okay, downloaded spy sweeper and here's the logfile:
********
5:46 PM: | Start of Session, Friday, May 26, 2006 |
5:46 PM: Spy Sweeper started
5:46 PM: Sweep initiated using definitions version 686
5:46 PM: Starting Memory Sweep
5:53 PM: Memory Sweep Complete, Elapsed Time: 00:06:34
5:53 PM: Starting Registry Sweep
5:53 PM: Found Adware: zenosearchassistant
5:53 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\ (2 subtraces) (ID = 147930)
5:53 PM: Found Adware: navexcel navhelper
5:53 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 169512)
5:54 PM: Found Adware: command
5:54 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
5:54 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1008\software\navexcel ltd\ (14 subtraces) (ID = 135548)
5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1006\software\navexcel ltd\ (14 subtraces) (ID = 135548)
5:54 PM: HKU\S-1-5-21-1532886375-166745521-1182671931-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
5:54 PM: Found Adware: lopdotcom
5:54 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || usrr (ID = 131890)
5:54 PM: Registry Sweep Complete, Elapsed Time:00:01:17
5:54 PM: Starting Cookie Sweep
5:54 PM: Found Spy Cookie: hbmediapro cookie
5:54 PM: teik lim@adopt.hbmediapro[2].txt (ID = 2768)
5:54 PM: Found Spy Cookie: uproar cookie
5:54 PM: teik lim@ads.uproar[2].txt (ID = 3613)
5:54 PM: Found Spy Cookie: atlas dmt cookie
5:54 PM: teik lim@atdmt[1].txt (ID = 2253)
5:54 PM: Found Spy Cookie: belnk cookie
5:54 PM: teik lim@belnk[1].txt (ID = 2292)
5:54 PM: teik lim@dist.belnk[2].txt (ID = 2293)
5:54 PM: Found Spy Cookie: trafficmp cookie
5:54 PM: teik lim@trafficmp[2].txt (ID = 3581)
5:54 PM: Found Spy Cookie: adserver cookie
5:54 PM: teik lim@z1.adserver[1].txt (ID = 2142)
5:54 PM: tiffany lim@atdmt[2].txt (ID = 2253)
5:54 PM: Found Spy Cookie: fastclick cookie
5:54 PM: tiffany lim@fastclick[2].txt (ID = 2651)
5:54 PM: Found Spy Cookie: mediaplex cookie
5:54 PM: tiffany lim@mediaplex[1].txt (ID = 6442)
5:54 PM: Found Spy Cookie: yieldmanager cookie
5:54 PM: system@ad.yieldmanager[2].txt (ID = 3751)
5:54 PM: system@atdmt[2].txt (ID = 2253)
5:54 PM: Found Spy Cookie: findwhat cookie
5:54 PM: system@findwhat[1].txt (ID = 2674)
5:54 PM: Found Spy Cookie: top-banners cookie
5:54 PM: system@media.top-banners[1].txt (ID = 3548)
5:54 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
5:54 PM: Starting File Sweep
5:55 PM: Found Adware: dollarrevenue
5:55 PM: a0092602.exe (ID = 298760)
5:55 PM: dc27.exe (ID = 298754)
5:55 PM: dc31.exe (ID = 298760)
5:56 PM: a0090866.exe (ID = 298760)
5:56 PM: a0092527.exe (ID = 298760)
5:56 PM: Found Adware: targetsaver
5:56 PM: a0090882.exe (ID = 193501)
5:56 PM: a0092600.exe (ID = 298756)
5:56 PM: a0092598.exe (ID = 185985)
5:56 PM: 00369738.exe (ID = 231443)
5:56 PM: Found Adware: surfsidekick
5:56 PM: a0090879.exe (ID = 297346)
5:57 PM: a0090758.exe (ID = 298754)
5:57 PM: 00369993.exe (ID = 298754)
5:57 PM: Found Adware: zquest
5:57 PM: a0090754.exe (ID = 290920)
