need help with hijack log, thank you.

 
 
paulaj
 
Reply Thu 16 Dec, 2004 08:42 pm
I believe I have a script running at startup, seeing how I keep having the same objects appear in Ad-Aware after I delete them and after I reboot. It says I have 40 objects IEHIJACK.

Could someone please read my log file?
thank you for any help...


Logfile of HijackThis v1.99.0
Scan saved at 9:14:24 PM, on 12/16/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\paula1\Start Menu\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Able2Know.com ToolBar - {EC52BEDA-CCF3-45E1-AFFD-03618DB9F10A} - C:\Program Files\Able2Know\able2know.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

 
Don77
 
  1  
Reply Fri 17 Dec, 2004 05:21 am
Hi paulaj neighbor :D


Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked":
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe

Next, reboot to safe mode (by tapping the F8 key on startup). Make sure you can view all hidden files/folders, then search for and delete the above files highlighted in BOLD:

C:\Program Files\Windows ControlAd\WinCtlAd.exe <Delete Folder

Restart your computer and post back a fresh log, please.
0 Replies
 
paulaj
 
  1  
Reply Fri 17 Dec, 2004 08:34 am
Logfile of HijackThis v1.99.0
Scan saved at 9:28:50 AM, on 12/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Documents and Settings\paula1\Start Menu\Programs\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ToolHelper - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\ABLE2K~1\tbu15\ABLE2K~1.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Able2Know.com ToolBar - {EC52BEDA-CCF3-45E1-AFFD-03618DB9F10A} - C:\Program Files\Able2Know\tbu15\able2know.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
0 Replies
 
Don77
 
  1  
Reply Fri 17 Dec, 2004 12:04 pm
Looks clean now, any further problems?
0 Replies
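
The before/after comparison behind "post back a fresh log", as an added example that is not part of the original thread: a Python diff of two HijackThis scans, keyed on CLSID or Run-entry name so that a moved file shows up as changed rather than as a removal plus an addition. The function names and the keying rule are assumptions of this example; the sample lines are excerpts of the two logs posted above.

```python
import re

ENTRY = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - (.+)$")  # section code, then body
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")             # e.g. BHO / toolbar class id
RUN_NAME = re.compile(r"^.*?\[.+?\]")                   # e.g. HKLM\..\Run: [NAV Agent]

def parse(log_text):
    """Map a stable identity for each entry to its full line (assumed keying rule)."""
    entries = {}
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, blank line, or a running-process path
        section, body = m.groups()
        ident = CLSID.search(body) or (RUN_NAME.match(body) if section == "O4" else None)
        key = (section, (ident.group(0) if ident else body).lower())
        entries[key] = raw.strip()
    return entries

def diff_logs(before, after):
    """Return (removed, added, changed) entry lines between two scans."""
    b, a = parse(before), parse(after)
    removed = sorted(b[k] for k in b.keys() - a.keys())
    added = sorted(a[k] for k in a.keys() - b.keys())
    changed = sorted(a[k] for k in a.keys() & b.keys() if a[k].lower() != b[k].lower())
    return removed, added, changed

# Excerpts of the two logs posted in this thread, trimmed to a few lines each.
BEFORE = r"""Running processes:
C:\WINNT\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Able2Know.com ToolBar - {EC52BEDA-CCF3-45E1-AFFD-03618DB9F10A} - C:\Program Files\Able2Know\able2know.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Windows ControlAd] C:\Program Files\Windows ControlAd\WinCtlAd.exe
"""
AFTER = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: ToolHelper - {BBBE1C1A-89F7-4AF6-ABD1-F8FBCFA47408} - C:\PROGRA~1\ABLE2K~1\tbu15\ABLE2K~1.DLL
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Able2Know.com ToolBar - {EC52BEDA-CCF3-45E1-AFFD-03618DB9F10A} - C:\Program Files\Able2Know\tbu15\able2know.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
"""

if __name__ == "__main__":
    for label, lines in zip(("REMOVED", "ADDED", "CHANGED"), diff_logs(BEFORE, AFTER)):
        for line in lines:
            print(f"{label:8}{line}")
```

On these excerpts the `Windows ControlAd` Run entry is reported as removed, the `ToolHelper` BHO and the `SSC_UserPrompt` Run entry as added, and the Able2Know toolbar as changed. Entries that first appear in a post-cleanup log deserve the same review as the original ones.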
 
paulaj
 
  1  
Reply Fri 17 Dec, 2004 01:02 pm
Don77

You're the best! It purrs like a kitten :-) I'm so happy <is now dancing like a Russian, you know the one, arms crossed in front, bent knees, kicking one leg out at a time>

My brother cleaned my computer up somewhat but he wasn't sure which file was corrupt.

Do you work in the computer field?
0 Replies
 
cjhsa
 
  1  
Reply Fri 17 Dec, 2004 01:30 pm
Don, I'm curious, how do you know which HJT entries are problematic and which ones are not? Are you working from a list or just personal knowledge?
0 Replies
 
paulaj
 
  1  
Reply Fri 17 Dec, 2004 01:49 pm
Hey cjhsa, why didn't you help me, Mr. Systems Administrator?

My ex-husband just received his bachelor's degree in computer science yesterday. I think he will be in a similar field as you. I described what you wrote in your profile and he chuckled and said "that sounds familiar".
He taught himself how to program within a year of the internet becoming public and made a Star Wars game long before you could buy them. I was a computer widow when I was married to him.

He's thinking about moving to CA. now.
0 Replies
 
kickycan
 
  1  
Reply Fri 17 Dec, 2004 01:51 pm
I have a Mac. What the hell is all this hijack crap about anyway? I have never seen such garbage on my computer. PCs...How quaint.
0 Replies
 
paulaj
 
  1  
Reply Fri 17 Dec, 2004 01:54 pm
Kicky
My brother found all of that crap. My puter has been running so slow for 3 weeks now it was taking minutes to go from page to page here.
I feel free as a bird now..........weeeeeeeeeee! <slides across floor with arms extended....oops! slips and falls>
0 Replies
 
Don77
 
  1  
Reply Fri 17 Dec, 2004 02:35 pm
That's great, Paula.

Quote:
Don, I'm curious, how do you know which HJT entries are problematic and which ones are not? Are you working from a list or just personal knowledge?


Both, in a way. Been doing HJT logs in a few different forums for almost a couple of years now. Some you know right off the bat, some you have to research a bit.
Have got some really great help in learning them from various forums.
But as you know, these things change by the day, so you have to be careful.
0 Replies
 
cjhsa
 
  1  
Reply Fri 17 Dec, 2004 02:36 pm
Paula, I do Unix stuff, but I also use PCs both at work and home. I'm learning about Spyware/Malware/etc. Been fighting viruses for years so it's a natural extension. But I bow to Don.
0 Replies
 
Don77
 
  1  
Reply Fri 17 Dec, 2004 03:12 pm
I don't feel I'm worthy of a bow, I just try to do what I can.
0 Replies
 
paulaj
 
  1  
Reply Fri 17 Dec, 2004 07:01 pm
You have done well grasshopper, I owe you one :-)
0 Replies
 
Don77
 
  1  
Reply Fri 17 Dec, 2004 10:05 pm
Quote:
You have done well grasshopper, I owe you one


Just in time for X-Mas :lol:
0 Replies
 
paulaj
 
  1  
Reply Sat 18 Dec, 2004 08:01 am
What would grasshopper like?


My puter is not behaving this morning, I'm getting ugly!

It was fine yesterday and last night.

<lays on the floor and kicks>
0 Replies
 
cjhsa
 
  1  
Reply Sat 18 Dec, 2004 10:57 am
Paula, since you didn't post any info, let me suggest something. Run Spybot S&D, update with latest versions, and let it fix anything it finds. If it says it cannot remove something because it is in memory, let it start up at the next reboot. Reboot, log in and let it run.

If it comes up with a little window saying it is "creating a system restore point", but never comes back with a second window, hit "Ctrl-Alt-Del" and bring up Task Manager. In TM, select the Spybot process and then click "switch to". You should get a window saying "click OK to remove problems" or something like that. Click OK.

Now, let your session come up completely. Start Spybot S&D again, and run the immunizer. Immunize your system.

This should help.
0 Replies
 
mattyboy
 
  1  
Reply Mon 20 Dec, 2004 03:42 pm
winctlad
Hi, I was interested reading your removal of the winctlad, which is nestled in my PC as we speak. I checked the box which you instructed and tried to reboot my PC in safe mode by the F8 key; a lot of DOS text whizzed by, then it just froze up in the middle of rebooting. I tried again and the same. In the end I had to reboot in normal mode, which started up OK. Problem is, though, I can't delete the Windows ControlAd folder as it is running. What the hell do I do, cos I am in a catch-22 here!!! Hope you can help me please! :(
0 Replies
 
mattyboy
 
  1  
Reply Wed 22 Dec, 2004 03:39 am
Oops, ignore that last post. It did reboot in the end after 2 minutes and I managed to delete winctlad!!!
0 Replies
 
 
