
Help! Trojan from AIM =(

Discussion in 'Virus & Other Malware Removal' started by limdawg, May 25, 2006.

  1. limdawg (Thread Starter), joined May 25, 2006, 3 messages

    Agh! I clicked on one of those "photos from 6th grade" links on AIM and ever since... I've been getting popups and my computer has been lagging. I noticed something like "defender22" on my C: drive and I tried deleting it, but once I access the internet, it just ends the explorer process, installs the trojan, and then starts explorer as if nothing happened. But it's really annoying and my computer's really, really slow now.

    If you guys could help me, that would be awesome. I've been freaking out the past couple of days and bleah.

    Here's the logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:46:34 PM, on 5/25/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\Program Files\Network Monitor\netmon.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\regsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\CyberDefender\AntiSpyware\cdas14b.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\Program Files\BigFix\BigFix.exe
    c:\defender22.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Steven K. Lim\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
    O4 - HKLM\..\Run: [newname] c:\\newname22.exe
    O4 - HKLM\..\Run: [defender] c:\\defender22.exe
    O4 - HKLM\..\Run: [keyboard] c:\\keyboard22.exe
    O4 - HKCU\..\Run: [CyberDefender AntiSpyware] "C:\Program Files\CyberDefender\AntiSpyware\cdas14b.exe"
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\jt4007hme.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Help? Thanks again. =) Respond back if you need more information.
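The log above contains the three things a malware-removal helper looks for first: an executable sitting in the root of C:, a service with no vendor string, and a Winlogon Notify DLL with a random-looking name. The folder name in the cmdService path, U3RldmVuIEsuIExpbQ, is plain base64 of the user name that appears elsewhere in the same log (C:\Documents and Settings\Steven K. Lim). The script below is an added editor's example, not a tool from the thread: it runs four such heuristics over a constructed sample copied from the posted log. The heuristic names and thresholds are the editor's own assumptions, chosen to shortlist lines for a human rather than to make removal decisions.

```python
"""Triage a HijackThis 1.99 log for the persistence patterns seen in this thread.

Added editor's example, not a tool from the thread. The sample lines are copied
from the first log posted above; the four heuristics and their labels are the
editor's own assumptions and are meant to shortlist lines for a human, not to
decide on their own.
"""
import base64
import re

# Constructed sample: a subset of the lines from the first HJT log in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
c:\defender22.exe
C:\WINDOWS\explorer.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
O4 - HKLM\..\Run: [defender] c:\\defender22.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\jt4007hme.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

# First Windows path on a line: either quoted (may contain spaces) or bare.
PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\[^\s\[\]]+)')
# An .exe sitting directly in the root of a drive, e.g. c:\defender22.exe.
ROOT_EXE_RE = re.compile(r"[a-z]:\\[^\\]+\.exe", re.I)


def first_path(line):
    """Return the first drive-letter path on the line, with the doubled
    backslashes HJT prints for some entries collapsed, or None if no path."""
    m = PATH_RE.search(line)
    if not m:
        return None
    return (m.group(1) or m.group(2)).replace("\\\\", "\\")


def looks_base64_name(component):
    """If a folder name is valid base64 for printable ASCII, return the decoded
    text, else None. The cmdService folder in this thread is such a name."""
    if len(component) < 12 or not re.fullmatch(r"[A-Za-z0-9+/]+", component):
        return None
    padded = component + "=" * (-len(component) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    return text if text.isprintable() and text.strip() else None


def looks_random_name(filename):
    """Heuristic (editor's assumption): a stem of 8+ characters with letters and
    digits interleaved at least twice, e.g. jt4007hme.dll. Product names such
    as igfxsrvc.dll or WgaLogon.dll do not match."""
    stem = filename.rsplit(".", 1)[0]
    digits = sum(c.isdigit() for c in stem)
    letters = sum(c.isalpha() for c in stem)
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return len(stem) >= 8 and digits >= 2 and letters >= 3 and switches >= 2


def triage(log_text):
    """Return (category, line, detail) triples for lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("O23 - ") and "Unknown owner" in line:
            findings.append(("service with no vendor string", line, ""))
        path = first_path(line)
        if path is None:
            continue
        if ROOT_EXE_RE.fullmatch(path):
            findings.append(("executable in drive root", line, path))
        for folder in path.split("\\")[1:-1]:
            decoded = looks_base64_name(folder)
            if decoded:
                findings.append(("base64 folder name", line, decoded))
        if looks_random_name(path.rsplit("\\", 1)[-1]):
            findings.append(("random-looking file name", line, path))
    return findings


if __name__ == "__main__":
    for category, line, detail in triage(SAMPLE_LOG):
        print(f"{category:30} {detail:16} {line}")
```

Run stand-alone, it flags both defender22 entries, both cmdService lines (decoding the folder to "Steven K. Lim"), and jt4007hme.dll, and stays quiet on the Symantec, Intel and QuickTime entries. Note what it does not catch: podsregk.exe under the odd-looking {A5-52-2F-FA-ZN} Run key has an all-letter name in system32 and passes every heuristic, which is consistent with dvk01 later treating it as a new sample to be submitted rather than something recognisable from the log.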
     
  3. holy_saiyan1, joined Sep 12, 2003, 629 messages

    There's a good program called AimFix that pretty much gets 99% of the trojans, etc. that you get through AIM. You can get it here. (direct link to download)

    Download it, run it, it's fairly simple and intuitive, but post back if you have any questions.

    After running AimFix, restart and run HiJack This again, and put the log up here, and we'll see what we got then.

    Also, you might consider downloading Spybot Search & Destroy or Ad-Aware, and using them as your regular spyware removal program of choice. I personally prefer Spybot, because of its low memory footprint, but they're both good.
     
  4. dvk01 (Derek, Moderator, Malware Specialist), joined Dec 14, 2002, 50,968 messages

    After running AimFix,
    Download AlcanShorty_en.exe
    to your desktop

    Double-click the alcanShorty.exe file and follow the prompts. It will make a folder on the desktop called Alcan Shorty.
    Open the folder and double-click run.bat.

    This will download a file called BFU.exe and a BFU script. If your firewall asks for permission to connect, then allow it.

    A message box will pop up saying Complete. Press OK.
    Then BFU.exe will open.

    Select the option to show the log at completion.

    Execute the script by clicking the Execute button.
    Note that you should see a progress bar while the script is being executed.

    If you have any questions about the use of BFU please read here:
    http://metallica.geekstogo.com/BFUinstructions.html


    When the script has finished, press Copy; that will place a copy of the report in your clipboard. Paste that log back here

    along with a new HJT log, please.

    You also have L2M, so after the BFU do this:

    Please download Look2Me-Destroyer.exe to your desktop.

    * Close all windows before continuing.
    * Double-click Look2Me-Destroyer.exe to run it.
    * Put a check next to Run this program as a task.
    * You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    * When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
    * Once it's done scanning, click the Remove L2M button.
    * You will receive a Done Scanning message, click OK.
    * When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    * Your computer will then shutdown.
    * Turn your computer back on.
    * Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
     
  5. limdawg (Thread Starter), joined May 25, 2006, 3 messages

    Okay, I did the AIM Log, BFU, and L2M. Here is the HJT file:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:52:39 PM, on 5/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\regsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Steven K. Lim\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    And here's the L2M file:

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 5/26/2006 3:07:27 PM

    Infected! C:\WINDOWS\system32\jtjm0711e.dll
    Infected! C:\RECYCLER\NPROTECT\00367791.dll
    Infected! C:\RECYCLER\NPROTECT\00369221.dll
    Infected! C:\RECYCLER\NPROTECT\00369393.dll
    Infected! C:\RECYCLER\NPROTECT\00369861.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0090878.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0091798.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092455.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092521.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092571.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092607.dll
    Infected! C:\WINDOWS\system32\dvintf.dll
    Infected! C:\WINDOWS\system32\f8j2li1o18.dll
    Infected! C:\WINDOWS\system32\ivetpp.dll
    Infected! C:\WINDOWS\system32\jtjm0711e.dll
    Infected! C:\WINDOWS\system32\mwvcp50.dll
    Infected! C:\WINDOWS\system32\szndcmsg.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\jtjm0711e.dll
    C:\WINDOWS\system32\jtjm0711e.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00367791.dll
    C:\RECYCLER\NPROTECT\00367791.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00369221.dll
    C:\RECYCLER\NPROTECT\00369221.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00369393.dll
    C:\RECYCLER\NPROTECT\00369393.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00369861.dll
    C:\RECYCLER\NPROTECT\00369861.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0090878.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0090878.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0091798.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0091798.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092455.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092455.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092521.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092521.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092571.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092571.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092607.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092607.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\dvintf.dll
    C:\WINDOWS\system32\dvintf.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\f8j2li1o18.dll
    C:\WINDOWS\system32\f8j2li1o18.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ivetpp.dll
    C:\WINDOWS\system32\ivetpp.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\jtjm0711e.dll
    C:\WINDOWS\system32\jtjm0711e.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\mwvcp50.dll
    C:\WINDOWS\system32\mwvcp50.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\szndcmsg.dll
    C:\WINDOWS\system32\szndcmsg.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1BC33C5D-AE4E-4C77-B5E8-9A4F82941B07}"
    HKCR\Clsid\{1BC33C5D-AE4E-4C77-B5E8-9A4F82941B07}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D53187E7-CB4A-47E5-9E22-0FEC77663097}"
    HKCR\Clsid\{D53187E7-CB4A-47E5-9E22-0FEC77663097}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{64DD4318-B449-4A5F-A7B9-0B5A12B6FFF0}"
    HKCR\Clsid\{64DD4318-B449-4A5F-A7B9-0B5A12B6FFF0}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C511D9C6-497F-4B1C-B5FB-719F4DF01298}"
    HKCR\Clsid\{C511D9C6-497F-4B1C-B5FB-719F4DF01298}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    I don't know why, but I couldn't figure out how to access the BFU logfile. If you still need it, I think I can find it...

    But my computer is running so much faster and I haven't been getting any popups (yet, at least)! If you guys could check the logfile and make sure that there are no more unwanted things on my computer, that'd be great. Just respond and tell me if I still need to download anything or whatever, to fix stuff.

    Eternal thanks so much dvk01 and holy_saiyan for the help. Next time I have a problem I'll make sure to come back here and I'll refer any friends here =)
     
  6. dvk01 (Derek, Moderator, Malware Specialist), joined Dec 14, 2002, 50,968 messages

    Still more there.

    Next:

    Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
    • Click the Free Trial link under "Downloads/SpySweeper" to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into your next reply.
    Also post a new Hijack This log.
     
  7. dvk01 (Derek, Moderator, Malware Specialist), joined Dec 14, 2002, 50,968 messages

    This looks like a new one, so

    please go to http://www.thespykiller.co.uk/forum/index.php?board=1.0 and upload these files so I can examine them and distribute them to antivirus companies.
    Just press New Topic, fill in the needed details and give a link to your post here, then press the Browse button and navigate to and select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select again; when all the files are listed in the window, press Send to upload them (do not post HJT logs there, as they will not get dealt with).

    Files to submit:

    c:\windows\system32\podsregk.exe
     
  8. limdawg (Thread Starter), joined May 25, 2006, 3 messages

    Okay, I downloaded Spy Sweeper and here's the logfile:

    ********
    5:46 PM: | Start of Session, Friday, May 26, 2006 |
    5:46 PM: Spy Sweeper started
    5:46 PM: Sweep initiated using definitions version 686
    5:46 PM: Starting Memory Sweep
    5:53 PM: Memory Sweep Complete, Elapsed Time: 00:06:34
    5:53 PM: Starting Registry Sweep
    5:53 PM: Found Adware: zenosearchassistant
    5:53 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\ (2 subtraces) (ID = 147930)
    5:53 PM: Found Adware: navexcel navhelper
    5:53 PM: HKLM\software\microsoft\internet explorer\toolbar\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 169512)
    5:54 PM: Found Adware: command
    5:54 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\0000\ (6 subtraces) (ID = 1016064)
    5:54 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (8 subtraces) (ID = 1016072)
    5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
    5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1008\software\navexcel ltd\ (14 subtraces) (ID = 135548)
    5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1006\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
    5:54 PM: HKU\WRSS_Profile_S-1-5-21-1532886375-166745521-1182671931-1006\software\navexcel ltd\ (14 subtraces) (ID = 135548)
    5:54 PM: HKU\S-1-5-21-1532886375-166745521-1182671931-1005\software\microsoft\internet explorer\toolbar\webbrowser\ || {5aa06644-bc46-4220-a460-47a6eb47c96d} (ID = 135541)
    5:54 PM: Found Adware: lopdotcom
    5:54 PM: HKU\S-1-5-18\software\microsoft\windows\currentversion\run\ || usrr (ID = 131890)
    5:54 PM: Registry Sweep Complete, Elapsed Time:00:01:17
    5:54 PM: Starting Cookie Sweep
    5:54 PM: Found Spy Cookie: hbmediapro cookie
    5:54 PM: teik [email protected][2].txt (ID = 2768)
    5:54 PM: Found Spy Cookie: uproar cookie
    5:54 PM: teik [email protected][2].txt (ID = 3613)
    5:54 PM: Found Spy Cookie: atlas dmt cookie
    5:54 PM: teik [email protected][1].txt (ID = 2253)
    5:54 PM: Found Spy Cookie: belnk cookie
    5:54 PM: teik [email protected][1].txt (ID = 2292)
    5:54 PM: teik [email protected][2].txt (ID = 2293)
    5:54 PM: Found Spy Cookie: trafficmp cookie
    5:54 PM: teik [email protected][2].txt (ID = 3581)
    5:54 PM: Found Spy Cookie: adserver cookie
    5:54 PM: teik [email protected][1].txt (ID = 2142)
    5:54 PM: tiffany [email protected][2].txt (ID = 2253)
    5:54 PM: Found Spy Cookie: fastclick cookie
    5:54 PM: tiffany [email protected][2].txt (ID = 2651)
    5:54 PM: Found Spy Cookie: mediaplex cookie
    5:54 PM: tiffany [email protected][1].txt (ID = 6442)
    5:54 PM: Found Spy Cookie: yieldmanager cookie
    5:54 PM: [email protected][2].txt (ID = 3751)
    5:54 PM: [email protected][2].txt (ID = 2253)
    5:54 PM: Found Spy Cookie: findwhat cookie
    5:54 PM: [email protected][1].txt (ID = 2674)
    5:54 PM: Found Spy Cookie: top-banners cookie
    5:54 PM: [email protected][1].txt (ID = 3548)
    5:54 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
    5:54 PM: Starting File Sweep
    5:55 PM: Found Adware: dollarrevenue
    5:55 PM: a0092602.exe (ID = 298760)
    5:55 PM: dc27.exe (ID = 298754)
    5:55 PM: dc31.exe (ID = 298760)
    5:56 PM: a0090866.exe (ID = 298760)
    5:56 PM: a0092527.exe (ID = 298760)
    5:56 PM: Found Adware: targetsaver
    5:56 PM: a0090882.exe (ID = 193501)
    5:56 PM: a0092600.exe (ID = 298756)
    5:56 PM: a0092598.exe (ID = 185985)
    5:56 PM: 00369738.exe (ID = 231443)
    5:56 PM: Found Adware: surfsidekick
    5:56 PM: a0090879.exe (ID = 297346)
    5:57 PM: a0090758.exe (ID = 298754)
    5:57 PM: 00369993.exe (ID = 298754)
    5:57 PM: Found Adware: zquest
    5:57 PM: a0090754.exe (ID = 290920)
    5:57 PM: a0090880.dll (ID = 297347)
    5:57 PM: a0090872.exe (ID = 195128)
    5:57 PM: dc22.exe (ID = 293)
    5:58 PM: a0090750.exe (ID = 215896)
    5:58 PM: dc28.exe (ID = 298760)
    5:58 PM: dc33.exe (ID = 298757)
    5:59 PM: a0090868.exe (ID = 298757)
    6:00 PM: 00369701.exe (ID = 298758)
    6:01 PM: Found Adware: look2me
    6:01 PM: a0092643.exe (ID = 65739)
    6:02 PM: dc37.exe (ID = 298754)
    6:02 PM: a0090749.exe (ID = 298758)
    6:02 PM: a0090761.exe (ID = 298757)
    6:02 PM: a0090869.exe (ID = 185985)
    6:02 PM: a0092593.vbs (ID = 231442)
    6:02 PM: a0090867.exe (ID = 293)
    6:02 PM: a0090873.dll (ID = 195129)
    6:03 PM: a0090747.exe (ID = 298754)
    6:09 PM: a0091754.exe (ID = 185985)
    6:09 PM: a0092599.exe (ID = 185985)
    6:09 PM: a0090883.exe (ID = 290920)
    6:09 PM: 00369698.exe (ID = 298757)
    6:09 PM: a0090885.exe (ID = 293)
    6:09 PM: a0092511.exe (ID = 65739)
    6:10 PM: 32408_icont.exe.bak (ID = 65739)
    6:10 PM: 32382_command.exe.bak (ID = 144946)
    6:10 PM: 00369759.exe (ID = 185985)
    6:10 PM: a0092585.exe (ID = 298757)
    6:10 PM: a0092586.exe (ID = 298758)
    6:10 PM: a0090756.exe (ID = 293)
    6:11 PM: a0090759.exe (ID = 298760)
    6:11 PM: a0090763.exe (ID = 185985)
    6:22 PM: class-barrel (ID = 78229)
    6:23 PM: asappsrv.dll (ID = 144945)
    6:23 PM: 00369767.exe (ID = 298760)
    6:23 PM: vocabulary (ID = 78283)
    6:25 PM: a0092568.exe (ID = 65722)
    6:31 PM: drsmartload[1].exe (ID = 298760)
    6:31 PM: dc50.exe (ID = 298760)
    6:34 PM: a0090752.exe (ID = 193995)
    6:38 PM: Found Adware: purityscan
    6:38 PM: ati2evxx.exe (ID = 296574)
    6:38 PM: 00367789.dll (ID = 159)
    6:38 PM: a0090877.exe (ID = 215896)
    6:38 PM: drsmartload45a.exe (ID = 298783)
    6:39 PM: a0092614.dll (ID = 159)
    6:39 PM: defender22[1].exe (ID = 298754)
    6:39 PM: drsmartload46a.exe (ID = 298784)
    6:40 PM: a0092641.exe (ID = 144946)
    6:41 PM: a0090884.exe (ID = 168558)
    6:46 PM: 00369764.exe (ID = 298756)
    6:46 PM: a0090874.exe (ID = 195130)
    6:50 PM: mte3ndi6odoxng[1].exe (ID = 185985)
    6:51 PM: dc53.exe (ID = 185985)
    6:52 PM: 00369173.dll (ID = 159)
    6:53 PM: newname22[1].exe (ID = 298758)
    6:53 PM: a0090881.exe (ID = 193995)
    6:53 PM: dc54.exe (ID = 298758)
    6:53 PM: dc56.exe (ID = 298754)
    6:54 PM: a0090875.exe (ID = 195131)
    6:55 PM: keyboard22[1].exe (ID = 298757)
    6:55 PM: a0090876.exe (ID = 195132)
    6:58 PM: 00369914.dll (ID = 163672)
    7:00 PM: a0092615.dll (ID = 163672)
    7:01 PM: dc60.exe (ID = 298760)
    7:08 PM: installer[1].exe (ID = 168558)
    7:09 PM: dc55.exe (ID = 168558)
    7:27 PM: drsmartload45a[1].exe (ID = 298783)
    7:27 PM: dc34.exe (ID = 185985)
    7:27 PM: dc29.exe (ID = 298757)
    7:27 PM: dc57.exe (ID = 298783)
    7:27 PM: 00369889.dll (ID = 159)
    7:29 PM: 00369695.dll (ID = 166754)
    7:29 PM: 00369915.dll (ID = 163672)
    7:30 PM: a0092613.dll (ID = 163672)
    7:30 PM: 00369391.dll (ID = 159)
    7:31 PM: a0092616.dll (ID = 159)
    7:31 PM: 00369258.dll (ID = 159)
    7:31 PM: a0090865.exe (ID = 296030)
    7:32 PM: 00369260.dll (ID = 159)
    7:33 PM: 00369912.dll (ID = 159)
    7:35 PM: 00369606.dll (ID = 159)
    7:35 PM: 00369913.dll (ID = 163672)
    7:36 PM: dc36.exe (ID = 168558)
    7:36 PM: 00369916.dll (ID = 163672)
    7:36 PM: drsmartload46a[1].exe (ID = 298784)
    7:36 PM: dc58.exe (ID = 298784)
    7:36 PM: dc52.exe (ID = 298757)
    7:36 PM: 00369792.dll (ID = 297348)
    7:36 PM: a0092584.dll (ID = 166754)
    7:36 PM: 00369692.__t (ID = 166754)
    7:36 PM: drsmartload44a[1].exe (ID = 298756)
    7:36 PM: dc35.exe (ID = 298758)
    7:36 PM: dc51.exe (ID = 298756)
    7:37 PM: dc45.dll (ID = 166754)
    7:37 PM: 00369917.dll (ID = 159)
    7:37 PM: warebundle.exe (ID = 168558)
    7:37 PM: 00367689.dll (ID = 159)
    7:37 PM: dc44._ (ID = 166754)
    7:37 PM: dc40.exe (ID = 298783)
    7:37 PM: dc41.exe (ID = 298784)
    7:37 PM: dc32.exe (ID = 298756)
    7:47 PM: oal5xaprkhprkhudvk.vbs (ID = 185675)
    7:47 PM: dc48.cfg (ID = 91140)
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:47 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:48 PM: Warning: Unhandled Archive Type
    7:57 PM: File Sweep Complete, Elapsed Time: 02:02:30
    7:57 PM: Full Sweep has completed. Elapsed time 02:10:50
    7:57 PM: Traces Found: 183
    12:11 AM: Removal process initiated
    12:12 AM: Quarantining All Traces: look2me
    12:12 AM: Quarantining All Traces: lopdotcom
    12:12 AM: Quarantining All Traces: purityscan
    12:12 AM: Quarantining All Traces: dollarrevenue
    12:12 AM: Quarantining All Traces: surfsidekick
    12:12 AM: Quarantining All Traces: zquest
    12:12 AM: Quarantining All Traces: command
    12:13 AM: Quarantining All Traces: navexcel navhelper
    12:13 AM: Quarantining All Traces: targetsaver
    12:13 AM: Quarantining All Traces: zenosearchassistant
    12:13 AM: Quarantining All Traces: adserver cookie
    12:13 AM: Quarantining All Traces: atlas dmt cookie
    12:13 AM: Quarantining All Traces: belnk cookie
    12:13 AM: Quarantining All Traces: fastclick cookie
    12:13 AM: Quarantining All Traces: findwhat cookie
    12:13 AM: Quarantining All Traces: hbmediapro cookie
    12:13 AM: Quarantining All Traces: mediaplex cookie
    12:13 AM: Quarantining All Traces: top-banners cookie
    12:13 AM: Quarantining All Traces: trafficmp cookie
    12:13 AM: Quarantining All Traces: uproar cookie
    12:13 AM: Quarantining All Traces: yieldmanager cookie
    12:13 AM: Removal process completed. Elapsed time 00:02:04
    ********
    5:44 PM: | Start of Session, Friday, May 26, 2006 |
    5:44 PM: Spy Sweeper started
    5:45 PM: Your spyware definitions have been updated.
    5:46 PM: | End of Session, Friday, May 26, 2006 |

    And here's the HJT logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:16:21 AM, on 5/27/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Documents and Settings\Steven K. Lim\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    Thanks for the extended help. Are there any more problems? =( My computer hasn't been acting strangely, but it seems that Spy Sweeper caught a lot of spyware/adware on my computer.

    By the way, dvk01, I don't understand what you want me to upload to that forum. If you could explain that better, that'd be great.

    Thanks again :) BTW, just a quick question... how can you look at the logfile and know what's good and what's bad?
     
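As an added illustration of the last question above, not code from the thread, from HijackThis or from Webroot: a small parser for the HijackThis log line format shown in the post, with a few review heuristics run over a constructed sample built from the same kinds of entries (the about:blank search page, the vendor-less SLService entry, the AOL service sitting directly under C:\WINDOWS). The function names, the regexes and the flag wording are my own assumptions; each flag is a reason to look closer at an entry, not a verdict on it.

```python
import re
from dataclasses import dataclass, field
# Constructed sample in the HijackThis v1.99.1 line format quoted in the thread.
SAMPLE_HJT = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""
WINROOT_EXE = re.compile(r'\b[A-Za-z]:\\WINDOWS\\[^\\\s"]+\.exe\b', re.IGNORECASE)

@dataclass
class Entry:
    code: str          # HJT section, e.g. "R1", "O4", "O23"
    fields: list       # the " - "-separated fields after the code
    flags: list = field(default_factory=list)

def split_fields(line):
    # An empty HJT field is written " - - ": the separators share a space, so a
    # plain str.split(" - ") would mis-tokenise it; the lookahead split does not.
    return [p.strip() for p in re.split(r" -(?= )", line)]

def parse_hjt(text):
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^[RO]\d+ - ", line):      # skip header and process list
            parts = split_fields(line)
            entries.append(Entry(parts[0], parts[1:]))
    return entries

def triage(entries):
    # Review hints only, not verdicts: the AOL WAN Miniport service in the thread
    # is a legitimate executable living directly under C:\WINDOWS.
    for e in entries:
        joined = " ".join(e.fields)
        if e.code == "O23" and len(e.fields) >= 3 and e.fields[1] == "":
            e.flags.append("service with no vendor string: " + e.fields[-1])
        if e.code in ("R0", "R1") and joined.endswith("= about:blank"):
            e.flags.append("browser page set to about:blank: " + e.fields[0])
        m = WINROOT_EXE.search(joined)
        if m:
            e.flags.append("executable directly in the Windows folder: " + m.group(0))
    return [(e.code, f) for e in entries for f in e.flags]

if __name__ == "__main__":
    for code, msg in triage(parse_hjt(SAMPLE_HJT)):
        print(code, msg)
```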
Short URL to this thread: https://techguy.org/470212