Home Page Highjacked!

Yesterday I had new computer updates installed on my computer. Two of them before I went to work which looked ok. When I got home hubby says another one came in and he let it install (I have it set up to download, but NOT install until I look at it first). Since then we can't get our home page (Excite) to stay put (I know how to make it my home page). I get an ABOUT:BLANK in the address window and up top the title says SEARCH FOR...MSIE PROVIDED BY COMPAQ. I also can't get into several links in my favorites, let alone when I type then into the address bar. When I reboot my computer I get this message from NORTON: SCRIPT ALERT! OBJECT FILESYSTEM OBJECT ACTIVITY GET SPECIAL FOLDER FILE C:\DOCUMENTS\MS.WINDOWS.HTA. Norton is up-to-date on definitions. I ran Norton scan and it didn't find anything. I use WinXP's firewall and popup blocker. I ran AdAware. It found several things in registry and I just had it delete it all. I did a search here in the BBS on highjacks, but can't really find anything that pertains to my problem, unless I just didn't look hard enough. Do I HAVE to download HIGHJACK to fix this problem? I'm hoping there is a quick and easy solution for this. I'm not sure what other info to give you, but holler if you need anything else. Would like to fix this as soon as possible. I can't get into my favorite crossword puzzle site and will start having withdrawals soon!!!

Thanks in advance for any input.

 

Hi Panda,

Do I HAVE to download HIGHJACK to fix this problem?

Yes, sorry Don't forget to download it to a C:\ folder of it's own, not to the Desktop or a temp folder.

In the meantime, MS.WINDOWS.HTA rings a bell. That used to be a Windows security hole and haven't seen references to it in quite awhile.

Regards - Charles

 

Darn! OK. I downloaded it. Started a scan and THIS came up:

Now, here is the actual log:

So, now I hope someone can HELP ME!!!!

 

Hi Panda,

It's safe to fix all those R1 search/about blank page entries and also flush out your temp folders and the Internet cache and re-boot.

This BHO O2 - BHO: (no name) - {3E45E0D0-3730-4819-8C02-50910C260ECE} - C:\WINDOWS\system32\olgc.dll, can't find any references to it. One way to see what is/does maybe is to toggle it:

IE's tool Bar > Manage Add-ons and you can disable/re-enable add-ons from there.

Afterwards - post another log.

Regards - Charles

 

THANKS! Now comes the fun part. I have NO idea what I'm doing!!! How do I do that? The fix thingy? Do I run the program again and then click all the R1 lines to delete? {edit note: Yes, that's exactly what you do. Newt} I didn't really check out the program to see what it does. I just installed it, copied the log and pasted it here as instructed. I'm sorry, but you'll have to treat me like a 1st grader and walk me through it. I have a pretty good sence of programming and have played in the registry (with help from this BBS!) before, so I guess it can't be too hard.

Thanks, again, so much for your help. Just can't figure out how this happened since I keep all security programs up to date and this only happened AFTER I downloaded and installed the CRITICAL UPDATES that seemed so neccessary, even according to the news reports.

Patiently awaiting your instruction.....

 

In addition to charlesvar's advice.

O16 - DPF: {731918D2-517A-47E2-886A-3BC1380C591D} - http://webpdp.gator.com/v3/download...094_hd3ptdm.cab
O16 - DPF: {A031D222-B496-11D2-9CC8-00105A10AAF6} (WONWebLauncher Class) - http://www.flipside.com/cab/WONWebLauncherControl.cab
O18 - Filter: text/html - {D7BB8B89-78DC-4522-A5EC-D34B4A37C67C} - C:\WINDOWS\system32\olgc.dll
O18 - Filter: text/plain - {D7BB8B89-78DC-4522-A5EC-D34B4A37C67C} - C:\WINDOWS\system32\olgc.dll

 

Hi

Do you still have MS.WINDOWS.HTA ? in the recylebin perhaps, if so take it out for a second, rightclick on it > open with > choose a text editor, such as notepad, Look for
example http:\\ -------path to bad exe, and copy that back here please

 

Hi Panda,

Just can't figure out how this happened since I keep all security programs up to date and this only happened AFTER I downloaded and installed the CRITICAL UPDATES that seemed so neccessary, even according to the news reports.

Probably thru the Browser. I notice you have entries in the trusted zone. There, the defualts should be looked at.

Aside from that, I disable ActiveX - period, and toggle it at need. ActiveX is the worst feature in IE, it's deadly.

Regards - Charles

 

Problem still there. I deleted all that was told me to delete. (thanks, Newt!) I cleaned the caches. I rebooted. When windows comes up I still get that VIRUS ALERT SCRIPT warning from Norton.

Did a search for MS.WINDOWS.HTA and couldn't find it. It's not in my recycle bin, either.

