HiJackThis Log for Analysis

Sooo, that AOL Poster whom I’ve been helping didn’t feel comfortable performing those Registry Steps indicated on that detailed procedure on that other thread on the avast! Home / Pro Forum. She did the Steps only up to # 8, but really has too much trepidation proceeding any further. Understandable … we all have our comfort zone.

Anyway, another Poster suggested she try running HiJackThis and let her see the Log for checking and analyzing. The Poster asked me if this was legit and should she do it. I told her HiJackThis was legit and to go ahead and do it … send a copy of the Log to that other Poster for her to analyze it. Then I added that she send ME a copy of the Log also so that I could have someone here at the avast! Forums check it out also. Can’t hurt for her to have a 2nd opinion.

Maybe one of you all here can find some Norton / Symantec Troublemakers … or ANY OTHER Processes in her Log that shouldn’t be there. Here is her Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:13:26 PM, on 8/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar BHO - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - C:\Documents and Settings\All Users\Application Data\AOL\ieToolbar\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip..{C709AE61-7140-4B76-ACB5-945C7F9E1970}: NameServer = 205.188.146.145
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


End of file - 7266 bytes

Hi Chim,

Check this one:
Unknown
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
Check this against virustotal

Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed!

She did not have the most recent service pack to protect her better, and another thing: why does she have no firewall installed? This is putting her at risk; install a free FW like ZA.

polonus

Hi Chim,

Please take Polonus’ advice above rather than mine as he is one of the experienced people on this forum.

However here is a website which evaluates the HijackThis logs and, although it’s in German, any red crosses or question marks could point to potential problems.

http://www.hijackthis.de

However I can only stress again please listen to gurus like Polonus rather than me. This was just for your information.

Perhaps Polonus can provide a better description or some advice regarding this website.

Good luck!

Avastfan1

So … this one BELOW had nothing to do with NAV 2005?

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

I thought maybe because it had, “Nav” in it, that it was Norton-related. But, what do I know about these things? ;D

Question: The one you want checked at VirusTotal … how would that work? How would it be uploaded being that it is a link instead of a File? You know … No File Path. Or can one Copy & Paste a URL into the VirusTotal Upload slot?

Anyway, that other AOL Poster who was also going to analyze the HJT Log, suggested these be Fixed:

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

Where you two were in agreement was on this one:

O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab

And it looks like both of your analyses also concurred that there were basically No Traces of Symantec / Norton … at least NOT in the Registry.

Bookmarked it. So you've never used it?
You've never witnessed its analysis' effectiveness vs. that of a HUMAN? ;D Maybe I'll check it at SiteAdvisor just to make sure.

Hi Chim,

The other fixes were for empty uninstalls (file missing) - you could fix them as they are not functional anymore.

polonus
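As an added example (not code from the thread, from HijackThis or from any of the posters), here is a small Python script that applies the two rules given in this thread mechanically: polonus' rule that O16 ActiveX objects from unknown sites, or whose name or URL contains 'dialer', 'casino' or 'free plugin', should be fixed, and his note that "(file missing)" / "(no file)" entries are orphaned uninstalls that can be fixed. The allowlist of known hosts is an assumption made for illustration (it only contains hosts that appear in the log above), and the sample lines are copied from that log.

```python
"""Triage helper for HijackThis log entries (added example; not part of the thread)."""
import re
from urllib.parse import urlsplit

# Assumed allowlist of hosts that serve legitimate ActiveX (O16) objects in the log above.
# Anything not listed is reported as "fix", following polonus' rule for unknown sites.
KNOWN_HOSTS = {
    "go.microsoft.com",
    "fpdownload2.macromedia.com",
    "housecall60.trendmicro.com",
    "housecall65.trendmicro.com",
}
# Words polonus says should always trigger a fix when found in an ActiveX name or URL.
BAD_WORDS = ("dialer", "casino", "free plugin")

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
DPF_RE = re.compile(r"\{([0-9A-Fa-f-]{36})\} \((.*?)\) - (.+)$")


def classify(line):
    """Classify one HJT line. Returns (section, verdict, reason), or None if the
    line is not an Oxx entry. verdict is 'fix', 'ok' or 'review'."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    # Orphaned BHOs/toolbars/buttons: the registry still points at a file that is gone.
    if "(file missing)" in body or "(no file)" in body:
        return section, "fix", "orphaned entry, file missing"
    if section != "O16":
        return section, "ok", "no rule for this section"
    d = DPF_RE.search(body)
    if not d:
        return section, "review", "unparseable O16 entry"
    _clsid, name, source = d.groups()
    haystack = f"{name} {source}".lower()
    for word in BAD_WORDS:
        if word in haystack:
            return section, "fix", f"name or URL contains '{word}'"
    if not source.lower().startswith(("http://", "https://")):
        return section, "review", "local ActiveX source, verify the file on disk"
    host = (urlsplit(source).hostname or "").lower()
    if host in KNOWN_HOSTS:
        return section, "ok", f"known host {host}"
    return section, "fix", f"unknown host {host}"


def triage(log_text):
    """Return [(line, verdict, reason)] for every entry that is not 'ok'."""
    findings = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is None:
            continue
        _section, verdict, reason = result
        if verdict != "ok":
            findings.append((line.strip(), verdict, reason))
    return findings


# Lines copied from the log posted above (plus one non-entry line).
SAMPLE_LOG = r"""Running processes:
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
"""

if __name__ == "__main__":
    for entry, verdict, reason in triage(SAMPLE_LOG):
        print(f"{verdict:6} {reason:45} {entry[:70]}")
```

Note that with this allowlist the akamai-hosted HouseCall control is also reported as "fix", because the script cannot know that a CDN host belongs to Trend Micro; that is exactly the "check if you know this site" judgement polonus asks for, so treat the output as a worklist for a human, not as a verdict.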

Chim
did you mean to put this in the Virus and Worms forum?
where is the link to the other post?

good luck
these absentee malware removals are tough

did you finish up the norton and avg removals- leave no turn unstoned

to help with active x problems have her install spywareblaster by Javacool- accept no substitutes
BVVC of look-alikes

Cool! :slight_smile: Then everyone’s on the same page. I’ll tell that lady to go ahead with the HJT Fixing part now.

Nnnnggg, actually I did mean to put this thread here in the General Topics Forum. But, now that you mention it, I guess it could have also fit in the Virus / Worms Forum. I just knew that after the fact … my NAV 2005 / AVG Trial Absolute Removal thread did NOT belong in the avast! Home / Pro Forum. I don’t know how I stuck it there in the first place.

But, anyway, yes, it IS tough getting rid of Malware with THREE Parties involved: The Party with the Infected Computer … the Party with the Know How for removing the Malware … and the Middle Man - ME. ;D Cuz I can't force the Computer Infected Party into performing any of the solutions which they don't feel comfortable performing. So, since that lady doesn't feel at ease nor confident in performing that extended, detailed manual Norton Removal Procedure in its entirety … Woooooo! I'm NOT sure where to go from here. I THINK I'm just going to tell her to run the Latest version of Norton Removal Tool AGAIN, even though she had already previously run "a" Norton Removal Tool … and hope for the Best.

The AVG Trial version … she IS leaning more and more towards uninstalling it because she’s gonna have to PAY after that’s expired. She did start now showing some interest in avast! I’ll remind her it’s FREE. And after all, she did mention that the people at the AVG Forum were NOT very helpful because they only deal with AVG issues. So, that should hopefully finish steering her away from AVG.

I just need to ask here again: HOW can that lady tell whether she has a 32-Bit Machine or a 64-Bit Machine? This since she’s gonna have to know that in order to use the correct AVG Uninstaller. She has Windows XP.

No need to remind her it is free, remind her where the help is coming from, try getting that on the AVG forums ;D

I strongly doubt she has a 64bit OS, that really requires a conscious decision to go for a 64bit OS. But the My Computer, View System Information, General tab would tell you that, see image, mine is 32bit and no mention but I think the 64bit version would say.

It is a 32 Bit machine, I'd almost bet money on that ;D

The lady said to relay a BIG Thanks to you all that helped. :slight_smile:
I don’t know if she ultimately ran the Norton Removal Tool again or not. But, the other AOL Poster helped her totally uninstall the 2 AOL versions she had in there. Then only ONE was reinstalled and that one seems to be working much better now.

I knew ultimately, those 2 AOLs HAD to be uninstalled sooner or later. It was obvious there was now just too much of a Chop Chop, Patched Up, Jerry-rigged, MacGyvered AOL Kluge situation that had materialized after a Dell Computer Rep had previously originally tried to help her for over an hour.