5:57 PM: a0090880.dll (ID = 297347)
5:57 PM: a0090872.exe (ID = 195128)
5:57 PM: dc22.exe (ID = 293)
5:58 PM: a0090750.exe (ID = 215896)
5:58 PM: dc28.exe (ID = 298760)
5:58 PM: dc33.exe (ID = 298757)
5:59 PM: a0090868.exe (ID = 298757)
6:00 PM: 00369701.exe (ID = 298758)
6:01 PM: Found Adware: look2me
6:01 PM: a0092643.exe (ID = 65739)
6:02 PM: dc37.exe (ID = 298754)
6:02 PM: a0090749.exe (ID = 298758)
6:02 PM: a0090761.exe (ID = 298757)
6:02 PM: a0090869.exe (ID = 185985)
6:02 PM: a0092593.vbs (ID = 231442)
6:02 PM: a0090867.exe (ID = 293)
6:02 PM: a0090873.dll (ID = 195129)
6:03 PM: a0090747.exe (ID = 298754)
6:09 PM: a0091754.exe (ID = 185985)
6:09 PM: a0092599.exe (ID = 185985)
6:09 PM: a0090883.exe (ID = 290920)
6:09 PM: 00369698.exe (ID = 298757)
6:09 PM: a0090885.exe (ID = 293)
6:09 PM: a0092511.exe (ID = 65739)
6:10 PM: 32408_icont.exe.bak (ID = 65739)
6:10 PM: 32382_command.exe.bak (ID = 144946)
6:10 PM: 00369759.exe (ID = 185985)
6:10 PM: a0092585.exe (ID = 298757)
6:10 PM: a0092586.exe (ID = 298758)
6:10 PM: a0090756.exe (ID = 293)
6:11 PM: a0090759.exe (ID = 298760)
6:11 PM: a0090763.exe (ID = 185985)
6:22 PM: class-barrel (ID = 78229)
6:23 PM: asappsrv.dll (ID = 144945)
6:23 PM: 00369767.exe (ID = 298760)
6:23 PM: vocabulary (ID = 78283)
6:25 PM: a0092568.exe (ID = 65722)
6:31 PM: drsmartload[1].exe (ID = 298760)
6:31 PM: dc50.exe (ID = 298760)
6:34 PM: a0090752.exe (ID = 193995)
6:38 PM: Found Adware: purityscan
6:38 PM: ati2evxx.exe (ID = 296574)
6:38 PM: 00367789.dll (ID = 159)
6:38 PM: a0090877.exe (ID = 215896)
6:38 PM: drsmartload45a.exe (ID = 298783)
6:39 PM: a0092614.dll (ID = 159)
6:39 PM: defender22[1].exe (ID = 298754)
6:39 PM: drsmartload46a.exe (ID = 298784)
6:40 PM: a0092641.exe (ID = 144946)
6:41 PM: a0090884.exe (ID = 168558)
6:46 PM: 00369764.exe (ID = 298756)
6:46 PM: a0090874.exe (ID = 195130)
6:50 PM: mte3ndi6odoxng[1].exe (ID = 185985)
6:51 PM: dc53.exe (ID = 185985)
6:52 PM: 00369173.dll (ID = 159)
6:53 PM: newname22[1].exe (ID = 298758)
6:53 PM: a0090881.exe (ID = 193995)
6:53 PM: dc54.exe (ID = 298758)
6:53 PM: dc56.exe (ID = 298754)
6:54 PM: a0090875.exe (ID = 195131)
6:55 PM: keyboard22[1].exe (ID = 298757)
6:55 PM: a0090876.exe (ID = 195132)
6:58 PM: 00369914.dll (ID = 163672)
7:00 PM: a0092615.dll (ID = 163672)
7:01 PM: dc60.exe (ID = 298760)
7:08 PM: installer[1].exe (ID = 168558)
7:09 PM: dc55.exe (ID = 168558)
7:27 PM: drsmartload45a[1].exe (ID = 298783)
7:27 PM: dc34.exe (ID = 185985)
7:27 PM: dc29.exe (ID = 298757)
7:27 PM: dc57.exe (ID = 298783)
7:27 PM: 00369889.dll (ID = 159)
7:29 PM: 00369695.dll (ID = 166754)
7:29 PM: 00369915.dll (ID = 163672)
7:30 PM: a0092613.dll (ID = 163672)
7:30 PM: 00369391.dll (ID = 159)
7:31 PM: a0092616.dll (ID = 159)
7:31 PM: 00369258.dll (ID = 159)
7:31 PM: a0090865.exe (ID = 296030)
7:32 PM: 00369260.dll (ID = 159)
7:33 PM: 00369912.dll (ID = 159)
7:35 PM: 00369606.dll (ID = 159)
7:35 PM: 00369913.dll (ID = 163672)
7:36 PM: dc36.exe (ID = 168558)