I understand about the ActiveX. I heard stuff over the years about that. Sigh. Guess I'll disable that, too.

Here is the new log:

Logfile of HijackThis v1.99.0
Scan saved at 9:35:15 AM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Schmaili 5.1\schmaili.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HIGHJACK\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {3E45E0D0-3730-4819-8C02-50910C260ECE} - C:\WINDOWS\system32\olgc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe "
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Schmaili] C:\Program Files\Schmaili 5.1\schmaili.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Microsoft Windows.hta
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: http://www.candystand.com
O15 - Trusted Zone: http://www.excite.com
O15 - Trusted Zone: http://www.farmerjack.com
O15 - Trusted Zone: http://www.gamesville.lycos.com
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Advisor - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

Did we miss something????????

 

With all broswers closed have hijackthis fix these items
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {3E45E0D0-3730-4819-8C02-50910C260ECE} - C:\WINDOWS\system32\olgc.dll
O4 - Global Startup: Microsoft Windows.hta
==============
If Nav alerts to the changes you might have to temporaraly disable it.

Reboot
Post a new log and one from Dllcompare
http://forums.subratam.org/index.php?showtopic=1725
Let us know of any problems

 

Yeehaw!!!

It worked!!! (jumping up and down at desk...) Guess it was that R0 no name or maybe the 04 Global Startup that did it. In any case, my home page is back, my links are working and now I can play my crossword puzzles!!

I disabled Norton before I did a reboot and that SCRIPT message didn't come up this time. Can someone explain that one to me?

Here is the newest log:

Logfile of HijackThis v1.99.0
Scan saved at 10:35:11 AM, on 1/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.exe
C:\Program Files\SETI@home\SETI@home.exe
C:\Program Files\Schmaili 5.1\schmaili.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HIGHJACK\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe "
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~2\CHKADMIN.EXE
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain
O4 - HKLM\..\RunOnce: [Compaq_RBA] C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe -z
O4 - HKCU\..\Run: [seticlient] C:\Program Files\SETI@home\SETI@home.exe -min
O4 - HKCU\..\Run: [Schmaili] C:\Program Files\Schmaili 5.1\schmaili.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409
O15 - Trusted Zone: http://www.candystand.com
O15 - Trusted Zone: http://www.excite.com
O15 - Trusted Zone: http://www.farmerjack.com
O15 - Trusted Zone: http://www.gamesville.lycos.com
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {01111E00-3E00-11D2-8470-0060089874ED} (Support.com SmartIssue) - http://support.charter.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://support.charter.com/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.substance.com/save/makeover.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {BA94245D-2AA0-4953-9D9F-B0EE4CC02C43} (Tilecity Control) - http://mirror.worldwinner.com/games/v40/tilecity/tilecity.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://www.streamingfaith.com/common/mbrowser/MINIBrowser.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://anu.popcap.com/games/popcaploader_v5.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Compaq Advisor - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: Compaq Local Alerter - Compaq Computer Corporation - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\cpqdmi.exe
O23 - Service: Compaq DMI Web Agent - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~2\CPQWEB~1\WebDmi.exe
O23 - Service: Content Monitoring Tool - Unknown - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Win32Sl - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

BTW, when I ran the new scan on highjack for the latest fixes I noticed that the 016's you told me to fix were gone, BUT all the rest of the stuff you told me to fix was back! So, I just refixed them and it looks like they are gone now. I almost clicked the IGNORE button, but figured maybe I shouldn't. That way I can see if they come back or not.

So, I guess I'm all set. THANKS SO MUCH for all the help from everyone who jumped in.

ACTIVEX....where do I go for that and how do I toggle it? Brain cramp here for a minute.....

 

Hi

Lets hope its gone. Im unsure but sometimes our protection program prevent us from fixing what we need to.

Would you please open C:\HIGHJACK\Backups, zip the contents or the whole backup folder and send it to us as an attachment, if you now how put a password on it, I want to get a look at that HTA file and the dll.
Send >This address<
You will probaly need to temporaraly disable norton to be able to handle the files.


How to surf the Internet more safely with Internet Explorer: http://www.windows-help.net/features/surf-safe.html

 

Thanks, Lonny. I just sent you that folder. Norton didn't fuss. I have bookmarked that SAFE SURFING site and will learn it! I really appreciate all your help.

 

Not an expert but shouldn't wild tangent be removed?

O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll ",cdaEngineMain

 

Good question. I was wondering the same thing. I've had this computer for a little over 2 years now and have never played with Tangent, even though I used to with the old computer because they have a really neat pinball game. I just don't have time to play games all day any more, so have just ignored this one. Could it be causing problems, too? I just don't understand why all this happened right after I downloaded and installed the latest critical updates from M$. Go figure.

 

Wild Tangent often causes an error dealing with Rundle. If you are getting it I would dump it. Actually, I would dump it any way.