Spyware Removal Tips/Tools

  • Bing Fung
    Ultra Senior Member
    • Aug 2000
    • 6521

    #46
    Hey Kevin, need some help here please.... What do you see? 8)


    Logfile of HijackThis v1.99.1
    Scan saved at 7:30:24 AM, on 07/06/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    c:\windows\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\ESSSPK.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\ATICWD32.EXE
    C:\WINDOWS\SYSTEM\ATITASK.EXE
    C:\PROGRAM FILES\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATECD50.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SYSTEM\LVCOMS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
    C:\WINDOWS\TEMP\AUQOHMSY.EXE
    C:\WINDOWS\SYSTEM\ROZSYGG.EXE
    C:\WINDOWS\SYSTEM\CHS.EXE
    C:\WINDOWS\SYSTEM\DMIME545.EXE
    C:\PROGRAM FILES\MSN APPS\UPDATER\01.02.3000.1001\EN-CA\MSNAPPAU.EXE
    C:\WINDOWS\SYSTEM\DIBEDIT.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\SYSTEM\CHS.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\NOXOVLOH.EXE
    C:\WINDOWS\SYSTEM\DEVME545.EXE
    C:\WINDOWS\SYSTEM\E_SICN03.EXE
    C:\PROGRAM FILES\MAAR\OLAS.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\REALITY FUSION\REALITY FUSION GAMECAM SE\PROGRAM\RFTRAY.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\ZAWM8.EXE
    C:\WINDOWS\SYSTEM\NGUTS.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - Default URLSearchHook is missing
    F1 - win.ini: load=essspk.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {FB8C57E3-BC57-96A4-2454-EA5B572963C0} - C:\WINDOWS\SYSTEM\UCJCC.DLL
    O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-CA\MSNTB.DLL
    O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\PROGRAM FILES\MSN APPS\ST\01.03.0000.1005\EN-XU\STMAIN.DLL
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\PROGRAM FILES\MSN APPS\MSN TOOLBAR\01.02.4000.1001\EN-CA\MSNTB.DLL
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
    O4 - HKLM\..\Run: [AtiKey] Atitask.exe
    O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
    O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Auqohmsy] C:\WINDOWS\TEMP\AUQOHMSY.EXE
    O4 - HKLM\..\Run: [Rozsygg] C:\WINDOWS\SYSTEM\ROZSYGG.EXE
    O4 - HKLM\..\Run: [Chs.exe] C:\WINDOWS\SYSTEM\CHS.EXE
    O4 - HKLM\..\Run: [ae89a7e9a66a] C:\WINDOWS\SYSTEM\DMIME545.exe
    O4 - HKLM\..\Run: [3JXCFZM565W7N4] C:\WINDOWS\SYSTEM\Rep78k13.exe
    O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
    O4 - HKLM\..\Run: [om4i36O] DIBEDIT.EXE
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\Run: [Hixhmnes] C:\WINDOWS\SYSTEM\noxovloh.exe
    O4 - HKCU\..\Run: [ZDvsRWime] DEVME545.EXE
    O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\SYSTEM\E_SICN03.EXE /A "C:\WINDOWS\SYSTEM\E_S8204.TMP"
    O4 - HKCU\..\Run: [Eeos] C:\Program Files\maar\olas.exe
    O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
    O4 - Startup: PowerReg SchedulerV2.exe
    O4 - Startup: Reality Fusion GameCam SE.lnk = C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
    O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net...ATPartners.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/...s/MsnPUpld.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...67&clcid=0x409
    Bing


    • Kevin P
      Member
      • Aug 2000
      • 10809

      #47
      Bing, what scan tools did you run, just curious.

      I'd like you to submit the following files to http://virusscan.jotti.org and see if they report back as infected. The reason being that they may be legitimate Windows files, but they could also be viruses or trojan horses.

      C:\WINDOWS\SYSTEM\INTERNAT.EXE
      C:\WINDOWS\TASKMON.EXE


      Anyway, you should remove the following items in Hijack This. Do it in Safe Mode if possible.

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\SYSTEM\SearchBar.htm
      R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

      R3 - Default URLSearchHook is missing

      O2 - BHO: (no name) - {FB8C57E3-BC57-96A4-2454-EA5B572963C0} - C:\WINDOWS\SYSTEM\UCJCC.DLL
      O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

      O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
      O4 - HKLM\..\Run: [Auqohmsy] C:\WINDOWS\TEMP\AUQOHMSY.EXE
      O4 - HKLM\..\Run: [Rozsygg] C:\WINDOWS\SYSTEM\ROZSYGG.EXE
      O4 - HKLM\..\Run: [Chs.exe] C:\WINDOWS\SYSTEM\CHS.EXE
      O4 - HKLM\..\Run: [ae89a7e9a66a] C:\WINDOWS\SYSTEM\DMIME545.exe
      O4 - HKLM\..\Run: [3JXCFZM565W7N4] C:\WINDOWS\SYSTEM\Rep78k13.exe
      O4 - HKLM\..\Run: [om4i36O] DIBEDIT.EXE
      O4 - HKCU\..\Run: [Hixhmnes] C:\WINDOWS\SYSTEM\noxovloh.exe
      O4 - HKCU\..\Run: [ZDvsRWime] DEVME545.EXE
      O4 - HKCU\..\Run: [Eeos] C:\Program Files\maar\olas.exe

      O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
      O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe
      O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\SYSTEM\maxspeed.exe

      The following entries can be deleted to increase performance as they aren't required, but they aren't spyware entries.

      O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.02.3000.1001\en-ca\msnappau.exe"
      O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
      O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

      Also delete the following files and/or folders afterward. If you find other files with the same date/time stamps in the same folders as these files that look suspicious, move them into a temporary folder and if the system runs normally, delete them.

      C:\WINDOWS\SYSTEM\SearchBar.htm
      C:\WINDOWS\SYSTEM\UCJCC.DLL
      C:\WINDOWS\p_981116.exe /Q:A
      C:\WINDOWS\TEMP\AUQOHMSY.EXE (actually, empty the entire C:\Windows\Temp folder).
      C:\WINDOWS\SYSTEM\ROZSYGG.EXE
      C:\WINDOWS\SYSTEM\CHS.EXE
      C:\WINDOWS\SYSTEM\DMIME545.exe
      C:\WINDOWS\SYSTEM\Rep78k13.exe
      C:\WINDOWS\DIBEDIT.EXE (may also be in C:\WINDOWS\SYSTEM)
      C:\WINDOWS\SYSTEM\noxovloh.exe
      C:\WINDOWS\DEVME545.EXE (may also be in C:\WINDOWS\SYSTEM)
      C:\Program Files\maar and all files/folders within
      C:\WINDOWS\SYSTEM\maxspeed.exe

      After cleaning off this stuff, reboot into normal mode and run Hijack This again to make sure no entries were missed, or new entries didn't get created by some unremoved piece of crapware.

      Comment
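An added example (not part of the thread, and not code from HijackThis or any poster) of the re-scan check described at the end of post #47: it parses two HijackThis logs and reports which entries from the fix list are still present and which entries are new. The `before` lines are excerpted from the log in post #46; the `after` log and the `ExampleNew` entry are constructed for illustration.

```python
import re

# One HijackThis result line: section code (R0, F1, O4, O23, N4 ...), " - ", details.
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")


def entry_key(section, body):
    """Comparison key: case-insensitive, all whitespace removed.

    Logs pasted into forums can pick up stray spaces inside long tokens,
    and Windows paths and registry names are case-insensitive.
    """
    return section + "|" + re.sub(r"\s+", "", body).lower()


def parse_entries(log_text):
    """Return {key: original line} for every result line in a log."""
    entries = {}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[entry_key(m.group(1), m.group(2))] = line.strip()
    return entries


def compare_scans(before_log, after_log, fix_list):
    """Compare the first scan, the post-cleanup scan, and the list of entries to fix."""
    before = parse_entries(before_log)
    after = parse_entries(after_log)
    to_fix = parse_entries(fix_list)
    return {
        # Fix-list lines that never appeared in the first scan (copy/paste errors).
        "not_in_first_scan": sorted(v for k, v in to_fix.items() if k not in before),
        # Entries that survived removal or were re-created after the reboot.
        "still_present": sorted(after[k] for k in to_fix if k in after),
        "removed": sorted(v for k, v in to_fix.items() if k in before and k not in after),
        # Anything that appeared only after cleanup deserves a second look.
        "new_since_first_scan": sorted(v for k, v in after.items() if k not in before),
    }


# Excerpt of the first scan (lines taken from the log in post #46).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {FB8C57E3-BC57-96A4-2454-EA5B572963C0} - C:\WINDOWS\SYSTEM\UCJCC.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Auqohmsy] C:\WINDOWS\TEMP\AUQOHMSY.EXE
O4 - HKLM\..\Run: [Chs.exe] C:\WINDOWS\SYSTEM\CHS.EXE
"""

# Entries the helper asked to remove (subset of the list in post #47).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {FB8C57E3-BC57-96A4-2454-EA5B572963C0} - C:\WINDOWS\SYSTEM\UCJCC.DLL
O4 - HKLM\..\Run: [Auqohmsy] C:\WINDOWS\TEMP\AUQOHMSY.EXE
O4 - HKLM\..\Run: [Chs.exe] C:\WINDOWS\SYSTEM\CHS.EXE
"""

# Constructed second scan: one entry survived and one new entry appeared.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [Chs.exe] C:\WINDOWS\SYSTEM\CHS.EXE
O4 - HKLM\..\Run: [ExampleNew] C:\WINDOWS\SYSTEM\EXAMPLE.EXE
"""


def demo():
    return compare_scans(BEFORE_LOG, AFTER_LOG, FIX_LIST)


if __name__ == "__main__":
    for heading, lines in demo().items():
        print(heading)
        for line in lines:
            print("   ", line)
```
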
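An added example (not from the thread) of the timestamp tip in post #47: for each known-bad file it lists other files in the same folder modified within a short window, then moves the ones you choose into a holding folder while recording where they came from. The 120-second window, the holding-folder layout and the `DROPPED.DLL` file are assumptions; the demo builds a constructed temporary directory and touches nothing else.

```python
import os
import shutil
import tempfile


def same_timestamp_siblings(known_bad, window_seconds=120):
    """Map each known-bad path to files in its folder modified within the window."""
    known = {os.path.normcase(os.path.abspath(p)) for p in known_bad}
    hits = {}
    for path in known_bad:
        try:
            ref_mtime = os.stat(path).st_mtime
        except OSError:
            continue  # already deleted or unreadable: nothing to compare against
        folder = os.path.dirname(os.path.abspath(path))
        near = []
        with os.scandir(folder) as it:
            for entry in it:
                full = os.path.normcase(os.path.abspath(entry.path))
                if full in known or not entry.is_file(follow_symlinks=False):
                    continue
                mtime = entry.stat(follow_symlinks=False).st_mtime
                if abs(mtime - ref_mtime) <= window_seconds:
                    near.append(entry.name)
        hits[path] = sorted(near)
    return hits


def quarantine(paths, holding_dir):
    """Move files into holding_dir; return {new_path: original_path} for restoring."""
    os.makedirs(holding_dir, exist_ok=True)
    moved = {}
    for i, src in enumerate(paths):
        # Index prefix avoids collisions between same-named files from different folders.
        dst = os.path.join(holding_dir, f"{i:03d}_{os.path.basename(src)}")
        shutil.move(src, dst)
        moved[dst] = src
    return moved


def demo():
    """Constructed layout: one flagged file, one near-in-time sibling, one old file."""
    root = tempfile.mkdtemp(prefix="hjt_demo_")
    system = os.path.join(root, "SYSTEM")
    os.mkdir(system)
    t0 = 1120000000  # arbitrary reference time for the constructed files
    layout = {
        "CHS.EXE": t0,                       # flagged in the log
        "DROPPED.DLL": t0 + 30,              # constructed: written 30 s later
        "KERNEL32.DLL": t0 - 200 * 86400,    # long-standing system file
    }
    for name, mtime in layout.items():
        p = os.path.join(system, name)
        with open(p, "wb") as f:
            f.write(b"x")
        os.utime(p, (mtime, mtime))
    bad = os.path.join(system, "CHS.EXE")
    hits = same_timestamp_siblings([bad])
    moved = quarantine([os.path.join(system, n) for n in hits[bad]],
                       os.path.join(root, "HOLD"))
    held = sorted(os.path.basename(d) for d in moved)
    return hits[bad], held, sorted(os.listdir(system))


if __name__ == "__main__":
    print(demo())
```

A timestamp match is only a lead for review, not proof that a file is malicious, which is why the files are moved to a holding folder first and deleted only after the system has run normally.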

      • Bing Fung
        Ultra Senior Member
        • Aug 2000
        • 6521

        #48
        Kevin, I have run CWShredder, Spybot and Adaware 6 & SE. AW6 was already on the PC but was ineffective, so I updated to SE. SE will not run fully as I get many Windows errors.

        I uploaded the above Hijack log and no problems were detected.

        I'll run through the items you have noted and see where it goes.

        Thanks :T
        Bing


        • taz13
          Senior Member
          • Jun 2004
          • 930

          #49
          One other thing, Bing: shut down System Restore and check that there are still no problems. If no problems, restart and turn System Restore back on and create a clean restore point.
          The day is not complete if something new is not learnt.
          Taz/Rick/Richard/Ricardo


          • Bing Fung
            Ultra Senior Member
            • Aug 2000
            • 6521

            #50
            Smart thinking Taz, I'm one step ahead


            There is no system restore in Win 98 :lol: It was introduced in ME. It's kind of strange to be working with Windows 98 again :lol:
            Bing


            • taz13
              Senior Member
              • Jun 2004
              • 930

              #51
              Forgot, I used Roxio GoBack way back when.
              The day is not complete if something new is not learnt.
              Taz/Rick/Richard/Ricardo


              • Bing Fung
                Ultra Senior Member
                • Aug 2000
                • 6521

                #52
                Taz Classics :T I was sorting through all my data CDs and general crap last night and saw many golden oldies. EZ CD 3, Adobe Photo, Windows 95 on floppy :lol: Pitch-Ola!


                Kevin, that worked well, thanks for help on this! :amen:
                Bing


                • thyname
                  Senior Member
                  • Jan 2005
                  • 358

                  #53
                  Hi Kevin;

                  I constantly run Spyware Doctor and Adaware, always running them for updates. Here is what my HijackThis comes up with. I would really appreciate your help!!

                  Logfile of HijackThis v1.99.1
                  Scan saved at 12:00:26 PM, on 6/10/2005
                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\System32\Ati2evxx.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\WINDOWS\system32\LEXBCES.EXE
                  C:\WINDOWS\system32\LEXPPS.EXE
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
                  c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
                  C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
                  C:\WINDOWS\System32\svchost.exe
                  c:\PROGRA~1\mcafee.com\vso\mcshield.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                  C:\WINDOWS\System32\PRISMSVR.EXE
                  C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
                  C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
                  C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
                  C:\Program Files\Dell\Media Experience\PCMService.exe
                  C:\WINDOWS\system32\dla\tfswctrl.exe
                  C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe
                  C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
                  C:\PROGRA~1\mcafee.com\agent\mcagent.exe
                  C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
                  C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                  C:\Program Files\QuickTime\qttask.exe
                  C:\Program Files\Dell AIO Printer A940\dlbabmon.exe
                  C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
                  C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
                  C:\Program Files\iTunes\iTunesHelper.exe
                  C:\Program Files\Dell Support\DSAgnt.exe
                  c:\progra~1\mcafee.com\vso\mcvsescn.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
                  C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
                  C:\Program Files\iPod\bin\iPodService.exe
                  C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
                  C:\DOCUME~1\Skerdi\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netaddress.com/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
                  O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
                  O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
                  O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
                  O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
                  O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
                  O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
                  O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
                  O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
                  O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
                  O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
                  O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
                  O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
                  O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
                  O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
                  O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
                  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
                  O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
                  O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
                  O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
                  O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
                  O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
                  O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
                  O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
                  O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
                  O4 - HKLM\..\Run: [Dell AIO Printer A940] "C:\Program Files\Dell AIO Printer A940\dlbabmgr.exe"
                  O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
                  O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
                  O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
                  O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
                  O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
                  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                  O4 - HKLM\..\Run: [eBayToolbar] C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
                  O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
                  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Adobe Acrobat 6.0\Distillr\acrotray.exe
                  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                  O4 - Global Startup: Image Transfer.lnk = ?
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                  O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
                  O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
                  O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
                  O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
                  O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
                  O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                  O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                  O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-17.cab
                  O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
                  O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/check/nets...l/gtdownls.cab
                  O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/...21/mcgdmgr.cab
                  O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
                  O23 - Service: .nloos - - (no file)
                  O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                  O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
                  O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
                  O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
                  O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                  O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
                  O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
                  O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
                  O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
                  O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe


                  • Marzen
                    Senior Member
                    • Jul 2005
                    • 302

                    #54
                    Has anyone discovered how to remove the newest VX2 spyware BHO? I run the latest versions of Adaware w/ VX2 plug-in, X-cleaner, PestPatrol, & Freedom. Only the latter will detect the 'nocontnt.GID' spawn & remove it. Of course it regenerates on reboot. I ran the usual gamut of sweeping/searching after a full boot & safe mode. Note, this version doesn't generate an IEHelper.dll file. I'm beginning to think it's embedded in another program. I may have to start up each auto boot program individually & scan after each one. Jeez, what a time-consuming PITA! Below is a recent HijackThis Log:

                    Logfile of HijackThis v1.99.1
                    Scan saved at 5:59:11 AM, on 9/3/2005
                    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                    Running processes:
                    C:\WINNT\System32\smss.exe
                    C:\WINNT\system32\winlogon.exe
                    C:\WINNT\system32\services.exe
                    C:\WINNT\system32\lsass.exe
                    C:\WINNT\system32\svchost.exe
                    C:\WINNT\system32\LEXBCES.EXE
                    C:\WINNT\system32\spoolsv.exe
                    C:\WINNT\System32\cisvc.exe
                    C:\Program Files\Common Files\Command Software\dvpapi.exe
                    C:\WINNT\System32\svchost.exe
                    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
                    C:\WINNT\system32\nvsvc32.exe
                    C:\WINNT\system32\regsvc.exe
                    C:\WINNT\system32\MSTask.exe
                    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
                    C:\WINNT\System32\WBEM\WinMgmt.exe
                    C:\WINNT\system32\svchost.exe
                    C:\WINNT\Explorer.EXE
                    C:\WINNT\system32\RUNDLL32.EXE
                    C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
                    C:\Program Files\Microsoft IntelliType Pro\type32.exe
                    C:\WINNT\system32\ctfmon.exe
                    C:\Program Files\Netscape\Netscape Browser\netscape.exe
                    C:\WINNT\System32\cidaemon.exe
                    C:\WINNT\System32\cidaemon.exe
                    C:\Documents and Settings\Gaucho1\Desktop\hijackthis\HijackThis.exe

                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.ebay.com/ws/eBayISAPI.dll?...%3AMYEBAY%3AUS
                    N4 - Mozilla: user_pref("browser.startup.homepage", "http://my.yahoo.com/index.html"); (C:\Documents and Settings\Gaucho1\Application Data\Mozilla\Profiles\default\1a2gh54g.slt\prefs.js)
                    N4 - Mozilla: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gaucho1\Application Data\Mozilla\Profiles\default\1a2gh54g.slt\prefs.js)
                    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                    O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\Freedom\pkR.dll
                    O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\Freedom\FreeBHOR.dll
                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
                    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
                    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
                    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
                    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
                    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NvMcTray.dll,NvTaskbarInit
                    O4 - HKLM\..\Run: [Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
                    O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
                    O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\Freedom\IndexCleanerR.exe"
                    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NVMCTRAY.DLL,NvTaskbarInit
                    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
                    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
                    O4 - HKCU\..\Run: [AuctionNavigator] C:\Program Files\RKD\AuctionNavigator\AuctionNavigator.exe
                    O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Zero Knowledge\Freedom\IndexCleanerR.exe"
                    O8 - Extra context menu item: Add all items to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/202
                    O8 - Extra context menu item: Add this item to the auction list - res://C:\Program Files\RKD\AuctionNavigator\BidCtxtClick.dll/201
                    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/14939218...p/RdxIE601.cab
                    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
                    O20 - Winlogon Notify: nwprovau - C:\WINNT\SYSTEM32\nwprovau.dll
                    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
                    O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
                    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
                    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
                    O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
                    What if the Hokey Pokey really IS what it's all about?

                    • Kevin P
                      Member
                      • Aug 2000
                      • 10809

                      #55
                      I usually use VX2Finder which can be downloaded from here, as well as the Lavasoft VX2 tool (make sure to download the latest version). There are other tools out there too. If these don't work, let me know and I'll dig up some more.

                      VX2 can be difficult to remove, and not all traces show up in Hijack This logs.

                      Your Hijack This log looks clean to me.

                      • Marzen
                        Senior Member
                        • Jul 2005
                        • 302

                        #56
                        Thanks, here's the VX2Finder log, not sure if it's good or bad:

                        Log for VX2.BetterInternet File Finder (ALL)

                        Files Found---

                        Additional Files---

                        Keys Under Notify---
                        crypt32chain
                        cryptnet
                        cscdll
                        nwprovau
                        sclgntfy
                        SensLogn
                        wzcnotif


                        Guardian Key--- is called:

                        Guardian Key--- :

                        User Agent String---
                        What if the Hokey Pokey really IS what it's all about?

                        • bigburner
                          Super Senior Member
                          • May 2005
                          • 2649

                          #57
                          I think that you guys should consider installing Microsoft AntiSpyware. Whilst Adaware and Spybot are good products for removing spyware, Microsoft AntiSpyware is the best product on the market for preventing spyware from getting on your PC in the first place.

                          I work for a multi-national IT company with 150,000 employees, and I received this advice from colleagues whom I regard as subject matter experts in this field. Since installing Microsoft AntiSpyware I have experienced minimal spyware infestation.

                          And no, I'm not a Microsoft bigot...

                          You can get this software from http://www.microsoft.com/downloads/d...displaylang=en

                          • Mitchell
                            Senior Member
                            • Sep 2004
                            • 202

                            #58
                            I installed Mozilla Firefox on the advice of a friend and it seems to have solved most of the problems I had with popups, which were horrible.
                            Mitchell

                            • GregoriusM
                              Super Senior Member
                              • Oct 2000
                              • 2755

                              #59
                              Help!!!

                              Hey, geeks! :B

                              Here is my Hijack log.

                              I have a trojan, virus, worm, screwy app, or something like that that opens up my default browser and goes to a "spyware" download page... then if you leave it long enough, it goes to an adult site, and then goes to another spyware site on the same domain, then to a gambling site, back to the same domain for different spyware, etc.

                              Here are the URLs for where the spyware goes when it launches my browser, which is Avant browser, which uses IE as its foundation. I don't think they will do anything with me posting them here unless you click on them.

                              Also, I get a flashing Alert in the bottom right of my toolbar (just like the icon I put on this post), a pop-up from the toolbar that says it has detected 4 spyware apps, and what they can do to my system, and to click on the pop-up for help... yeah, sure, it goes to one of the sites. I get another flashing Application icon in the toolbar.

                              I've restarted with system restore turned off and in safe mode, and the dang flashing-icon app. still loads and is the only app showing in the toolbar on the right.

                              I've used Spybot Search and Destroy, AdAware, Norton AntiVirus (which detects a worm when I restart, says it has deleted it, but something is still there), Anti Trojan Elite, which stops scanning after about 60,000 files, Windows Defender. Nothing works.

                              Here are the URLs, with http://www. removed so you can't click on them and go to the site.

                              Your help would be greatly, hugely appreciated!!!!

                              - Greg

                              -------


                              Logfile of HijackThis v1.99.1
                              Scan saved at 11:47:43 PM, on 24/05/2006
                              Platform: Windows XP SP2 (WinNT 5.01.2600)
                              MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                              Running processes:
                              C:\WINDOWS\System32\smss.exe
                              C:\WINDOWS\system32\winlogon.exe
                              C:\WINDOWS\system32\services.exe
                              C:\WINDOWS\system32\lsass.exe
                              C:\WINDOWS\system32\svchost.exe
                              C:\Program Files\Windows Defender\MsMpEng.exe
                              C:\WINDOWS\System32\svchost.exe
                              C:\Program Files\Ahead\InCD\InCDsrv.exe
                              C:\WINDOWS\Explorer.EXE
                              C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                              C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                              C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                              C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                              C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                              C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                              C:\WINDOWS\system32\spoolsv.exe
                              C:\WINDOWS\system32\atmclk.exe
                              C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                              C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                              C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                              C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
                              C:\Program Files\Launch Manager\QtZgAcer.EXE
                              C:\Program Files\iTunes\iTunesHelper.exe
                              C:\Program Files\Ahead\InCD\InCD.exe
                              C:\WINDOWS\system32\hkcmd.exe
                              C:\acer\epm\epm-dm.exe
                              C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                              C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe
                              C:\Acer\eManager\anbmServ.exe
                              C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
                              C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
                              C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
                              C:\Program Files\MSN Messenger\MsnMsgr.Exe
                              C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
                              C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
                              C:\Program Files\palmOne\AlarmApp.exe
                              C:\Program Files\palmOne\HOTSYNC.EXE
                              C:\Program Files\ePrompter\ePrompter.exe
                              C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
                              C:\Program Files\acer\eRecovery\Monitor.exe
                              C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
                              C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
                              C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
                              C:\WINDOWS\System32\snmp.exe
                              C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
                              C:\WINDOWS\system32\svchost.exe
                              C:\Program Files\iPod\bin\iPodService.exe
                              C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                              C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
                              C:\Program Files\Anti Trojan Elite\TJEnder.exe
                              C:\Program Files\Mozilla Firefox\firefox.exe
                              C:\DOCUME~1\Greg\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
                              C:\Program Files\Messenger\msmsgs.exe

                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
                              R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.shaw.ca/start/enca/addons/search/
                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
                              R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
                              R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
                              R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
                              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by SHAW Internet
                              O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                              O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
                              O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
                              O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp40F7.tmp
                              O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
                              O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
                              O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
                              O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                              O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                              O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                              O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
                              O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
                              O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
                              O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
                              O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                              O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
                              O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
                              O4 - HKLM\..\Run: [LaunchApp] Alaunch
                              O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                              O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                              O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
                              O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                              O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                              O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
                              O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
                              O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
                              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                              O4 - HKLM\..\Run: [AWMON] "C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe"
                              O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
                              O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
                              O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
                              O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
                              O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
                              O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
                              O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
                              O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
                              O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
                              O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
                              O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\palmOne\AlarmApp.exe
                              O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                              O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
                              O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
                              O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
                              O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
                              O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
                              O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
                              O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
                              O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
                              O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
                              O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
                              O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
                              O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
                              O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
                              O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
                              O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                              O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...fit/index.aspx
                              O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135209311258
                              O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
                              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146381423474
                              O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
                              O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
                              O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
                              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                              O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
                              O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
                              O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                              O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
                              O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                              O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                              O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
                              O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
                              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                              O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                              O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                              O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
                              O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
                              O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
                              O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                              O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
                              O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                              O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                              O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
                              O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                              .
                              Gregor

                              • Hdale85
                                Moderator Emeritus
                                • Jan 2006
                                • 16075

                                #60
                                Well, there's your problem: you're using Norton. Download a trial version of Spysweeper; it's what I use, and I have never had an infection, and I do a lot of p2p downloading. Just try it out, do a sweep, and see if it fixes it or what not. If not, no harm done.

                                • GregoriusM
                                  Super Senior Member
                                  • Oct 2000
                                  • 2755

                                  #61
                                  Well, the daily "quick scan" by NAV actually found the bugger since I posted that, and I selected "Remove" and I'm back in business!

                                  I will download Spysweeper just in case I have some other stuff on my notebook that is doing nefarious things that aren't so obvious!

                                  Thanks!!!
                                  .
                                  Gregor

                                  • Hdale85
                                    Moderator Emeritus
                                    • Jan 2006
                                    • 16075

                                    #62
                                    I never liked Norton stuff much, and people don't usually know better because it comes with their computers. I use Spysweeper for spyware and AVG Free Edition for viruses, and I never have any problems. They run automatically at like 8am and update automatically. I haven't had a virus or serious spyware problem in a long, long time.

                                    • GregoriusM
                                      Super Senior Member
                                      • Oct 2000
                                      • 2755

                                      #63
                                      Well, Spy Sweeper found two HIGH RISK spyware in my computer, but it is the same as Spy Doctor, you have to buy them.

                                      I'm too broke to buy anything right now, so I'll have to put up with NAV getting one of them, and the other two screwing me up for the next while.

                                      Thanks again!
                                      .
                                      Gregor

                                      • Kevin P
                                        Member
                                        • Aug 2000
                                        • 10809

                                        #64
                                        Grego, grab Windows Defender (formerly MS AntiSpyware) and install/run that (you can get it from download.microsoft.com). Then post another Hijack This log. We'll get whatever's left over.

                                        Also, have you run Ad-Aware and Spybot Search & Destroy yet? CWShredder?

                                        • Hdale85
                                          Moderator Emeritus
                                          • Jan 2006
                                          • 16075

                                          #65
                                          Well, the SpySweeper site has a glitch in it. There's an upgrade part where you put in an email address and then put in a new email address, and they send you your key and everything in the email. And it works because people are so paranoid, so you can put in like BlahBlah@Blah.com for the old email address (because some idiot used it to register) and then put in yours for the new one, and they will send you a link to download the full version and send you a key good for 1 year :rofl: My friend discovered this; was rather interesting.

                                          Here we go found the page to do it

                                          • GregoriusM
                                            Super Senior Member
                                            • Oct 2000
                                            • 2755

                                            #66
                                            Thanks guys!

                                            Shall do!
                                            .
                                            Gregor

                                            • autio
                                              Senior Member
                                              • Mar 2005
                                              • 118

                                              #67
                                              I have been fighting with this spyware for about three days (boy am I frustrated). I have Spybot, AOL spyware protection, HijackThis, Norton 2006, Microsoft Defender, Ad-Aware, CWShredder, EZ Armor, SpywareBlaster, among others!!! I would really appreciate it if anyone could help me!


                                              Running processes:
                                              C:\WINDOWS\System32\smss.exe
                                              C:\WINDOWS\System32\winlogon.exe
                                              C:\WINDOWS\system32\services.exe
                                              C:\WINDOWS\system32\lsass.exe
                                              C:\WINDOWS\system32\svchost.exe
                                              C:\WINDOWS\System32\svchost.exe
                                              C:\WINDOWS\system32\spoolsv.exe
                                              C:\WINDOWS\Explorer.EXE
                                              C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
                                              C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
                                              C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                                              C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
                                              C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                                              C:\WINDOWS\system32\drivers\dcfssvc.exe
                                              C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
                                              C:\Program Files\Norton AntiVirus\navapsvc.exe
                                              C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                                              C:\WINDOWS\System32\nvsvc32.exe
                                              C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                                              C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                                              C:\WINDOWS\System32\svchost.exe
                                              C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                                              C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
                                              C:\WINDOWS\wanmpsvc.exe
                                              C:\WINDOWS\system32\fxssvc.exe
                                              C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                                              C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                                              C:\Program Files\Common Files\Real\Update_OB\realsched.exe
                                              C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
                                              C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
                                              C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                                              C:\Program Files\Windows Defender\MsMpEng.exe
                                              C:\Program Files\Windows Defender\MSASCui.exe
                                              C:\WINDOWS\system32\wuauclt.exe
                                              C:\Program Files\Internet Explorer\iexplore.exe
                                              C:\WINDOWS\System32\tdopaiou.exe
                                              C:\Program Files\Messenger\msmsgs.exe
                                              C:\Documents and Settings\Lee\Desktop\spy and virus\HijackThis.exe

                                              R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
                                              R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
                                              R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
                                              F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\atuid.exe
                                              O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                              O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                                              O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nst2B.dll
                                              O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmyeqk.dll
                                              O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                              O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
                                              O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                                              O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
                                              O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
                                              O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
                                              O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
                                              O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                              O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
                                              O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                                              O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                                              O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
                                              O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
                                              O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                              O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
                                              O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
                                              O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled
                                              O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
                                              O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                              O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                              O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
                                              O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
                                              O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
                                              O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
                                              O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
                                              O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                              O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                              O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
                                              O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
                                              O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
                                              O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                                              O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
                                              O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102514210926
                                              O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148652866750
                                              O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/pl...IM.9.5.1.8.cab
                                              O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
                                              O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
                                              O20 - AppInit_DLLs: iniwin32.dll,direct32.dll
                                              O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                              O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                                              O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
                                              O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
                                              O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
                                              O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                                              O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
                                              O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                                              O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                                              O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
                                              O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                                              O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                              O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
                                              O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
                                              O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
                                              O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
                                              O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
                                              O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
                                              O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                                              O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                                              O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
                                              O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
                                              O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                                              O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                                              O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                                              O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
                                              O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


                                              • Kevin P
                                                Member
                                                • Aug 2000
                                                • 10809

                                                #68
                                                Autio, the first thing I noticed is you have Norton and eTrust Antivirus both running. Having more than one antivirus running in resident mode can cause conflicts. I recommend dumping Norton and keeping eTrust.

                                                Also, it looks like you have both Norton and McAfee firewalls running; this too can cause conflicts. Uninstalling Norton will prevent this as well.

                                                I found SafeSurfing and e2give entries in there (spyware).

                                                Run HijackThis again (preferably with nothing else running; Safe Mode is even better), check off the entries I listed below, click Fix, let it do its thing, then reboot and run/post another log just to be safe. Also delete the files I listed at the bottom of this post.

                                                F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\atuid.exe

                                                O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nst2B.dll
                                                O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\System32\irsmyeqk.dll

                                                (optional) O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

                                                (optional) O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

                                                O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe

                                                O4 - Global Startup: Adobe Gamma Loader.lnk.disabled
                                                O4 - Global Startup: America Online 9.0 Tray Icon.lnk.disabled

                                                O20 - AppInit_DLLs: iniwin32.dll,direct32.dll

                                                O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)

                                                If you knowingly installed WinPCap (a packet sniffing driver), leave this entry. Otherwise, remove it and delete the associated files/folders.
                                                O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

                                                DELETE the following files:

                                                C:\WINDOWS\System32\tdopaiou.exe
                                                C:\WINDOWS\System32\atuid.exe
                                                C:\WINDOWS\System32\nst2B.dll
                                                C:\WINDOWS\System32\irsmyeqk.dll
                                                C:\WINDOWS\System32\irssyncd.exe
                                                iniwin32.dll (may be in Windows or Windows\System32)
                                                direct32.dll (may be in Windows or Windows\System32)
                                                C:\Program Files\WinPCap (delete this folder, if you didn't install WinPCap on purpose)

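The first-pass triage that the reply above does by eye, as an added Python example that is not part of the original post or of HijackThis itself: it parses HijackThis log lines and flags entries for manual review. The rules and the `AV_PATH_MARKERS` table are assumptions modeled on the entries picked out in that reply (they give leads to check, not verdicts), and the sample is a subset of lines copied from the log posted above.

```python
import re
from ntpath import dirname  # Windows path rules, whatever OS this runs on

# A subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\tdopaiou.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\atuid.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: web compressor - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - C:\WINDOWS\System32\nst2B.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\System32\irssyncd.exe
O20 - AppInit_DLLs: iniwin32.dll,direct32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")               # "O4 - ..." style lines
RUN_TARGET_RE = re.compile(r'\]\s+"?([^"]+?\.exe)', re.I)   # exe path after "[name] "

# Assumption: path fragments as they appear in the log above; extend per product.
AV_PATH_MARKERS = {
    "Norton AntiVirus": "\\norton antivirus\\",
    "eTrust EZ Antivirus": "\\etrust ez antivirus\\",
}


def parse(log):
    """Split a log into (running process paths, [(section code, entry body)])."""
    processes, entries, in_procs = [], [], False
    for raw in log.splitlines():
        line = raw.strip()
        match = ENTRY_RE.match(line)
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif match:
            entries.append((match.group(1), match.group(2)))
        elif in_procs:
            processes.append(line)
    return processes, entries


def directly_in_system32(path):
    """True when the file sits in System32 itself, not in a subfolder of it."""
    return dirname(path.strip('"')).lower() == r"c:\windows\system32"


def review(code, body):
    """Return a reason to look at the entry by hand, or None."""
    if code == "F2" and "Shell=" in body:
        extras = body.split("Shell=", 1)[1].split(",")[1:]
        if any(part.strip() for part in extras):
            return "shell line starts a program besides Explorer.exe"
    if code == "O2" and directly_in_system32(body.rsplit(" - ", 1)[-1]):
        return "BHO DLL loaded straight from System32"
    if code == "O4" and "Run:" in body:
        target = RUN_TARGET_RE.search(body)
        if target and directly_in_system32(target.group(1)):
            return "autorun executable sits directly in System32"
    if code == "O20" and body.startswith("AppInit_DLLs:"):
        if body.split(":", 1)[1].strip():
            return "AppInit_DLLs is set (DLLs injected into GUI processes)"
    if code == "O23" and body.endswith("(file missing)"):
        return "service points at a file that no longer exists"
    return None


def resident_antivirus(processes):
    """Names of antivirus products with a process running (conflict if > 1)."""
    lowered = [p.lower() for p in processes]
    return sorted(name for name, frag in AV_PATH_MARKERS.items()
                  if any(frag in p for p in lowered))


def triage(log):
    """Return [(code, reason, body)] for every entry a rule flags."""
    _, entries = parse(log)
    findings = []
    for code, body in entries:
        reason = review(code, body)
        if reason:
            findings.append((code, reason, body))
    return findings


if __name__ == "__main__":
    procs, _ = parse(SAMPLE_LOG)
    print("Resident antivirus:", ", ".join(resident_antivirus(procs)))
    for code, reason, body in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n      {body}")
```

Legitimate drivers and vendor tools also install into System32, so a flag here only means the file's publisher and origin should be checked before anything is fixed or deleted.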

                                                • GregoriusM
                                                  Super Senior Member
                                                  • Oct 2000
                                                  • 2755

                                                  #69
                                                  Some bed time reading for geeks! :B

                                                  I used Windows Defender, which found nothing.

                                                  So, here's my Hijack log. If you need me to do a scan that lists "also minor sections" I can do that also.

                                                  Thanks a bunch! ;x(

                                                  ---------

                                                  Logfile of HijackThis v1.99.1
                                                  Scan saved at 05:52, on 26/05/2006
                                                  Platform: Windows XP SP2 (WinNT 5.01.2600)
                                                  MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                                  Running processes:
                                                  C:\WINDOWS\System32\smss.exe
                                                  C:\WINDOWS\system32\winlogon.exe
                                                  C:\WINDOWS\system32\services.exe
                                                  C:\WINDOWS\system32\lsass.exe
                                                  C:\WINDOWS\system32\svchost.exe
                                                  C:\Program Files\Windows Defender\MsMpEng.exe
                                                  C:\WINDOWS\System32\svchost.exe
                                                  C:\Program Files\Ahead\InCD\InCDsrv.exe
                                                  C:\WINDOWS\Explorer.EXE
                                                  C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                                                  C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                                                  C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                                                  C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                                                  C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                                                  C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                                                  C:\WINDOWS\system32\spoolsv.exe
                                                  C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                                                  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                                                  C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                                                  C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
                                                  C:\Program Files\Launch Manager\QtZgAcer.EXE
                                                  C:\Program Files\iTunes\iTunesHelper.exe
                                                  C:\Program Files\Ahead\InCD\InCD.exe
                                                  C:\WINDOWS\system32\hkcmd.exe
                                                  C:\acer\epm\epm-dm.exe
                                                  C:\Program Files\Common Files\Symantec Shared\ccApp.exe
                                                  C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe
                                                  C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
                                                  C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
                                                  C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
                                                  C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
                                                  C:\Program Files\MSN Messenger\MsnMsgr.Exe
                                                  C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
                                                  C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
                                                  C:\Program Files\palmOne\AlarmApp.exe
                                                  C:\Program Files\palmOne\HOTSYNC.EXE
                                                  C:\Program Files\ePrompter\ePrompter.exe
                                                  C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
                                                  C:\Program Files\acer\eRecovery\Monitor.exe
                                                  C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
                                                  C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
                                                  C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
                                                  C:\Program Files\Spyware Doctor\sdhelp.exe
                                                  C:\WINDOWS\System32\snmp.exe
                                                  C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
                                                  C:\WINDOWS\system32\svchost.exe
                                                  C:\Program Files\iPod\bin\iPodService.exe
                                                  C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                                                  C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
                                                  C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
                                                  C:\Program Files\Windows Defender\MSASCui.exe
                                                  F:\My Downloads\Spyware\HijackThis.exe
                                                  C:\WINDOWS\system32\NOTEPAD.EXE

                                                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
                                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.shaw.ca
                                                  R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
                                                  R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.shaw.ca/start/enca/addons/search/
                                                  R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
                                                  R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
                                                  O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
                                                  O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
                                                  O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
                                                  O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
                                                  O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
                                                  O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp40F7.tmp
                                                  O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
                                                  O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
                                                  O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
                                                  O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
                                                  O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
                                                  O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                                                  O4 - HKLM\..\Run: [shawnotify] c:\progra~1\shaw\update\updateloader.exe /notify
                                                  O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
                                                  O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
                                                  O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
                                                  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                                                  O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
                                                  O4 - HKLM\..\Run: [LManager] C:\Program Files\Launch Manager\QtZgAcer.EXE
                                                  O4 - HKLM\..\Run: [LaunchApp] Alaunch
                                                  O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
                                                  O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
                                                  O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
                                                  O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
                                                  O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
                                                  O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
                                                  O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
                                                  O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
                                                  O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
                                                  O4 - HKLM\..\Run: [AWMON] "C:\Program Files\F-Secure\Anti-Spyware\Ad-Monitor.exe"
                                                  O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
                                                  O4 - HKCU\..\Run: [WeatherEye] C:\Program Files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
                                                  O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
                                                  O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\NEROPH~1\data\Xtras\mssysmgr.exe
                                                  O4 - HKCU\..\Run: [NBJ] "C:\PROGRA~1\Ahead\NEROBA~1\NBJ.exe"
                                                  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
                                                  O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
                                                  O4 - Startup: HotSync Manager.lnk = C:\Program Files\palmOne\HOTSYNC.EXE
                                                  O4 - Startup: ePrompter.lnk = C:\Program Files\ePrompter\ePrompter.exe
                                                  O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton SystemWorks\Norton GoBack\GBTray.exe
                                                  O4 - Global Startup: Alarm Manager.LNK = C:\Program Files\palmOne\AlarmApp.exe
                                                  O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
                                                  O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
                                                  O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
                                                  O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
                                                  O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
                                                  O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
                                                  O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
                                                  O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
                                                  O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
                                                  O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
                                                  O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
                                                  O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
                                                  O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
                                                  O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
                                                  O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
                                                  O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
                                                  O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
                                                  O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
                                                  O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
                                                  O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                  O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                  O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MTS...fit/index.aspx
                                                  O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                                                  O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1135209311258
                                                  O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
                                                  O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1146381423474
                                                  O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
                                                  O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
                                                  O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
                                                  O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
                                                  O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
                                                  O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
                                                  O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
                                                  O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
                                                  O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
                                                  O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
                                                  O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
                                                  O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
                                                  O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
                                                  O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                                                  O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                                                  O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                                  O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
                                                  O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
                                                  O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\NPROTECT.EXE
                                                  O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
                                                  O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
                                                  O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
                                                  O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
                                                  O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
                                                  O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~3\SPEEDD~1\NOPDB.EXE
                                                  O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
                                                  O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
                                                  .
                                                  Gregor


                                                  • autio
                                                    Senior Member
                                                    • Mar 2005
                                                    • 118

                                                    #70
                                                    Kevin,
                                                    Thanks for the help!!!! I just installed Norton 2 days ago while trying to get rid of spyware (my computer became unusable). But I took your advice and uninstalled it.
                                                    I went into safe mode and ran Hijack and did your recommended fixes, but while doing its thing on

                                                    F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\atuid.exe

                                                    Hijack displayed an error message stating I should email Merijn the error message and give details of what I was trying to do with a log of the error message which was put on my clipboard. When I clicked okay it continued doing its thing. I thought I would finish then send the email but there wasn't anything in the clipboard???

                                                    I deleted some of the files you told me but I couldn't find these:
                                                    C:\WINDOWS\System32\tdopaiou.exe
                                                    C:\WINDOWS\System32\nst2B.dll
                                                    C:\WINDOWS\System32\irssyncd.exe\
                                                    iniwin32.dll (may be in Windows or Windows\System32)
                                                    direct32.dll (may be in Windows or Windows\System32)

                                                    Then I rebooted, ran Hijack, and here is the log:
                                                    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

                                                    Running processes:
                                                    C:\WINDOWS\System32\smss.exe
                                                    C:\WINDOWS\System32\winlogon.exe
                                                    C:\WINDOWS\system32\services.exe
                                                    C:\WINDOWS\system32\lsass.exe
                                                    C:\WINDOWS\system32\svchost.exe
                                                    C:\Program Files\Windows Defender\MsMpEng.exe
                                                    C:\WINDOWS\System32\svchost.exe
                                                    C:\WINDOWS\system32\spoolsv.exe
                                                    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
                                                    C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
                                                    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                                                    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
                                                    C:\WINDOWS\system32\drivers\dcfssvc.exe
                                                    C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
                                                    C:\WINDOWS\System32\nvsvc32.exe
                                                    C:\WINDOWS\System32\svchost.exe
                                                    C:\WINDOWS\wanmpsvc.exe
                                                    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
                                                    C:\WINDOWS\system32\fxssvc.exe
                                                    C:\WINDOWS\Explorer.EXE
                                                    C:\Program Files\Windows Defender\MSASCui.exe
                                                    C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
                                                    C:\Program Files\Internet Explorer\iexplore.exe
                                                    C:\Documents and Settings\Lee\Desktop\spy and virus\HijackThis.exe

                                                    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
                                                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm
                                                    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com...r/fix_homepage
                                                    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
                                                    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                                    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
                                                    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
                                                    O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
                                                    O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
                                                    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
                                                    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
                                                    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
                                                    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
                                                    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                                    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\1.1.489.27609\GoogleUpdater.exe
                                                    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                                    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                                    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
                                                    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
                                                    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
                                                    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
                                                    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
                                                    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
                                                    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
                                                    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
                                                    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
                                                    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
                                                    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
                                                    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1102514210926
                                                    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1148652866750
                                                    O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures06.aim.com/ygp/aol/pl...IM.9.5.1.8.cab
                                                    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
                                                    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
                                                    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
                                                    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
                                                    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
                                                    O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
                                                    O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
                                                    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
                                                    O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
                                                    O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
                                                    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                                                    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
                                                    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
                                                    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
                                                    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
                                                    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
                                                    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
                                                    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
                                                    O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
                                                    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


                                                    • Staff
                                                      Junior Member
                                                      • Mar 2004
                                                      • 6

                                                      #71
                                                      Looks good, Autio. Interesting that you got an error message deleting that entry but it's gone anyway. Is the machine functioning normally now? Looks like you're in good shape for now.

                                                      P.S. It was Kevin P who posted this; I forgot I was logged in as "Staff".


                                                      • autio
                                                        Senior Member
                                                        • Mar 2005
                                                        • 118

                                                        #72
                                                        Kevin,

                                                        Thank you for all the help!! I am glad to hear that you don't see any other problems. Yes, the computer is working really well without all the 5 minute delays and popups. I really appreciate all the help. I did as much research as I could in the last couple of days and I still couldn't figure out what to do. I am extremely glad I checked here for assistance.

                                                        Lee


                                                        • Kevin P
                                                          Member
                                                          • Aug 2000
                                                          • 10809

                                                          #73
                                                          Gregor:

                                                          Remove these entries using Hijack This:

                                                          O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp40F7.tmp

                                                          O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

                                                          O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...ffit/index.aspx

                                                          O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
                                                          Also delete hp40F7.tmp from your C:\windows\system32 folder.

                                                          I noticed you're running Norton Goback. I've found machines running this app tend to run slow and show constant disk activity. Uninstalling Goback will fix this.

                                                          Comment
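A triage sketch for the kind of entries Kevin P picks out in post #73, added here as an example; it is not part of the thread or of HijackThis. The flagging rules are assumptions inferred from the listed lines (a browser add-on that is not a DLL/OCX, an IE policy lock, an unnamed DPF download, a "(file missing)" target, an extra program on the `Shell=` line), not criteria anyone in the thread states; the sample lines are copied from the logs on this page.

```python
import ntpath
import re

# Sample input: lines copied from the logs and replies in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: Nothing - {f79fd28e-36ee-4989-aa61-9dd8e30a82fa} - C:\WINDOWS\system32\hp40F7.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...ffit/index.aspx
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\atuid.exe
"""

# "<section code> - <body>", e.g. "O2 - BHO: ..." or "F2 - REG:system.ini: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# "DPF: {CLSID} (optional class name) - <codebase URL>"
DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]{36}\}(?: \((?P<name>.+)\))? - (?P<url>\S+)$")
MISSING = "(file missing)"


def parse(log_text):
    """Yield (code, body) for each section-coded line; header and process lines are skipped."""
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            yield m.group("code"), m.group("body")


def reasons(code, body):
    """Return the list of review reasons for one entry (empty list = nothing flagged)."""
    found = []
    if body.endswith(MISSING):
        found.append("target file missing")
        body = body[: -len(MISSING)].rstrip()

    if code in ("O2", "O3"):
        # BHO / toolbar: the last " - " field is the module IE loads.
        target = body.rsplit(" - ", 1)[-1].strip('"')
        ext = ntpath.splitext(target)[1].lower()
        if ext not in (".dll", ".ocx"):
            found.append("browser add-on target has extension %r" % ext)
    elif code == "O6":
        # Assumed rule: a policy key locking IE options is worth confirming with the owner.
        found.append("IE options locked by policy key")
    elif code == "O16":
        m = DPF.match(body)
        if m and m.group("name") is None:
            found.append("ActiveX download with no class name")
    elif code == "F2":
        m = re.search(r"Shell=(.*)$", body, re.IGNORECASE)
        if m:
            extra = [p.strip() for p in m.group(1).split(",")
                     if p.strip().lower() != "explorer.exe"]
            if extra:
                found.append("extra program on Shell= line: " + ", ".join(extra))
    return found


def triage(log_text):
    """Return [(code, [reasons], body)] for every entry that matched a rule."""
    flagged = []
    for code, body in parse(log_text):
        why = reasons(code, body)
        if why:
            flagged.append((code, why, body))
    return flagged


if __name__ == "__main__":
    for code, why, body in triage(SAMPLE_LOG):
        print("%-3s %s\n    -> %s" % (code, body, "; ".join(why)))
```

A flagged line is a prompt for a human look, not a verdict: the unflagged O2 and O23 lines in the sample show that ordinary DLL-backed add-ons and services pass through untouched.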

                                                          • GregoriusM
                                                            Super Senior Member
                                                            • Oct 2000
                                                            • 2755

                                                            #74
                                                            Thanks, Kevin. I'm going to do that right away!

                                                            Man, GEEKS can be COOL! :rofl:
                                                            .
                                                            Gregor


                                                            • GregoriusM
                                                              Super Senior Member
                                                              • Oct 2000
                                                              • 2755

                                                              #75
                                                              Done!

                                                              Thanks Kev!!

                                                              Hijack This deleted that last file on its own.

                                                              Velly, velly goot!!! :B :B :B :B :B
                                                              .
                                                              Gregor


                                                              • P-Dub
                                                                Office Moderator
                                                                • Aug 2000
                                                                • 6766

                                                                #76
                                                                Okay it's my turn to post my logfile. Any thoughts?

                                                                Logfile of HijackThis v1.99.1
                                                                Scan saved at 4:32:09 PM, on 1/6/2007
                                                                Platform: Windows 2000 SP4 (WinNT 5.00.2195)
                                                                MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

                                                                Running processes:
                                                                C:\WINNT\System32\smss.exe
                                                                C:\WINNT\system32\winlogon.exe
                                                                C:\WINNT\system32\services.exe
                                                                C:\WINNT\system32\lsass.exe
                                                                C:\WINNT\system32\svchost.exe
                                                                C:\WINNT\system32\spoolsv.exe
                                                                C:\Program Files\NavNT\defwatch.exe
                                                                C:\WINNT\System32\svchost.exe
                                                                C:\WINNT\system32\hidserv.exe
                                                                C:\WINNT\system32\drivers\KodakCCS.exe
                                                                C:\WINNT\system32\mgabg.exe
                                                                C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
                                                                C:\WINNT\system32\regsvc.exe
                                                                C:\WINNT\system32\MSTask.exe
                                                                C:\WINNT\system32\stisvc.exe
                                                                C:\WINNT\system32\tgbstarter.exe
                                                                C:\WINNT\System32\ups.exe
                                                                C:\WINNT\system32\ZoneLabs\vsmon.exe
                                                                C:\WINNT\System32\WBEM\WinMgmt.exe
                                                                C:\WINNT\System32\mspmspsv.exe
                                                                C:\WINNT\system32\svchost.exe
                                                                C:\WINNT\Explorer.EXE
                                                                C:\WINNT\system32\TCAUDIAG.exe
                                                                C:\WINNT\system32\PDesk\PDesk.exe
                                                                C:\Program Files\ASUS\Probe\AsusProb.exe
                                                                C:\Program Files\DU Meter\DUMeter.exe
                                                                C:\Program Files\Ahead\InCD\InCD.exe
                                                                C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
                                                                C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
                                                                C:\Program Files\Icons\Seticon.exe
                                                                C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
                                                                C:\progra~1\scansoft\paperp~1\pptd40nt.exe
                                                                C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
                                                                C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
                                                                C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                                                                C:\Program Files\AnalogX\POW\pow.exe
                                                                C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
                                                                C:\PROGRA~1\TELUSE~1\SMARTB~1\SBHookSvc.exe
                                                                C:\WINNT\system32\wuauclt.exe
                                                                C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
                                                                C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
                                                                C:\Program Files\Grisoft\AVG Free\avgcc.exe
                                                                C:\WINNT\system32\taskmgr.exe
                                                                C:\Program Files\Internet Explorer\IEXPLORE.EXE
                                                                C:\setup\Hijack\HijackThis.exe

                                                                R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
                                                                N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.globefund.com/"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\tidsvodp.slt\prefs.js)
                                                                N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\tidsvodp.slt\prefs.js)
                                                                O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                                                O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
                                                                O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
                                                                O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
                                                                O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\system32\PDesk\PDesk.exe /Autolaunch
                                                                O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
                                                                O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
                                                                O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
                                                                O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
                                                                O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
                                                                O4 - HKLM\..\Run: [SetIcon] C:\Program Files\Icons\Seticon.exe
                                                                O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
                                                                O4 - HKLM\..\Run: [Nero DriveSpeed] C:\PROGRA~1\Ahead\NEROTO~1\DRIVES~1.EXE
                                                                O4 - HKLM\..\Run: [PaperPort PTD] c:\progra~1\scansoft\paperp~1\pptd40nt.exe
                                                                O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
                                                                O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                                                                O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
                                                                O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
                                                                O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
                                                                O4 - HKLM\..\Run: [PowerStrip] c:\program files\powerstrip\pstrip.exe
                                                                O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
                                                                O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
                                                                O4 - Startup: POW! (2).lnk = C:\Program Files\AnalogX\POW\pow.exe
                                                                O4 - Global Startup: Cinetray.lnk = C:\Program Files\Common Files\Ravisent Shared\cinetray.exe
                                                                O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Palm\Hotsync.exe
                                                                O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
                                                                O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                                                O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
                                                                O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
                                                                O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1124201795015
                                                                O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
                                                                O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
                                                                O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
                                                                O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
                                                                O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
                                                                O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
                                                                O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
                                                                O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
                                                                O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINNT\system32\mgabg.exe
                                                                O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
                                                                O23 - Service: ptssvc - KODAK - C:\Program Files\Kodak\Kodak EasyShare software\bin\ptssvc.exe
                                                                O23 - Service: SBHookSvc - Motive Communications, Inc. - C:\PROGRA~1\TELUSE~1\SMARTB~1\SBHookSvc.exe
                                                                O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINNT\system32\tgbstarter.exe
                                                                O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
                                                                Paul

                                                                There are three kinds of people in this world; those that can count, and those that can't.

                                                                Comment

                                                                • Kevin P
                                                                  Member
                                                                  • Aug 2000
                                                                  • 10809

                                                                  #77
                                                                  Paul, your log looks pretty clean to me, nothing that is obvious junk. Just some items to mention in case they're not legit:

                                                                  tgbstarter.exe: Are you running a GreenBow VPN client? If not, this might not be legit.

                                                                  MotiveSB.exe: This could be part of Telus or Sympatico self support tools.

                                                                  pstrip.exe: Part of Entech Powerstrip. Do you have this installed?

                                                                  pow.exe: An AnalogX pop-up blocker.

                                                                  qttask.exe, realsched.exe and osa9.exe can be removed from your startup as they don't need to be running all the time.

                                                                  Only other thing I noticed is you seem to have both AVG and Norton anti-virus programs. Running more than one AV can cause conflicts.

                                                                  Do you have any symptoms of a problem?

                                                                  Comment
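The checks made on the log in reply #77, written as a small script; this is an added example, not part of the thread. The sample lines are a subset copied from the log posted above, and the vendor-to-product map and the optional-startup set are assumptions taken from the names in the log and the reply.

```python
import ntpath
import re
from collections import defaultdict

# Sample input: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: TgbIke Starter (TgbIKE Starter) - Unknown owner - C:\WINNT\system32\tgbstarter.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")       # section code, then the entry body
EXE = re.compile(r'([^\\\s"\]]+\.exe)\b', re.I)  # first file name ending in .exe

# Assumptions for this example: vendor strings mapped to the AV product they ship,
# and the startup items the reply says do not need to run all the time.
AV_VENDORS = {"grisoft": "AVG", "symantec": "Norton"}
OPTIONAL_STARTUP = {"qttask.exe", "realsched.exe", "osa9.exe"}

def parse(log):
    """Group entry bodies by HijackThis section code (O4, O23, ...)."""
    entries = defaultdict(list)
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries[m.group(1)].append(m.group(2))
    return entries

def services(entries):
    """Split 'Service: name - vendor - path' from the right; names may hold ' - '."""
    out = []
    for body in entries.get("O23", []):
        parts = body.partition("Service: ")[2].rsplit(" - ", 2)
        if len(parts) == 3:
            out.append(dict(zip(("name", "vendor", "path"), parts)))
    return out

def triage(log):
    """Return the items a reviewer would ask the log's owner about."""
    entries = parse(log)
    svcs = services(entries)
    startup = [m.group(1).lower() for b in entries.get("O4", []) if (m := EXE.search(b))]
    return {
        "unknown_owner_services": [ntpath.basename(s["path"]).lower() for s in svcs
                                   if s["vendor"].lower() == "unknown owner"],
        "av_products": sorted({p for s in svcs for k, p in AV_VENDORS.items()
                               if k in s["vendor"].lower()}),
        "optional_startup": [e for e in startup if e in OPTIONAL_STARTUP],
    }

if __name__ == "__main__":
    for check, hits in triage(SAMPLE_LOG).items():
        print(f"{check}: {hits}")
```

More than one entry under `av_products` is the two-antivirus condition the reply warns about; an `unknown_owner_services` hit is a prompt to ask whether the software is expected, not a verdict.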

                                                                  • P-Dub
                                                                    Office Moderator
                                                                    • Aug 2000
                                                                    • 6766

                                                                    #78
                                                                    I was concerned as my Norton icon was showing that the real time virus scanning was not enabled. I tried to enable and it just wouldn't start. I downloaded the other anti virus program to ensure I was okay.

                                                                    I am running a GreenBow VPN client.

                                                                    MotiveSB is from Telus.

                                                                    I do have Powerstrip installed.

                                                                    A very strange thing that has happened, it's been about a year, is that my Acrobat will not work. So I'm using my laptop to read PDF files.
                                                                    Paul

                                                                    There are three kinds of people in this world; those that can count, and those that can't.

                                                                    Comment

                                                                    • mackintire
                                                                      Senior Member
                                                                      • Jan 2009
                                                                      • 186

                                                                      #79
                                                                      Adaware and Spybot Search and Destroy are not even in the running for decent spyware removal these days.

                                                                      Malwarebytes and SuperAntiSpyware Remover are the top two freeware products.

                                                                      Pick them both up at www.majorgeeks.com

                                                                      Comment

                                                                      • 1Michael
                                                                        Senior Member
                                                                        • Sep 2006
                                                                        • 293

                                                                        #80
                                                                        Add Malwarebytes to your list of programs :T
                                                                        Michael
                                                                        Chesapeake Va.

                                                                        Comment

                                                                        • 1oldguy
                                                                          Senior Member
                                                                          • Dec 2008
                                                                          • 459

                                                                          #81
                                                                          Very Nice.
                                                                          A Man should never Gamble more than he can stand to lose.

                                                                          Comment

                                                                          • numberoneoppa
                                                                            Senior Member
                                                                            • Sep 2009
                                                                            • 535

                                                                            #82
                                                                            Microsoft Security Essentials is now free to the public (has been for a while). I highly recommend it, it's lightweight and seems to be able to do its job better than any pay-to-use/subscription software. It defends against all forms of malware.
                                                                            -Josh

                                                                            That feeling when things are finally going right. Yeah, that one.

                                                                            Comment
