IE6 slowed to a crawl

Post by madmurph » June 28th, 2005, 11:24 am

Greetings again -- IE under account Tomas will barely load; very, very slow. Ran AdAware, MS AntiSpyware, and SpyBot -- all clean. The other account on this computer works fine. HJT log att'd; please advise and thank you in advance. Cheers, MM

Logfile of HijackThis v1.99.1
Scan saved at 8:13:41 AM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\Network Associates\VirusScan\VsStat.exe
E:\Program Files\Network Associates\VirusScan\Vshwin32.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\Network Associates\VirusScan\Avconsol.exe
E:\Program Files\Network Associates\VirusScan\Webscanx.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\HighPoint\RAID Administrator\raid.exe
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\Program Files\Microsoft Office\Office10\msoffice.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\System32\wuauclt.exe
E:\Documents and Settings\Tomás\My Documents\Computers\SpyWare\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAID Administrator.lnk = E:\Program Files\HighPoint\RAID Administrator\raid.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3272610096
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\System32\xhaht.dll
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - E:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
madmurph
Regular Member
 
Posts: 95
Joined: March 23rd, 2005, 1:13 am
Location: SoCal

Post by askey127 » June 28th, 2005, 12:16 pm

Hi madmurph,
Welcome to the forum!

I'm checking your log. Be back shortly.

askey127
askey127
Admin/Teacher
 
Posts: 13903
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA

Post by askey127 » June 28th, 2005, 12:45 pm

madmurph,
Sign on to your machine as Tomas.
-----------------------------------------------------------
Set Your Computer to Show All Files
Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. In addition, if you have Windows XP, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
-----------------------------------------------------------
Disable Microsoft Anti-Spyware
- Open Microsoft AntiSpyware. Click on Tools, Settings.
- In the left pane, Click on Real-time Protection.
- Under Startup Options, Uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
- Under Real-time spyware threat protection, Uncheck Enable real-time spyware threat protection (recommended).
- After you uncheck these, Click on the Save button and close Microsoft AntiSpyware.
- Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
(Reverse this process after your malware removal is complete).
- Reboot your machine for the changes to take effect before running HJT.
-----------------------------------------------------------
Download the Pocket Killbox from http://forum.malwareremoval.com/viewtopic.php?t=320 and see the instructions as well.
-----------------------------------------------------------
Download and install CCleaner from here.
Don't run CCleaner yet.
-----------------------------------------------------------
Download a-squared free from here. Install and update. Do Not Install Background Guard as it may interfere with our fix.
Run it to scan all your drives and fix whatever it finds.
Note any files it detects but cannot remove.
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entries:
(Some of these lines may be missing due to other actions)
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\System32\xhaht.dll
Make sure all other windows except HJT are closed, and Click Fix Checked.
-----------------------------------------------------------
Run CCleaner. Choose the Windows tab. Check everything EXCEPT be sure the Advanced part of the menu is all Unchecked. Choose Analyze. Let the Analyze portion finish. In heavily junk-laden older machines it could take up to 15 minutes. Then choose Run Cleaner. When cleaning is finished, click Exit.
-----------------------------------------------------------
Unregister dlls for removal.
Go to Start, Run OR Start, Programs, Accessories, Command Prompt. Enter each of the following lines in turn, followed by <Enter>.
regsvr32 /u E:\WINDOWS\System32\xhaht.dll
It's OK if not found, or 'errors' out. Note space between regsvr32 and /u, also space between /u and E:\Windows\S.......
-----------------------------------------------------------
Delete File(s) with Pocket Killbox
Start Killbox. Use standard file kill (default settings).
Copy this file path into the box:

E:\WINDOWS\System32\xhaht.dll

Click the red X that looks like a stop sign, wait until a success message appears.

Note: if a file cannot be deleted, check delete on reboot for that file.
When finished exit Killbox and restart your PC.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Do System Scan and Save a Log File. When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

askey127

Post by madmurph » June 29th, 2005, 12:57 pm

upon reboot, rec'd following errors at logon:
"file not found: E\Documents and settings\Tomas\Local settings\ab751b6e.exe"
Raid Administrator: failed to create empty document

and upon launching IE, a notification from a-squared regarding the file e:\Internet Explorer\iexplore.exe:

While executing the program a² detected a possible malicious behavior. The program tries to invisibly send data to the internet. If you are sure you want that program to continue its invisible datatransfers allow it. If you are unsure or you don't know that programm terminate it and send it in for further analysis.

ran a-squared again, it found E:\!Submit\xhat.dll, which I deleted. The folder is still there, but it is empty.

Before your instructions, I had done an XP Restore to a date a few days ago, when the Internet was known to be working. That restored my connection speeds. However, after following the cleaning instructions, it is now back to incredibly slow.

HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:45 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Network Associates\VirusScan\VsStat.exe
E:\Program Files\Network Associates\VirusScan\Vshwin32.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\Network Associates\VirusScan\Avconsol.exe
E:\Program Files\Network Associates\VirusScan\Webscanx.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\Support.com\bin\tgcmd.exe
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\a2\a2guard.exe
E:\Program Files\Microsoft Office\Office10\msoffice.exe
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\Tomás\My Documents\Computers\SpyWare\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "E:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "E:\Program Files\a2\a2guard.exe"
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAID Administrator.lnk = E:\Program Files\HighPoint\RAID Administrator\raid.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3272610096
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\System32\xhaht.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - E:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

Post by askey127 » June 29th, 2005, 6:44 pm

madmurph,
A couple things:
The !Submit folder is an inactive folder used to hold removed malware so it can be sent safely for virus/trojan/worm inspection.
Virus or trojan notices in that folder can be ignored.
We need to find out whether the file xhaht.dll still exists on your machine, or whether it is gone.
If you are set to see all files, use Windows Explorer (F3) or Start, Search and note if you show anything.

-----------------------------------------------------------
Disable A-Squared Guard
We didn't intend to install this feature. It may have prevented the HJT removal.
- Open a-squared
- Click on Configure Background-Guard
- Deselect Enable background guard on system startup
- Close window
- Close a-squared
(Reverse this process after your malware removal is complete).
-----------------------------------------------------------
Start Your Computer in Safe Mode.
-----------------------------------------------------------
Unregister the dll for removal. (If it's still there, otherwise skip)
Go to Start, Run OR Start, Programs, Accessories, Command Prompt. Enter each of the following lines in turn, followed by <Enter>.

regsvr32 /u E:\Windows\System32\xhaht.dll

Note if it 'errors' out.
-----------------------------------------------------------
File Deletion (Only if it's still there, otherwise skip).
In Windows Explorer, navigate to this file. Delete the file, if present:

E:\Windows\system32\xhaht.dll

If you have any problem deleting a file, right click the file and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
Note the name and location of any file you cannot delete.

If there were any files you found but could not delete, then please follow these additional instructions:
Download Pocket Killbox and unzip it; save it to your Desktop.
Run it, and click the radio button that says Delete a file on reboot. Paste the full path of each file to delete, and click the red circle with a white cross in it.
The program will ask you if you want to reboot; answer "Yes".

Let the system reboot into Safe Mode again.
-----------------------------------------------------------
Remove log item with HijackThis. Start HijackThis. If the opening screen shows, choose None of the above, just start the program.
Click Scan. When the Scan is complete, Check the following entry:
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\System32\xhaht.dll (file missing)
Make sure all other windows except HJT are closed, and Click Fix Checked.

Let me know what's going on and post another log.

If it's all still there, we need to take a different tack. Good if not.

askey127

Post by madmurph » June 29th, 2005, 9:07 pm

before disabling background guard, rec'd the same "malicious behavior" warning for the file: E:\Program Files\Broadjump\Client Foundation\CFD.exe

xhaht.dll file not found in file search or when running regsvr32

deleted O21 line without problem; HJT log as follows:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:46 PM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
E:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Network Associates\VirusScan\VsStat.exe
E:\Program Files\Network Associates\VirusScan\Vshwin32.exe
E:\WINDOWS\System32\MsPMSPSv.exe
E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
E:\Program Files\Network Associates\VirusScan\Webscanx.exe
E:\Program Files\Network Associates\VirusScan\Avconsol.exe
E:\WINDOWS\system32\userinit.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\Mixer.exe
E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
E:\Program Files\Support.com\bin\tgcmd.exe
E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\HighPoint\RAID Administrator\raid.exe
E:\Program Files\Sony Handheld\HOTSYNC.EXE
E:\Program Files\Microsoft Office\Office10\msoffice.exe
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Documents and Settings\Tomás\My Documents\Computers\SpyWare\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cox High Speed Internet
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [AdaptecDirectCD] E:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "E:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [MMTray] E:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: HotSync Manager.lnk = E:\Program Files\Sony Handheld\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RAID Administrator.lnk = E:\Program Files\HighPoint\RAID Administrator\raid.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O12 - Plugin for .pdf: E:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3272610096
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - E:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: McShield - Unknown owner - E:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe

Post by askey127 » June 29th, 2005, 10:15 pm

madmurph,

The CFD.exe program from BroadJump is probably getting flagged because it is designed to communicate with your ISP, probably independent of the browser. This is a behavior that security progs watch for.
You can uninstall it if you wish from the Control Panel, Add/Remove.
Read about it here:
http://castlecops.com/s420-CFD_exe.html
and here:
http://www.liutilities.com/products/wintaskspro/processlibrary/cfd/
and here:
http://www.auditmypc.com/process/cfd.asp

I don't see any issues specific to your log right now.
It looks like you have successfully removed the suspicious items.

How is it running? If there are additional issues that look like spyware, let me know.

askey127
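
The scan-to-scan comparison that this thread carries out by eye, as an added example (not part of any post here and not HijackThis's own code): it parses the entry lines of a HijackThis log, diffs two scans, and reports entries that HijackThis marked "(file missing)". The names `Entry`, `parse_entries` and `diff_logs` are assumptions of this example; the sample lines are excerpts of the three logs posted above.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str     # HijackThis section code, e.g. "R3", "O4", "O21"
    body: str     # entry text with any "(file missing)" marker stripped
    orphan: bool  # True when HijackThis flagged the target file as missing

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
MISSING = "(file missing)"

def parse_entries(log_text):
    """Return the R*/O* entry lines of a HijackThis log, skipping the header
    and the running-process list (those lines have no 'CODE - ' prefix)."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        body = m.group(2).strip()
        orphan = body.endswith(MISSING)
        if orphan:
            body = body[: -len(MISSING)].rstrip()
        entries.append(Entry(m.group(1), body, orphan))
    return entries

def diff_logs(before, after):
    """Compare two scans. Keys are lower-cased because Windows paths are
    case-insensitive (E:\\Windows vs E:\\WINDOWS is the same file)."""
    b = {(e.code, e.body.lower()): e for e in parse_entries(before)}
    a = {(e.code, e.body.lower()): e for e in parse_entries(after)}
    return {
        "removed": [e for k, e in b.items() if k not in a],
        "added": [e for k, e in a.items() if k not in b],
        # still registered, but the file it points to vanished since last scan
        "orphaned": [e for k, e in a.items()
                     if e.orphan and not (k in b and b[k].orphan)],
    }

# Excerpts of the three logs posted in this thread (not the full scans).
SCAN_JUN28 = r"""
Logfile of HijackThis v1.99.1
E:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\System32\xhaht.dll
"""
SCAN_JUN29_AM = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "E:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [a-squared] "E:\Program Files\a2\a2guard.exe"
O21 - SSODL: HWAqbliZanDCAZf - {ABCDEF13-0167-45B9-0AEE-43969F7CFA5B} - E:\WINDOWS\System32\xhaht.dll (file missing)
"""
SCAN_JUN29_PM = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [BJCFD] E:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "E:\Program Files\Support.com\bin\tgcmd.exe" /server
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
"""

if __name__ == "__main__":
    steps = (("Jun 28 -> Jun 29 AM", SCAN_JUN28, SCAN_JUN29_AM),
             ("Jun 29 AM -> Jun 29 PM", SCAN_JUN29_AM, SCAN_JUN29_PM))
    for label, old, new in steps:
        print(label)
        for kind, items in diff_logs(old, new).items():
            for e in items:
                print(f"  {kind:8} {e.code} - {e.body}")
```

An "orphaned" result corresponds to the second log in the thread: the DLL was gone from disk but its O21 registration remained until it was fixed in HijackThis.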

Post by madmurph » June 29th, 2005, 11:04 pm

No issues. Seems to be running well, now. Thanx as always for the service you provide. BTW, what malware program is associated with the xhaht.dll ? Upon response, please close this thread. Cheers, Madmurph

Post by askey127 » June 30th, 2005, 7:39 am

Don't know. It looks like one of the malware files with a randomly generated name. There was no other clue I could find to a known parasite. It is always possible that it was a leftover from some previous infection on the machine.

We can close this thread.

askey127

Post by ChrisRLG » July 24th, 2005, 6:45 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used.
If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK