Jump to content

Build Theme!
  •  
  • Infected?

WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. :D Join 91818 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!


Photo

Help! -- these popups are driving me crazy 8'(


  • This topic is locked This topic is locked
12 replies to this topic

#1 halbroome

halbroome

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 04 November 2005 - 02:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:57:39 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\MXOALDR.EXE
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fnord Explorer
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123380463149
O20 - Winlogon Notify: BITS - C:\WINNT\system32\enl6l13s1.dll (file missing)
O20 - Winlogon Notify: URL - C:\WINNT\system32\j8p00i7me8.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    Advertisements

Register to Remove


#2 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 04 November 2005 - 06:43 PM

Hello halbroome, Welcome to the forum.


This is what I suggest you do.



Please do not delete anything unless instructed to.



Download CWShredder from my signature below. Unzip it on the desktop.
Open CWShredder and with ALL other windows closed, click fix.


Go here and run at least one of the online scans, allow them to delete whatever they find:

TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed
Reboot when done.

Next:

Even if you've already run these, make SURE they're up-to-date and run per instructions.

Make sure you have the up-to-date versions of Spybot V 1.4 and Ad-aware SE Build 1.06 . All are free and available below.

Download Spybot, install and update. Then download Ad-aware, install, and update.

Spybot:

Install the program and launch it.

Go to Start > Programs >Spybot > Search & Destroy and choose Spybot S&D

Close ALL windows except Spybot S&D
Click the button to "Search for Updates" and download and install the Updates.
Next click the button "Check for Problems"
When Spybot is complete, it will be showing "RED" (RED) entries "BLACK" entries and "GREEN" (GREEN) entries in the window
Put a check mark beside the RED (RED) entries ONLY.
Choose "Fix Selected Problems" and allow Spybot to fix the RED (RED) entries.

Ad-Aware FULL SCAN:

Install the program and launch it.

1. Launch Ad-Aware SE and run the WebUpdate feature. (Click on the Globe icon > Click connect > Click OK > Click Finish.)
2. Set up the Configurations as follows:
-- Click the Gear wheel at the top of the Ad-Aware window
-- Click General > Safety & Settings: Check (Green) all three.
-- Click Tweak > Cleaning Engine > UNcheck "Always try to unload modules before deletion".
3. Click "Proceed"
4. Click "Scan Now"
5. Deselect "Search for negligible risk entries" as negligible risk entries (MRU's) are not considered to be a threat.
6. Select "Search for low-risk threats"
7. Run the scanner using the Full Scan (Perform full system scan) mode.
8. When the scan has completed, select Next.
9. In the Scanning Results window, select the "Scan Summary" tab.
10. Check the box next to each "target family" you wish to remove.
11. Click next > Click OK.



Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#3 halbroome

halbroome

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 04 November 2005 - 06:50 PM

Thanks -- this is a great service! Before I do your instructions, I should say I've tried Adaware and Spybot and even had them installed when I did the log (should have rebooted, probably). I had removed them as it was suggested to do so for the fix! But I'll reinstall, update and try what you suggest. In doing my prior attempts with those, Norton, and MSantispyBeta, I uncovered the Coolweb virus . . . CWshredder subsequently would uncover and remove CWS.Jksearch, but it always comes back. Off to try your response! back with log update. Thanks again, hal

#4 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 04 November 2005 - 07:12 PM

OK. Hope they are finished with the server updates :thumbup:

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#5 halbroome

halbroome

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 04 November 2005 - 08:44 PM

Ok, followed your instructions to the letter (installed and updated Spybot, AdAware etc.):

Then ran Trend Micro:

"Nothing found"

When I rebooted I got a familiar RUNDLL error message:

"Exception occurred when running C:\system32\[filename-that-changes].dll",GetVersion"

Then ran Spybot:

NO IMMEDIATE THREATS

(all this time popups are occurring spontaneously! they do seem to occur more when I'm browsing, but
can even open up when I have the browser collapsed and away from the computer! Very annoying to
try and type when they suddenly spring up and take the active screen position 8'( )

Then ran ADAware:

found one problem (status 3):

1 Tracking cookie [this pointed to some realmedia site; I've quarantined many such cookies so far]

At this point I cleared everything out with the Windows Clean, and also Norton's Clean; rebooted.

Upon booting up, another RUNDLL error -- identical to the exception above except for [new file name.dll].

Here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 8:29:46 PM, on 11/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\MXOALDR.EXE
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\system32\rundll32.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext =

http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fnord

Explorer
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -

C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [MaxtorOneTouch]

C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2

NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\USB SBAudigy2

NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control

Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec

Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe

/Consumer
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram

Optimizer\fro.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton

SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE

CfgWiz
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program

Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM

Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL

Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no

file)
O9 - Extra 'Tools' menuitem: AOL Toolbar -

{4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} -

http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} -

http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} -

http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program

Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} -

C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage

Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.micros...6/client/muweb_

site.cab?1123380463149
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -

http://a840.g.akamai...cro.com/houseca

ll/xscan53.cab
O20 - Winlogon Notify: BITS - C:\WINNT\system32\enl6l13s1.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINNT\system32\l64qlgh5164.dll
O23 - Service: Ati HotKey Poller - Unknown owner -

C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation

- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program

Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec

Corporation - C:\Program Files\Norton SystemWorks\Norton

AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec

Corporation - C:\Program Files\Norton SystemWorks\Norton

AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec

Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program

Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development

Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program

Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton

SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation -

C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec

Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -

C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation -

C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program

Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 04 November 2005 - 08:52 PM

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, click on the Scanner run a full scan and let it clean everything it finds. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan. Please turn word wrap off in Notepad.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#7 halbroome

halbroome

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 05 November 2005 - 12:52 AM

I found the virus -- "Look2me" -- and know where in the registry it
is hiding now; Ewido can't remove it, and I won't delete the registry
keys (well, I'M AFRAID TO DELETE THE REGISTRY KEYS!) as you told
me not to do that until I run it by you. Here's the story:

I went into safe mode as an administrator (I have a personal
account, too, all on the same laptop). Ran Ewido and discovered
51 instances of the "Look2me" virus. 50 were deleted by Ewido,
but as you can see from the log, "xhob2res.dll" wasn't deleted:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:00:02 PM, 11/4/2005
+ Report-Checksum: 3A3A34A7

+ Scan result:

[664] C:\WINNT\system32\xhob2res.dll -> Spyware.Look2Me : Error during cleaning
[720] C:\WINNT\system32\mjacm.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422156.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422224.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422225.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422698.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422699.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422715.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422716.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422777.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00422868.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423185.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423186.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423404.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423405.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423441.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423442.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423861.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00423914.dll -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424314.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424315.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424316.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424317.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424349.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424350.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424664.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424665.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424709.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424734.DLL -> Spyware.Look2Me : Cleaned with backup
C:\RECYCLER\NPROTECT\00424735.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\ccetcfg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\crmpatui.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\dnnetlib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\fpp0037me.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\GGCollection.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\guard.tmp -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\hCshlib.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\igmon.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\ihv6mon.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\kadinben.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\kcdsmsno.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\krdnec.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\l6j8lg1u16.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\lv6u09j9e.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\LYDIS11n.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mjacm.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\p46s0ej7eho.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\qkvd.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\uxnphost.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\wepasf.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\wgdap32.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

Rebooted, then discovered CWWshredder STILL found CWS.Jksearch ! Hmmph. So I
cleaned all the temp files out and rebooted into safe mode, this time going
into my personal XP account and running two scans. The first was memory-only:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:20:40 PM, 11/4/2005
+ Report-Checksum: 9D454B4F

+ Scan result:

[652] C:\WINNT\system32\mkxml.dll -> Spyware.Look2Me : Error during cleaning
[728] C:\WINNT\system32\mkxml.dll -> Spyware.Look2Me : Error during cleaning


::Report End

Two files with the same name! "Look_2_me" I guess. So, as I ran a third
scan (full), I then used Registrar.lite to search for "mkxml.dll" in the registry.
Found it in the following place:

Hkey_local_machine\software\classes\CLID\{Abunchof#s}\InprocServer32\\ThreadingModel

Under this, mkxml.dll existed with the value "Apartment." So it must replicate
in "threads," where if in one place it is deleted, its twin continues on elsewhere.

For "xhob2res.dll" from the first safe mode scan also existed in
a similar registry key too, and was still present (as Ewido had failed to delete it).

I'm typing this as the 2nd safe mode full scan operates. Finished, here's the log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:22:51 AM, 11/5/2005
+ Report-Checksum: 52A89381

+ Scan result:

[652] C:\WINNT\system32\mkxml.dll -> Spyware.Look2Me : Error during cleaning
[728] C:\WINNT\system32\mkxml.dll -> Spyware.Look2Me : Error during cleaning
C:\RECYCLER\NPROTECT\00424831.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{8002FAC4-987A-423F-A02F-FD2F3B3F135B}\RP1\A0000002.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINNT\system32\mqrui.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

I note it is in my system restore files; fine, I can delete those when I have
it all clean and make a new restore. mkxml.dll wasn't removed, but I know
where it is in the registry now!

Rebooted into normal mode, cleaned out temp files with Norton, and
ran HiJackthis -- BTW -- THE POPUPS ARE STILL THERE! GRRR!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:31:40 AM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\MXOALDR.EXE
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\system32\wuauclt.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fnord Explorer
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123380463149
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: Nls - C:\WINNT\system32\ennul1591.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 05 November 2005 - 04:32 AM

Download the trial version of Spy Sweeper from Here

Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)

You will be prompted to check for updated definitions, please do so.
(This may take several minutes)

Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.

Click on Sweep and allow it to fully scan your system.If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!

When the sweep has finished, click Remove. Click Select All and then Next

From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.

Exit Spy Sweeper.

Empty Recycle Bin

Reboot and "copy/paste" a new HJT log as well as the Resullts from Spy Sweeper file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#9 halbroome

halbroome

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 05 November 2005 - 02:20 PM

After rebooting for Spysweeper's search, I immediately made a system restore
and deleted the old files. I then used MS Clean and Norton Clean, and took
Spysweeper's suggestion to reset my IE browser settings. Then I made
the HiJackThis log attached below the Spy Sweeper log below. E: drive
is my Cd-r/w drive, so ignore that it couldn't access that.

NO MORE a-d-a-ware POPUPS SO FAR! THANK YOU!

However: CWshredder is still finding CWS.Jksearch.

So I suspect I'm not finished quite yet: xhob2res.dll is also still in my
registry, although mkxml.dll is gone (or renamed). What now?

Here are the current logs for Spy Sweeper / HiJackThis:

********
8:45 AM: | Start of Session, Saturday, November 05, 2005 |
8:45 AM: Spy Sweeper started
8:45 AM: Sweep initiated using definitions version 567
8:45 AM: Starting Memory Sweep
8:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 AM: Found Adware: icannnews
8:45 AM: Detected running threat: C:\WINNT\system32\aeferror.dll (ID = 83)
8:46 AM: Detected running threat: C:\WINNT\system32\fn4021hmg.dll (ID = 83)
8:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:46 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:47 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 AM: Memory Sweep Complete, Elapsed Time: 00:02:54
8:48 AM: Starting Registry Sweep
8:48 AM: Found Trojan Horse: kitten free sex dialer
8:48 AM: HKLM\software\sds software\ (8 subtraces) (ID = 129640)
8:48 AM: Registry Sweep Complete, Elapsed Time:00:00:12
8:48 AM: Starting Cookie Sweep
8:48 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:48 AM: Starting File Sweep
8:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:48 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:49 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:49 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:50 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:51 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:52 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:53 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:54 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:55 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:56 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:57 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:58 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:59 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:00 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:02 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:03 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:04 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:05 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:06 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:07 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:08 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: Warning: Failed to access drive E:
9:09 AM: File Sweep Complete, Elapsed Time: 00:20:56
9:09 AM: Full Sweep has completed. Elapsed time 00:24:06
9:09 AM: Traces Found: 11
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:09 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:10 AM: Removal process initiated
9:10 AM: Quarantining All Traces: icannnews
9:10 AM: icannnews is in use. It will be removed on reboot.
9:10 AM: C:\WINNT\system32\aeferror.dll is in use. It will be removed on reboot.
9:10 AM: C:\WINNT\system32\fn4021hmg.dll is in use. It will be removed on reboot.
9:10 AM: Quarantining All Traces: kitten free sex dialer
9:10 AM: Warning: Launched explorer.exe
9:10 AM: Warning: Quarantine process could not restart Explorer.
9:11 AM: Preparing to restart your computer. Please wait...
9:11 AM: Removal process completed. Elapsed time 00:00:44
********
8:43 AM: | Start of Session, Saturday, November 05, 2005 |
8:43 AM: Spy Sweeper started
8:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:43 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:44 AM: Your spyware definitions have been updated.
8:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 AM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
8:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 AM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
8:45 AM: | End of Session, Saturday, November 05, 2005 |

*************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 9:26:13 AM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\support.com\bin\tgcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\RunDll32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\MXOALDR.EXE
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\wuauclt.exe
C:\hijack\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fnord Explorer
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123380463149
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 05 November 2005 - 02:44 PM

I take it you've worked with the registry before?


I suggest you do this:

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.net/
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\support.com\bin\tgcmd.exe" /server
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


Close ALL windows and browsers except HijackThis and click "Fix checked"


Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#11 halbroome

halbroome

    New Member

  • New Member
  • Pip
  • 6 posts

Posted 05 November 2005 - 04:05 PM

Worked with registry? As an English major sidetracked into Silicon valley for eight years, yea, but I'm happily teaching in my major now 8'). I do love computer work, though, and hope to teach online classes
at some point; was a music webcaster with a weekly show this year until the station shut down.

My computer is working very smoothly! No freezes in the browser as I had prior to the popup problems;
I suppose there were a variety of viruses. After you declare me "clean" I'll have AdAware, MSantispybeta,
and Norton up and fully updated, and then attach my external hard drives (3 of them) and go through
this whole procedure again to make sure everything is clean; might as well make use of my 2-week
trials of Ewido and Spy Sweeper, no?

I had noticed that Quicktime running -- I had removed that program, I thought!

Here's the current HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:55:48 PM, on 11/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\WDC\SetIcon.exe
C:\WINNT\system32\RunDll32.exe
C:\WINNT\MXOALDR.EXE
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\AGRSMMSG.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\Program Files\Dantz\Retrospect\retrorun.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\snmp.exe
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\wuauclt.exe
C:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fnord Explorer
O3 - Toolbar: Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINNT\MXOALDR.EXE
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [MaxtorOneTouch] C:\PROGRA~1\Maxtor\OneTouch\Utils\OneTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\USB SBAudigy2 NX\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\USB SBAudigy2 NX\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [Free Ram Optimizer] C:\Program Files\AceLogix\Free Ram Optimizer\fro.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123380463149
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: WRNotifier - C:\WINNT\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: Retrospect Launcher (RetroLauncher) - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\retrorun.exe
O23 - Service: Retrospect Helper - Dantz Development Corporation - C:\Program Files\Dantz\Retrospect\rthlpsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

#12 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 05 November 2005 - 04:17 PM

If it were my PC, I'd go into the registry and kill this one: xhob2res.dll
Other then that:



Good Job :thumbup:


Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start> My Computer, select the Tools menu and then Folder Options, after the new window appears select the View tab…]
This time select the: Restore Defaults
Select: Apply, and click OK




If you dont have these three programs I would recommend that you get them. Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your resticted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 


#13 LDTate

LDTate

    Forum God

  • Root Admin
  • 57,171 posts

Posted 10 November 2005 - 06:07 PM

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php

The forum is run by volunteers who donate their time and expertise.

Want to help others? Join the ClassRoom and learn how.

Logs will be closed if you haven't replied within 3 days

 

If you would like to paypal.gif for the help you received.
 

Proud graduate of TC/WTT Classroom

 

Related Topics



0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users