.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Y9v8RWbpg] ivgrint.exe
O4 - HKCU\..\Run: [NDrv] C:\WINNT\System32\NDrv.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...608.4895486111
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\Software\..\Telephony: DomainName = lcb.state.nv.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lcb.state.nv.us

Any and all help is greatly appreciated....Thanks

06-30-2004, 03:06 PM   #2 (permalink)
Lobos (Troubled)
Join Date: Apr 2004 | Location: California | Posts: 943 | OS: Windows XP

Hi whosulator

It still looks like you have some things to get rid of, but do this first to see if the AV scans can clean some of this up.

Run an online antivirus check from at least one and preferably 2 of the following sites. Select autoclean. Click below:

Housecall
Panda scan
RAV


Lobos

07-01-2004, 09:22 AM   #3 (permalink)
whosulator (Registered User)
Join Date: Jun 2004 | Location: NV | Posts: 7 | OS: all of the above

Following instructions

Hi Lobos...I'm running (I think) Housecall virus scan right now on the laptop and it's been running for over an hour and not showing any progress? It just says it's 'Scanning System Files' and shows '0' for Total Scanned and Infected Files. Is this the way it's supposed to work or should I can it and try one of the other scans you suggested....
Thanks...Whosulator

Sorry Lobos...my bad. There was a window that popped under the main IE window re: cleaning an msblast.worm that I had to click 'ok' on to continue the scan. The scan is running fine. I'll post another HJT log when the scans are done...

Thanks again...
Whosulator

Last edited by whosulator : 07-01-2004 at 09:22 AM.

07-01-2004, 02:55 PM   #4 (permalink)
whosulator (Registered User)
Join Date: Jun 2004 | Location: NV | Posts: 7 | OS: all of the above

Another HJT log after scans

Ok Lobos...here's the log after the scans (which I had trouble getting through)...anyway, let me know what to get rid of.

Logfile of HijackThis v1.97.7
Scan saved at 2:47:23 PM, on 7/1/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\NAgent\NSCAGENT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
C:\documents and settings\sangle\local settings\temp\q6.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\System32\dvdupgrd.exe
C:\WINNT\System32\bdhela3k.exe
C:\Documents and Settings\sangle\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [Windows Service] winsvc.exe
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [q6.exe] C:\documents and settings\sangle\local settings\temp\q6.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pq4U36X] ilsetup.exe
O4 - HKLM\..\Run: [bdhela3k] C:\WINNT\System32\bdhela3k.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...608.4895486111
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\Software\..\Telephony: DomainName = lcb.state.nv.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lcb.state.nv.us

Did it get any better??

07-01-2004, 10:37 PM   #5 (permalink)
Lobos (Troubled)
Join Date: Apr 2004 | Location: California | Posts: 943 | OS: Windows XP

ok more cleaning

Run HijackThis, put a check next to these, close all browsers and hit Fix.

Make sure not to miss one

R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll

O4 - HKLM\..\Run: [Windows Service] winsvc.exe

O4 - HKLM\..\Run: [q6.exe] C:\documents and settings\sangle\local settings\temp\q6.exe

O4 - HKLM\..\Run: [pq4U36X] ilsetup.exe
O4 - HKLM\..\Run: [bdhela3k] C:\WINNT\System32\bdhela3k.exe
O4 - HKLM\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\RunOnce: [TV Media] C:\Program Files\TV Media\Tvm.exe


-----------------------------------------------------------------------------------------------------------------------------------

To enable the viewing of Hidden files follow these steps:

How to see Hidden files and Folders

reboot into safe mode

How to boot into safe mode

delete

this file

C:\WINNT\System32\bdhela3k.exe

these folders

C:\Program Files\SEP
C:\Program Files\TV Media
-------------------------------------------------------

Then go to C:\Documents and Settings\USER NAME\Local Settings\Temp, select everything in that folder and delete it.

As XP will not let you delete files less than 24 hours old, as it thinks it might need them, please also do this:
While in the Temp folder, select View and select Details.
Then right-click a blank part, select Arrange Icons By, and select Show in Groups and Modified; that will give a list of all files in date order with today at the top of the page.
Select all the files/folders except today's ones and delete them all.

1) Open Control Panel
2) Click on Internet Options
3) On the General Tab, in the middle of the screen, click on Delete Files
4) You may also want to check the box "Delete all offline content"
5) Click on OK and wait for the hourglass icon to stop after it deletes the temporary internet files
6) You can now click on Delete Cookies and click OK to delete cookies that websites have placed on your hard drive

Empty your recycle bin.

Come back and post a fresh log and tell me how your computer's running.

Lobos

07-02-2004, 09:19 AM   #6 (permalink)
whosulator (Registered User)
Join Date: Jun 2004 | Location: NV | Posts: 7 | OS: all of the above

one more time....

Ok Lobos...Here's another HJT log after the fix...

Logfile of HijackThis v1.97.7
Scan saved at 8:41:00 AM, on 7/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\NAgent\NSCAGENT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINNT\System32\dvdupgrd.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\Documents and Settings\sangle\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...608.4895486111
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\Software\..\Telephony: DomainName = lcb.state.nv.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lcb.state.nv.us

I'm also getting the 'Windows XP - Help and Support' browser window with 'Cannot display the page' and 'The page you are trying to view has an incorrect address and can not be displayed. Please try another page' after every boot or reboot (have been since before I first posted) and am not sure if it's related or not, thought I'd ask....I attached a .gif showing the window

I also went into 'Add/Remove' programs just to see what was in there and I saw quite a few programs that weren't there before I started this process. Here's the list...
Context Display
IE Host
Look Smart Search
Lycos Search
Max Speed
midDAdle
PGate Basic
RON Display
SEP
URL Display

How did this stuff get there? None of it was there before??

Other than that the laptop seems to be running fine, haven't gone into IE yet, afraid at this point that I might make things worse.

Thanks so much for your help so far on this...
Whosulator
Attached Images
File Type: gif untitled.gif (12.4 KB, 19 views)

Last edited by whosulator : 07-02-2004 at 09:21 AM.

07-02-2004, 10:03 AM   #7 (permalink)
greyknight17 (Analyst, Security Team)
Join Date: Jul 2004 | Location: New York | Posts: 14,252 | OS: Windows 98 & Windows XP Home/Pro

Do an online virus scan at TrendMicro or RAV Antivirus.

Check and fix the following:

R3 - URLSearchHook: (no name) - {707E6F76-9FFB-4920-A976-EA101271BC25} - C:\Program Files\TV Media\TvmBho.dll (file missing)
O2 - BHO: WinPage Affiliate - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Program Files\Common Files\midaddle\midaddle.dll
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe

Reboot into Safe Mode (hit F8 key until menu shows up). Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Do a search for the following and delete them if they exist:

C:\Program Files\TV Media\ -- delete entire folder
C:\Program Files\Common Files\midaddle\ -- delete entire folder

Reboot and post a new HJT log file.

Could you remove those entries in the Add/Remove Programs list? If not, a free registry cleaner should be able to remove those entries. Just do a search on Google for free registry cleaner.

07-02-2004, 10:16 AM   #8 (permalink)
whosulator (Registered User)
Join Date: Jun 2004 | Location: NV | Posts: 7 | OS: all of the above

Hello greyknight17....

Thanks for the response...I'm just about ready to run the 'Housecall' scan but was wondering, I didn't attempt to uninstall any of those items in Add/Remove programs, so do I do that before running the scan and doing the HJT fix?

thanks....Whosulator

07-02-2004, 10:22 AM   #9 (permalink)
greyknight17 (Analyst, Security Team)
Join Date: Jul 2004 | Location: New York | Posts: 14,252 | OS: Windows 98 & Windows XP Home/Pro

Which programs are we talking about here? The ones you said are listed in your Add/Remove or the TV Media one? For either one, it's probably best to use HJT to remove them. It should be removing both the program itself and the associated registry file entries. So you may continue using HJT to fix it. You should only uninstall them first if told to do so.

07-02-2004, 01:23 PM   #10 (permalink)
whosulator (Registered User)
Join Date: Jun 2004 | Location: NV | Posts: 7 | OS: all of the above

I think we've got it now....

Thanks to Lobos and Greyknight17 I think she's all cleaned up...
Here's the last HJT log....
I'm still getting that XP Help & Support window though, any ideas why and how to get rid of it??

Logfile of HijackThis v1.97.7
Scan saved at 1:18:25 PM, on 7/2/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\NAgent\NSCAGENT.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\ZipToA.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\tp4mon.exe
C:\WINNT\System32\ltmsg.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\progra~1\scansoft\paperp~1\pptd40nt.exe
C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program files\ThinkPad\Utilities\tponscr.exe
C:\Documents and Settings\sangle\Desktop\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [TpHotkey] C:\PROGRA~1\ThinkPad\UTILIT~1\tphkmgr.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\BRMFLPRO\SetDefPrt.exe
O4 - HKLM\..\Run: [DVDUpgrade] DVDUpgrd.exe /async
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...608.4895486111
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\Software\..\Telephony: DomainName = lcb.state.nv.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = lcb.state.nv.us
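
Added example (not part of the original thread or of HijackThis itself): the thread compares successive HijackThis logs by eye, and this Python sketch does the same comparison mechanically, listing entries that appeared or disappeared between two scans and autorun values whose name stayed the same while the target changed. The two sample logs are shortened excerpts of the 6/30 and 7/1 logs posted above; the function names are hypothetical.

```python
import re

# A HijackThis item line is "<section code> - <details>",
# e.g. "O4 - HKLM\..\Run: [name] command". Header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry autoruns: abbreviated key, value name in brackets, then the command.
RUN_RE = re.compile(
    r"^(?P<key>HK(?:LM|CU)\\\.\.\\Run(?:Once)?): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)

# Shortened excerpts of the logs posted in the thread (sample input for the example).
LOG_0630 = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: (no name) - {1B7D753B-1981-4bd2-91F3-6D055EE113A0} - C:\WINNT\System32\NDrv.dll
O4 - HKLM\..\Run: [Windows Service] winsvc.exe
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [pq4U36X] itihela2.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [leprno] C:\WINNT\System32\leprno.exe
"""

LOG_0701 = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll
O4 - HKLM\..\Run: [Windows Service] winsvc.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\vptray.exe
O4 - HKLM\..\Run: [Dsi] C:\WINNT\System32\dp-him.exe
O4 - HKLM\..\Run: [pq4U36X] ilsetup.exe
O4 - HKLM\..\Run: [bdhela3k] C:\WINNT\System32\bdhela3k.exe
"""


def parse_entries(log_text):
    """Return the set of (section code, details) item lines in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries


def diff_logs(before, after):
    """Entries present in only one of the two logs, sorted for stable output."""
    a, b = parse_entries(before), parse_entries(after)
    return {"removed": sorted(a - b), "added": sorted(b - a)}


def run_values(log_text):
    """Map (registry key, value name) -> command for O4 Run/RunOnce entries."""
    out = {}
    for code, body in parse_entries(log_text):
        m = RUN_RE.match(body) if code == "O4" else None
        if m:
            out[(m.group("key"), m.group("name"))] = m.group("cmd")
    return out


def changed_run_targets(before, after):
    """Autorun values that kept their name but point at a different command."""
    a, b = run_values(before), run_values(after)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}


if __name__ == "__main__":
    result = diff_logs(LOG_0630, LOG_0701)
    for kind in ("removed", "added"):
        for code, body in result[kind]:
            print(f"{kind:8} {code} - {body}")
    for (key, name), (old, new) in changed_run_targets(LOG_0630, LOG_0701).items():
        print(f"changed  {key}: [{name}] {old} -> {new}")
```

Entries reported as added after a cleanup pass, and autorun values whose target changes between scans, are the ones to review first before the next fix.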