7:36 PM: 00369916.dll (ID = 163672)
7:36 PM: drsmartload46a[1].exe (ID = 298784)
7:36 PM: dc58.exe (ID = 298784)
7:36 PM: dc52.exe (ID = 298757)
7:36 PM: 00369792.dll (ID = 297348)
7:36 PM: a0092584.dll (ID = 166754)
7:36 PM: 00369692.__t (ID = 166754)
7:36 PM: drsmartload44a[1].exe (ID = 298756)
7:36 PM: dc35.exe (ID = 298758)
7:36 PM: dc51.exe (ID = 298756)
7:37 PM: dc45.dll (ID = 166754)
7:37 PM: 00369917.dll (ID = 159)
7:37 PM: warebundle.exe (ID = 168558)
7:37 PM: 00367689.dll (ID = 159)
7:37 PM: dc44._ (ID = 166754)
7:37 PM: dc40.exe (ID = 298783)
7:37 PM: dc41.exe (ID = 298784)
7:37 PM: dc32.exe (ID = 298756)
7:47 PM: oal5xaprkhprkhudvk.vbs (ID = 185675)
7:47 PM: dc48.cfg (ID = 91140)
7:47 PM: Warning: Unhandled Archive Type
7:48 PM: Warning: Unhandled Archive Type
7:57 PM: File Sweep Complete, Elapsed Time: 02:02:30
7:57 PM: Full Sweep has completed. Elapsed time 02:10:50
7:57 PM: Traces Found: 183
12:11 AM: Removal process initiated
12:12 AM: Quarantining All Traces: look2me
12:12 AM: Quarantining All Traces: lopdotcom
12:12 AM: Quarantining All Traces: purityscan
12:12 AM: Quarantining All Traces: dollarrevenue
12:12 AM: Quarantining All Traces: surfsidekick
12:12 AM: Quarantining All Traces: zquest
12:12 AM: Quarantining All Traces: command
12:13 AM: Quarantining All Traces: navexcel navhelper
12:13 AM: Quarantining All Traces: targetsaver
12:13 AM: Quarantining All Traces: zenosearchassistant
12:13 AM: Quarantining All Traces: adserver cookie
12:13 AM: Quarantining All Traces: atlas dmt cookie
12:13 AM: Quarantining All Traces: belnk cookie
12:13 AM: Quarantining All Traces: fastclick cookie
12:13 AM: Quarantining All Traces: findwhat cookie
12:13 AM: Quarantining All Traces: hbmediapro cookie
12:13 AM: Quarantining All Traces: mediaplex cookie
12:13 AM: Quarantining All Traces: top-banners cookie
12:13 AM: Quarantining All Traces: trafficmp cookie
12:13 AM: Quarantining All Traces: uproar cookie
12:13 AM: Quarantining All Traces: yieldmanager cookie
12:13 AM: Removal process completed. Elapsed time 00:02:04
********
5:44 PM: | Start of Session, Friday, May 26, 2006 |
5:44 PM: Spy Sweeper started
5:45 PM: Your spyware definitions have been updated.
5:46 PM: | End of Session, Friday, May 26, 2006 |
And here's the HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 12:16:21 AM, on 5/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\BigFix\BigFix.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Documents and Settings\Steven K. Lim\Desktop\hijackthis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
thanks for the extended help. are there any more problems? =( my computer hasn't been acting strangely but it seems that the spy sweeper caught a lot of spyware/adware with my computer.
by the way, dvk01, i don't understand what you want me to upload to that forum? if you could explain that better, that'd be great.
thanks again :-) btw. just a quick question... how can you look at the logfile and know what's good and what's bad?