    #1 (Member, joined Jul 2006, USA)

    I need a bit of help with the trojan 2pursuit !!!!

    I have recently come across a large amount of adware/spyware/trojans/viruses on my laptop. Through hours of troubleshooting, I was able to get rid of about 145 of them; however, there is one that seems to continue to escape my grasp, and I can't find any information anywhere on how to get rid of this particular trojan. Spy Sweeper labels it as trojan-downloader-2pursuit. Every time that I run Spy Sweeper... it sees the virus, then deletes the virus, but upon restarting my computer and rerunning Spy Sweeper again, there it is again as if it never left. This is my first time posting on here, so I hope I am doing it right, and please let me know if you happen to see something I may have missed.

    Here is the report I pulled from HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:33:45 PM, on 7/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    \?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Bill\Desktop\Programs\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144344648655
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - AppInit_DLLs: msiexec.dll C:\WINDOWS\system32\msiexec.dll C:\WINDOWS\system32\
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1382171.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Professional Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe


    and here is the report from spysweeper:

    Your Sweep Options indicate the following will be swept:
    Drives: C: D:
    Also sweeping: Memory, Cookies, Registry
    Trojan Horse found: trojan-downloader-2pursuit
    Spy Cookie found: 2o7.net cookie
    Spy Cookie found: statcounter cookie


    Also, two quick things. One, just to verify that I am completely clean after this virus is finally removed, is there a program you would recommend for me to use to completely scan my computer for any malicious logic? And two, my Norton AntiVirus "LiveUpdate" seems to never work on my laptop. I have the same version and the same laptop as my roommate, and it updates fine for him and not for me, even after countless reinstalls of the program. Could there be a virus preventing me from updating? Thank you for your help and your time, and have a happy 4th of July.

    #2 (1972vet, Member, joined Mar 2006)

    Please download Look2Me-Destroyer.exe to your desktop.
    * Close all windows before continuing.
    * Double-click Look2Me-Destroyer.exe to run it.
    * Put a check next to Run this program as a task.
    * You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
    * When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, this is normal.
    * Once it's done scanning, click the Remove L2M button.
    * You will receive a Done Scanning message, click OK.
    * When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    * Your computer will then shutdown.
    * Turn your computer back on.


    If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
    http://www.ascentive.com/support/new...b/MSWINSCK.OCX

    Then click the Remove L2M button and wait for it to give you a message; when you click OK on it, it should shut itself down.

    Download Ewido anti-spyware to your desktop.
    This is a 30-day free trial. At the end of the 30-day trial period the full version features (active guard, automatic updates...) will be deactivated and the program will become a feature-limited freeware version... You can still keep it and use it for "On Demand" scanning.
    1. Double click the icon on the desktop to launch the set up program.
    2. Select Change state to inactivate "Resident Shield" and "Automatic Updates". Right click on ewido in the system tray and uncheck "Start with Windows".
    3. Once the setup is complete you will need to update the definition files.
    4. On the main screen select the icon Update then select the Update now link.
    5. Next select the Start Update button, the update will start and a progress bar will show the updates being installed.
    6. Once the update has completed select the Scanner icon at the top of the screen, then select the Settings tab.
    7. Once in the Settings screen click on Recommended actions and then select Quarantine.
    8. Under Reports
    9. Select Automatically generate report after every scan
    10. Un-Select Only if threats were found


    Close ewido anti-spyware.

    Please boot into Safe mode:

    Restart the computer and immediately begin tapping the F8 key (or F5 on some Dell machines).
    Use the arrow keys to highlight Safe Mode and press the Enter key. Once in safe mode, continue with the instructions below:

    • Launch ewido anti-spyware by double-clicking the icon on your desktop.
    • Select the Scanner icon at the top, then the Scan tab, then click on Complete System Scan.
    • ewido will now begin the scanning process; be patient, this may take some time.
    • Once the scan is complete do the following:
    • When prompted of an infection, please select Apply all actions.
    • Next select the Reports icon at the top.
    • Select the Save report as button in the lower left hand of the screen and save it to your Desktop.

    Now close ewido anti-spyware.

    Please run HijackThis again and check the box next to these entries:
    O4 - HKLM\..\Run: [DeleteLog] c:\windows\system32\oobe\DeleteLog.exe
    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=pavilion&pf=laptop
    O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
    O20 - AppInit_DLLs: msiexec.dll C:\WINDOWS\system32\msiexec.dll C:\WINDOWS\system32\
    O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1382171.dll
    O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)


    Close all windows except for HijackThis before clicking Fix Checked.

    Locate and delete the following files indicated in Bold text:
    C:\WINDOWS\g1382171.dll
    C:\WINDOWS\winhld32.dll

    Reboot the computer.

    Please perform this online scan: F-Secure Online Scanner Next Generation Beta
    1. Click on the link "F-Secure Online Scanner Next Generation Beta".
    2. You may receive an alert on the address bar at this point to install the ActiveX control.
    3. Click on that alert and then click Install ActiveX component.
    4. Read the license agreement and click "Accept".
    5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
    6. When done click "Show report" and copy/paste its contents into your next reply along with a new HijackThis log and the log from your Ewido scan. Thanks!
    Disabled Veteran
    U.S.C.G.

    CastleCops Graduate 1st Responder

    Member:
    A.S.A.P.
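As an added illustration (example code written for this page, not part of 1972vet's reply and not HijackThis's own logic), the Python script below parses HijackThis O16/O20 lines and applies the triage heuristics the reply above relies on: a DPF entry with no friendly name that fetches an .exe from a bare IP address, a non-empty AppInit_DLLs value, and a Winlogon Notify DLL that is missing on disk or sits directly in C:\WINDOWS. The sample lines are copied from the log in #1; the regexes, function names and heuristics are assumptions of this example.

```python
import re
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HijackThis log posted in #1.
SAMPLE_LOG = r"""
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {97B79133-88F0-45F0-8D57-0F2EF27D9C66} - http://85.255.114.166/1/rdgUS2404.exe
O20 - AppInit_DLLs: msiexec.dll C:\WINDOWS\system32\msiexec.dll C:\WINDOWS\system32\
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g1382171.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winhld32 - winhld32.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O16: DPF: {CLSID} (optional friendly name) - download URL or local path
DPF_RE = re.compile(r"^DPF: \{([0-9A-Fa-f-]+)\}(?: \((.+?)\))? - (.+)$")
# O20 comes in two flavours: Winlogon Notify: <name> - <dll>  |  AppInit_DLLs: <value>
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - (.*)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

WINDIR = "c:\\windows\\"


def triage_dpf(body):
    """Heuristics for O16 (Downloaded Program Files / ActiveX) entries."""
    m = DPF_RE.match(body)
    if not m:
        return []
    _clsid, name, target = m.groups()
    reasons = []
    if name is None:
        reasons.append("no friendly control name")
    parsed = urlparse(target)
    if IPV4_RE.match(parsed.hostname or ""):
        reasons.append("download host is a bare IP address")
    if parsed.path.lower().endswith(".exe"):
        reasons.append("target is an .exe, not the usual .cab package")
    return reasons


def triage_winlogon_notify(body):
    """Heuristics for O20 Winlogon Notify entries (DLLs loaded by winlogon.exe)."""
    m = NOTIFY_RE.match(body)
    if not m:
        return []
    _name, target = m.groups()
    reasons = []
    if "(file missing)" in target:
        reasons.append("registered DLL is missing on disk (orphaned or hidden)")
    path = target.lower()
    # A notify DLL dropped straight into C:\WINDOWS (not system32) is unusual.
    if path.endswith(".dll") and path.startswith(WINDIR) and "\\" not in path[len(WINDIR):]:
        reasons.append("DLL sits directly in the Windows directory rather than system32")
    return reasons


def triage_appinit(body):
    """Heuristic for O20 AppInit_DLLs: any value means DLLs are injected broadly."""
    m = APPINIT_RE.match(body)
    if not m or not m.group(1).strip():
        return []
    return ["AppInit_DLLs is set: listed DLLs load into every process that maps user32.dll"]


def triage_log(text):
    """Return [(line, [reasons...])] for every entry a heuristic fired on."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O16":
            reasons = triage_dpf(body)
        elif section == "O20":
            reasons = triage_winlogon_notify(body) or triage_appinit(body)
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

On the sample above the script flags exactly the O16 and O20 lines the reply asks the poster to fix and leaves the signed vendor entries (WgaLogon, WRNotifier, HouseCall) alone.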

    #3 (Member, joined Jul 2006, USA)

    I think there is still a problem

    I followed the instructions to the T, and I have come across even more viruses and trojans that Spy Sweeper hadn't detected. While following your instructions, everything went smoothly except for two things. My computer was unable to locate the two files you had mentioned for me to search for and delete:

    C:\WINDOWS\g1382171.dll
    C:\WINDOWS\winhld32.dll

    Also, after checking and fixing the mentioned items in HijackThis, an error of some sort popped up. I don't know if it was relevant or not, because the files were fixed anyway, but I thought I'd still mention it just in case.

    Anyway, here is the F-Secure Online Scanner Next Generation Beta report you requested:

    Scanning Report
    Thursday, July 06, 2006 15:55:52 - 16:47:27
    Computer name: AMARANT
    Scanning type: Scan system for viruses, rootkits, spyware
    Target: C:\ D:\


    --------------------------------------------------------------------------------

    Result: 25 malware found
    Possible Browser Hijack attempt (spyware)
    System (Disinfected)
    Tracking Cookie (spyware)
    System (Disinfected)
    System
    System
    System
    Trojan-Downloader.Win32.Delf.aeo (virus)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\024B68D2.DLL (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\1165164A (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\2BC30AF6 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\346B0628 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\37EB7F87 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\40D0779D (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\571A145A.DLL (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63E51445 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63E83E42 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63EB683E (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\63EF123B (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\662A45C6 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\691B06F4 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\6EA22828 (Renamed & Submitted)
    C:\PROGRAM FILES\NORTON ANTIVIRUS\QUARANTINE\7A336427 (Renamed & Submitted)
    Trojan-Downloader.Win32.Obfuscated.n (virus)
    C:\DOCUMENTS AND SETTINGS\BILLY'S BOO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QD3GTKNA\RDGUS2404[1].EXE (Renamed & Submitted)
    C:\DOCUMENTS AND SETTINGS\BILLY'S BOO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GTWV2P45\RDGUS2405[1].EXE (Renamed & Submitted)
    C:\DOCUMENTS AND SETTINGS\BILLY'S BOO\LOCAL SETTINGS\APPLICATION DATA\82AAB3AF.EXE (Renamed)
    C:\DOCUMENTS AND SETTINGS\BILL\LOCAL SETTINGS\APPLICATION DATA\82AAB3AF.EXE (Renamed)
    W32/Malware (virus)
    C:\WINDOWS\SYSTEM32\CLCI.EXE

    --------------------------------------------------------------------------------

    Statistics
    Scanned:
    Files: 30547
    System: 5155
    Not scanned: 6
    Actions:
    Disinfected: 2
    Renamed: 19
    Deleted: 0
    None: 4
    Submitted: 17
    Files not scanned:
    C:\HIBERFIL.SYS
    C:\PAGEFILE.SYS
    C:\WINDOWS\SYSTEM32\DRIVERS\DTSCSI.SYS
    C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0102\0314\VALUES

    --------------------------------------------------------------------------------

    Options
    Scanning engines:
    F-Secure AVP: 6.0.171, 2006-07-06
    F-Secure Libra: 2.4.1, 2006-07-04
    F-Secure Orion: 1.2.37, 2006-07-06
    F-Secure Blacklight: 1.0.31, 0000-00-00
    F-Secure Pegasus: 1.19.0, 2006-06-04
    F-Secure Draco: 1.0.35, 2006-06-29
    Scanning options:
    Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
    Use Advanced heuristics

    Here is a new HijackThis Report:

    Logfile of HijackThis v1.99.1
    Scan saved at 4:57:39 PM, on 7/6/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\SPYWAR~1\swdoctor.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\Bill\Desktop\Programs\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1144344648655
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Professional Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

    And here is the ewido anti-spyware scan report:


    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 2:04:17 PM 7/6/2006

    + Scan result:



    C:\Documents and Settings\Billy's Boo\Application Data\Uystem32\r5gsvr32.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
    [400] C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Error during cleaning.
    [412] C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Error during cleaning.
    [580] C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Error during cleaning.
    [628] C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Error during cleaning.
    [692] C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Error during cleaning.
    [736] C:\WINDOWS\system32\msiexec.dll -> Adware.PurityScan : Error during cleaning.
    C:\WINDOWS\system32\khfggeb.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\clc.exe -> Downloader.Agent.apb : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\admparsel.dll -> Downloader.Delf.ako : Cleaned with backup (quarantined).
    C:\WINDOWS\g11439250.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g11708734.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1258500.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g12640609.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g12911890.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1382171.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g14111984.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1499500.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g1503531.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g177546.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g178359.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g179218.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g181390.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g183125.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g183296.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g2460171.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g296843.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g3662921.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g4950953.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g5224234.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g6075062.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g6545062.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g7504296.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g7866500.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\g898906.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    [1032] C:\WINDOWS\g1382171.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    [348] C:\WINDOWS\g1382171.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\rdgUS2404.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\rdgUS2404.exe -> Downloader.Obfuscated.n : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
    C:\Program Files\œVcrosoft\dexplore.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@eztracks.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
    C:\Documents and Settings\Bill\Cookies\bill@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@citi.bridgetrack[1].txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\Dre\Cookies\dre@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\guest@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
    C:\Documents and Settings\Dre\Cookies\dre@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
    C:\Documents and Settings\Billy's Boo\Cookies\billy's boo@sales.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
    C:\Documents and Settings\Bill\Cookies\bill@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
    C:\Documents and Settings\Bill\Cookies\bill@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).


    ::Report end

    As you can see, it looks like there are still some problems somewhere. I appreciate all your help. I look forward to hearing from you. Thank you again.

    Billdoe

  4. #4
    Member 1972vet's Avatar
    Join Date
    Mar 2006
    Posts
    275
    Points
    35

    Default

    From what I can read of it, that log looks much better. Your log was not formatted well and is difficult to read. We'll fix that later. Those files that you could not locate have already been removed so let's not worry about them.

    We need to disable some of your protective software as it may interfere with this fix.

    Disable your Symantec Script Blocking from within your Norton so it does not interfere with anything during our fixes now or later. You can enable this whenever we have verified that your system is clean.
    To disable Norton AntiVirus Script Blocking:
    1. Start Norton AntiVirus.
    If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
    2. Click Options.
    If you see a menu, click Norton AntiVirus.
    3. In the left pane, click Script Blocking.
    4. In the right pane, uncheck Enable Script Blocking (recommended).
    5. Click OK.

    Please disable SpySweeper, as it may hinder the removal of some entries. You can re-enable it after you're clean.

    To disable SpySweeper:
    Open it, click >Options over to the left, then >program options, and uncheck "load at windows startup".
    Over to the left click "shields" and uncheck all there.
    Uncheck "home page shield".
    Uncheck "automatically restore default without notification".

    To disable Ewido Guard:
    1. Open ewido by double-clicking the yellow 'e' icon in the system tray.
    2. In the 'Your security status' section, toggle the ewido Guard realtime protection 'off' by clicking 'active', which will then change the protection status to 'inactive'.
    3. When you reboot, ewido will prompt you as to whether you would like to "Restart the guard?".
    4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.

    Let's try to clean up a bit. Please download the KILLBOX, extract it to your desktop.

    Open killbox.exe.

    First click on Tools>Delete Temp Files.
    A box will open with a list of all user profiles.

    Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

    Temporary Internet Files
    Temp Files
    XP Prefetch

    If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

    Then, click on the Button titled "Delete Selected Temp Files".
    Exit by clicking the Button titled "Exit(Save Settings)".

    Once back into the main killbox program, check the box:

    Delete on Reboot

    Highlight all the entries in the quote box below and then Copy them.
    C:\DOCUMENTS AND SETTINGS\BILLY'S BOO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QD3GTKNA\RDGUS2404[1].EXE
    C:\DOCUMENTS AND SETTINGS\BILLY'S BOO\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GTWV2P45\RDGUS2405[1].EXE
    C:\DOCUMENTS AND SETTINGS\BILLY'S BOO\LOCAL SETTINGS\APPLICATION DATA\82AAB3AF.EXE
    C:\DOCUMENTS AND SETTINGS\BILL\LOCAL SETTINGS\APPLICATION DATA\82AAB3AF.EXE
    C:\WINDOWS\SYSTEM32\CLCI.EXE

    Then in killbox click File>>Paste from Clipboard

    At this point the "All Files" button should be enabled so you can click it.
    Click the "All Files" button.

    Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes.

    A second message will ask "Reboot now?" You will need to click Yes to allow the system to reboot.
    Note: Killbox will let you know if a file does not exist.

    If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X, and for the confirmation message that will appear, you will need to click Yes. A second message will ask "Reboot now?" You will need to click No until you've entered the last one, then click "Yes" to allow the system to reboot.

    When the system comes back up, open Notepad. Click Format from the menu at the top. Make sure "Word Wrap" has a check next to it. Close Notepad.

    Post back a new HijackThis log and please advise how the system is performing for you now. Better?
    Thanks!
    Disabled Veteran
    U.S.C.G.

    CastleCops Graduate 1st Responder

    Member:
    A.S.A.P.

  5. #5
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Before posting your next hijackthis log ... while you still have it in notepad...

    Click format & untick "wordwrap" .... then click format again & re-tick "wordwrap" ... your hijackthis will post correctly then.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP
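The word-wrap problem steamwiz and 1972vet describe, and the before/after comparison a helper otherwise does by eye, as an added example that is not code from this thread or from HijackThis: a small Python parser for HijackThis v1.99 logs. The sample logs are constructed from lines quoted in this thread; the `[clci]` Run entry in the "before" sample is invented for illustration.

```python
"""Added example (not code from this thread or from HijackThis): parse
HijackThis v1.99 logs, detect a word-wrapped paste, diff a before/after pair
and flag entries a log reader looks at twice."""
import re
from typing import Dict, List, Tuple

# Entry line: a section code (R0-R3, F0-F3, O1-O24), " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<kind>[ROF]\d{1,2}) - (?P<body>.*)$")
# Running-process line: an absolute Windows path.
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: one O23 entry wrapped the way the 7/6 log in this thread
# was pasted (hard breaks inside the entry, blank lines between fragments).
WRAPPED = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
O23 - Service: Automatic

LiveUpdate Scheduler - Symantec

Corporation - C:\Program

Files\Symantec\LiveUpdate\ALUSched

ulerSvc.exe
"""

# Constructed "before" log: entries quoted in the thread plus an invented
# [clci] Run entry pointing at CLCI.EXE, one of the Killbox targets.
BEFORE = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\CLCI.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
O4 - HKLM\..\Run: [clci] C:\WINDOWS\SYSTEM32\CLCI.EXE
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# Constructed "after" log: the same machine once Killbox removed CLCI.EXE.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "CLCI.EXE" not in l) + "\n"


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Split a log into header, running processes, entries and stray lines.
    Stray lines fit no pattern once the process/entry sections have begun:
    a word-wrapped paste produces them, a clean log produces none."""
    sections: Dict[str, List[str]] = {"header": [], "processes": [], "entries": [], "stray": []}
    state = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if state == "header":
            sections["header"].append(line)
            if line.lower().startswith("running processes"):
                state = "processes"
        elif ENTRY_RE.match(line):
            state = "entries"
            sections["entries"].append(line)
        elif state == "processes" and PATH_RE.match(line):
            sections["processes"].append(line)
        else:
            sections["stray"].append(line)
    return sections


def is_wrapped(text: str) -> bool:
    """True when the paste was word-wrapped, i.e. entries were split across lines."""
    return bool(parse_hjt(text)["stray"])


def diff_entries(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) entry lines between two logs, order preserved."""
    old, new = parse_hjt(before)["entries"], parse_hjt(after)["entries"]
    old_set, new_set = set(old), set(new)
    return [e for e in old if e not in new_set], [e for e in new if e not in old_set]


def flag_entries(entries: List[str]) -> List[Tuple[str, str]]:
    """Apply the checks a log reader makes by eye; return (reason, entry) pairs."""
    flags: List[Tuple[str, str]] = []
    for entry in entries:
        kind = ENTRY_RE.match(entry).group("kind")
        if "(file missing)" in entry:
            flags.append(("registered component whose file is gone", entry))
        elif kind == "O20" and entry.endswith("\\"):
            # A Winlogon Notify entry that names only a directory is incomplete
            flags.append(("Winlogon Notify entry without a DLL name", entry))
        elif kind == "O4" and not re.search(r"[A-Za-z]:\\", entry):
            # Run entries with a bare file name are resolved through PATH
            flags.append(("Run entry with a bare executable name", entry))
    return flags


if __name__ == "__main__":
    print("wrapped paste:", is_wrapped(WRAPPED), "| clean log:", is_wrapped(AFTER))
    removed, added = diff_entries(BEFORE, AFTER)
    print("removed:", removed, "\nadded:", added)
    for reason, entry in flag_entries(parse_hjt(AFTER)["entries"]):
        print(f"[{reason}] {entry}")
```

The flags are review prompts, not verdicts: the NavLogon and msnim entries in the 7/13 log were judged harmless in this thread, but they are exactly the kind of line a helper reads twice.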

  6. #6
    Member
    Join Date
    Jul 2006
    Location
    USA
    Posts
    8
    Points
    0

    Default

    Ok, I took care of everything you asked me to do. Here is the newest HijackThis log, in both word-wrapped and non-word-wrapped format, as I was a little bit confused about which one you wanted. I hope it is readable. The system seems to be running fine; I don't see any more pop-ups. Are we good to turn SPY SWEEPER and NORTON back on? If so, is there a special way to do it? Or just undo what I did to turn them off? Thank you all for your help, this website is a godsend.



    Logfile of HijackThis v1.99.1
    Scan saved at 3:32:52 PM, on 7/13/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    C:\Program Files\HP\QuickPlay\QPService.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\PROGRA~1\HPQ\SHARED\HPQTOA~1.EXE
    C:\Documents and Settings\Bill\Desktop\Programs\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Bill\Desktop\KillBox\KillBox.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /nodetect
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] CHDAudPropShortcut.exe
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
    O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
    O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...l/SymAData.cab
    O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - https://www-secure.symantec.com/tech...rl/tgctlsi.cab
    O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...rl/tgctlsr.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by116fd.bay116.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1144344648655
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\ccPxySvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Internet Security Professional Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security Professional\NISUM.EXE
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe



  7. #7
    Member 1972vet's Avatar
    Join Date
    Mar 2006
    Posts
    275
    Points
    35

    Default

    Sorry I didn't respond sooner, but I didn't get the email notification on 7/13 that you responded. Must be a forum glitch.

    Congratulations, your log looks clean! Don't forget to re-enable the protective software that we disabled for the fix.
    1. Start Norton AntiVirus.
    If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
    2. Click Options.
    If you see a menu, click Norton AntiVirus.
    3. In the left pane, click Script Blocking.
    4. In the right pane, check Enable Script Blocking (recommended).
    5. Click OK, then close the application.

    Open Spy Sweeper, click "Options" over to the left, then "Program Options", and check "Load at Windows startup".
    Over to the left click "Shields" and check all there.
    Check "Home Page Shield".
    Check "Automatically restore default without notification".

    Open ewido. The main "Status" menu will appear. Select "Change state" to activate 'Resident Shield' and 'Automatic Updates'. Right-click on ewido in the system tray and check "Start with Windows".

    Now that your system is clean, let's create a new restore point.
    Please click "Start > Programs > Accessories > System Tools > System Restore"
    In the new window, check the 'Create a restore point' in the right pane and click "Next".
    In the "Restore point description" textbox, name your restore point to something you will easily recognize. I recommend something like yyyymmdd_Clean (ex. 20060101_Clean)
    Click "Create" and reboot your computer.

    In the future, there are some things you can do to prevent spyware infections:

    Install the following freeware programs:
    SpywareGuard
    Spywareblaster

    Keep your anti-virus and spyware definitions up to date. Be sure to scan often.

    Stay updated with the most recent Windows patches using
    Microsoft's Windows Update.

    Using an alternate browser can reduce your chance of certain infections installing themselves. We recommend installing Mozilla Firefox from http://www.mozilla.org

    If you still wish to use Internet Explorer, please make sure you install SpywareBlaster (from above) to protect you from most ActiveX infections.

    Run CCleaner often
    or Disk Cleanup ("Start > Programs > Accessories > System Tools > Disk Cleanup") and check off the following:
    Downloaded Program Files, Temporary Internet Files, Recycle Bin, and Temporary Files

    So how did I get infected in the first place?
    Regards, and Happy Surfing!
    Disabled Veteran
    U.S.C.G.

    CastleCops Graduate 1st Responder

    Member:
    A.S.A.P.
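The post-cleanup steps above (a dated "clean" restore point, then the Disk Cleanup subset of Downloaded Program Files, Temporary Internet Files, Recycle Bin and Temporary Files), as an added PowerShell example that is not from the original post. It assumes Windows 7 or later with the System Restore cmdlets and cleanmgr's saved profiles available, run from an elevated session; the thread itself is Windows XP, where the GUI steps stay as written. The `-PurgeOld` switch, the sageset slot number 7, and the handler-name patterns used to pick the Disk Cleanup categories are assumptions of this example.

```powershell
# Added example (not from the original post): create a dated clean restore point and run
# the Disk Cleanup subset named in the thread. Assumes Windows 7+ and an elevated session.
#Requires -RunAsAdministrator

function New-CleanRestorePoint {
    param(
        [string]$Drive = 'C:\',
        [switch]$PurgeOld   # Drop pre-cleanup restore points first; they can hold infected copies.
    )
    if ($PurgeOld) {
        # Disabling System Restore on a drive deletes that drive's existing restore points.
        Disable-ComputerRestore -Drive $Drive
    }
    Enable-ComputerRestore -Drive $Drive
    # Same naming scheme the post recommends, e.g. 20060101_Clean
    $description = '{0}_Clean' -f (Get-Date -Format 'yyyyMMdd')
    Checkpoint-Computer -Description $description -RestorePointType 'MODIFY_SETTINGS'
    return $description
}

function Invoke-DiskCleanupSubset {
    param([int]$ProfileNumber = 7)   # cleanmgr "sageset" slot; assumed unused on this machine
    # Disk Cleanup handlers are subkeys here; exact names vary by Windows version, so this
    # matches by pattern (assumption: these patterns cover the four categories in the post).
    $base   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches'
    $wanted = 'Downloaded Program Files|Internet Cache Files|Temporary Internet Files|Recycle Bin|^Temporary Files$'
    $flag   = 'StateFlags{0:D4}' -f $ProfileNumber
    $selected = @()
    foreach ($key in Get-ChildItem -Path $base) {
        # StateFlagsNNNN = 2 enables the handler for /sagerun:NNNN, 0 disables it.
        $value = if ($key.PSChildName -match $wanted) { 2 } else { 0 }
        Set-ItemProperty -Path $key.PSPath -Name $flag -Value $value -Type DWord
        if ($value -eq 2) { $selected += $key.PSChildName }
    }
    # Run the pre-selected profile without the interactive dialog.
    Start-Process -FilePath 'cleanmgr.exe' -ArgumentList "/sagerun:$ProfileNumber" -Wait
    return $selected
}

# Order matters: purge the old (possibly infected) points before creating the clean one.
$point = New-CleanRestorePoint -PurgeOld
$cleaned = Invoke-DiskCleanupSubset
"Created restore point '$point'; ran Disk Cleanup for: $($cleaned -join ', ')"
```

The purge-then-create order is the security-relevant detail: a restore point taken while the machine was infected can hand the infection straight back on a later restore, so the old points should go before the clean one is recorded. Two caveats: Windows 8 and later will by default not create a second restore point within 24 hours of the previous one, so the `Checkpoint-Computer` call can be a silent no-op on a machine that just took one; and `cleanmgr /sagerun` only clears what the `StateFlags` values enable, so inspect the returned handler list if a category you expected is missing.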