Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Another AURORA victom....HELP


  • Please log in to reply

#1
SoCal

SoCal

    New Member

  • Member
  • Pip
  • 6 posts
I already have Ad-Aware and SpyBot and 2 days ago I bought Norton "SystemWorks-premier". Because I already have Norton I didn't install Ewido, I read that you shouldn't have more than 1 anti-virus program.

I am computer illiterate and need HELP!


Logfile of HijackThis v1.99.1
Scan saved at 1:38:10 PM, on 7/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\53ospkur.exe
C:\WINDOWS\system32\hhjlpr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\system32\locemsp.exe
C:\WINDOWS\system32\ligtview.exe
c:\windows\system32\vaqqkju.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Ipod\bin\iPodService.exe
C:\WINDOWS\maulxl.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jeff\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 255.255.255.255 www.casinoxo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [53ospkur] C:\WINDOWS\system32\53ospkur.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegvj32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hhjlpr.exe reg_run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [2FmO3tO] locemsp.exe
O4 - HKLM\..\Run: [qdjnzo] c:\windows\system32\vaqqkju.exe r
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Jo5ERjiqS] ligtview.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab


Thank you, Jeff
  • 0

Advertisements


#2
SoCal

SoCal

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Moved Hightjack to C drive, I think. Anyway re-ran Highjack, here is the new read out.

Logfile of HijackThis v1.99.1
Scan saved at 7:47:42 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\windows\system32\qvqrar.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MouseWare\System\Em_exec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R3 - Default URLSearchHook is missing
O1 - Hosts: 255.255.255.255 www.casinoxo.com
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [53ospkur] C:\WINDOWS\system32\53ospkur.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegvj32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hhjlpr.exe reg_run
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [2FmO3tO] locemsp.exe
O4 - HKLM\..\Run: [ivfylz] c:\windows\system32\qvqrar.exe r
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Jo5ERjiqS] ligtview.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.edisonchargers.com
O15 - Trusted Zone: http://www.shockwave.com
O15 - Trusted Zone: http://www.sportsline.com
O15 - Trusted Zone: http://www.thegreek.com
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n6/dlhelper.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.bro...in/Download.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://home.microga...ome/FlashAX.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Ipod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thanks again, Jeff
  • 0

#3
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
Please download LQfix batch here:
http://www.downloads...m.org/LQfix.zip
Unzip it to the desktop but do NOT run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


Once in Safe Mode, please run LQfix.bat. When finished, restart your computer in normal mode and run HijackThis again.
Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R3 - Default URLSearchHook is missing
O1 - Hosts: 255.255.255.255 www.casinoxo.com

O4 - HKLM\..\Run: [53ospkur] C:\WINDOWS\system32\53ospkur.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitegvj32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\hhjlpr.exe reg_run

O4 - HKLM\..\Run: [2FmO3tO] locemsp.exe
O4 - HKLM\..\Run: [ivfylz] c:\windows\system32\qvqrar.exe r

O4 - HKCU\..\Run: [Jo5ERjiqS] ligtview.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\temp\stubinstaller6480.exe"

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c356.cab

Then install and run Ewido anyway. What you said about 2 Antiviruses is true, but Ewido is not really an Antivirus and you don't have to run it resident. Just do a system scan.

Post the Ewido log and a new HijackThis log.

Regards,
  • 0

#4
SoCal

SoCal

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thanks for the help Metallica, here are the reports. I think I ran LQfix, I am not sure if I unzipped it. When I clicked run it flashed up a small screen so fast I couldn't read it, was that what was supposed to happen?

ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:56:56 PM, 7/17/2005
+ Report-Checksum: A1AEA0AF

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\Jeff\Cookies\jeff@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jeff\Desktop\mom\embroidery\madness.zip/Madness Interactive/madness.exe -> TrojanDropper.Decept.30.a : Error during cleaning
C:\Program Files\Aprps\CxtPls.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1052\A0108141.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1052\A0108146.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1052\A0108147.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1052\A0108149.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1053\A0108162.dll -> Adware.SAHA : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1059\A0112446.exe -> TrojanDownloader.Qoologic.v : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1059\A0112461.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1059\A0112462.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1060\A0112506.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1060\A0112507.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1061\A0112531.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1061\A0112535.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1061\A0112536.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1061\A0112563.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1062\A0112568.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1063\A0112616.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114033.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114034.dll -> Spyware.BookedSpace : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114038.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114041.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114042.exe -> Spyware.Pacer : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114043.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114045.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114047.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1071\A0114048.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1072\A0114055.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1072\A0114064.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1072\A0114072.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1072\A0114073.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1072\A0115085.exe -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1072\A0115092.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1074\A0115258.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1081\A0115699.dll -> Heuristic.Win32.Hijacker1 : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1081\A0115709.EXE -> Spyware.AproposMedia : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1085\A0116311.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1085\A0116313.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1085\A0116314.exe -> TrojanDownloader.Apropo.ac : Cleaned with backup
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1088\A0117423.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\WINDOWS\c73lsu6o.exe -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\53ospkur.exe -> Adware.Saha : Cleaned with backup
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup




Logfile of HijackThis v1.99.1
Scan saved at 5:58:34 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Ipod\bin\iPodService.exe
C:\HJT\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.edisonchargers.com
O15 - Trusted Zone: http://www.neteller.com
O15 - Trusted Zone: http://www.pinnaclesports.com
O15 - Trusted Zone: http://www.shockwave.com
O15 - Trusted Zone: http://www.sportsline.com
O15 - Trusted Zone: http://www.thegreek.com
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard..../wowbeta/si.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.micro...n6/dlhelper.cab
O16 - DPF: {B160422D-0A48-11D4-BD9B-00A0C9B0AB7B} (Download Class) - http://expressit.bro...in/Download.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://home.microga...ome/FlashAX.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.c...ebio5_1_3_0.cab
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Ipod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Ghost\Agent\PQV2iSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you again, Jeff
  • 0

#5
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
I missed one before.

Fix this one as well:
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0029.exe

The rest of the log looks good.

Is your computer behaving as well?

Regards,
  • 0

#6
SoCal

SoCal

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Thank you Metallica, you're a life saver! Yes! everything seems fine, no more pop-ups. Thank you again.

I have an unrelated question about having 44+ things running according to my Task Manager report. Which forum should I post in?

Thank you very much, Jeff
  • 0

#7
Metallica

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 31,676 posts
My pleasure.

Please do have a look at my site about removing and preventing spyware.

Not sure if we have a Norton forum :tazz:
Just kidding. Try the XP forum: http://www.geekstogo...2003_NT-f5.html

Good luck,
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP