Okay, so I decided to run ewido in various different ways a few more times, along with spy sweeper. It removed a few things, but kept finding the trojan file gebyw.dll. So I decided to run hijack this again, and look at the log. After I did that I ran Vundo Fix again, and told it to go after gebyw.dll and wybeg.*, and after that when hijack this opened I had it fix 2 things, 1 being that dll file, the other being another random winlogon dll file. After that I restarted into regular mode, and I haven't seen any problems yet. The computer isn't running slow anymore, and I don't see winfixer at the moment, and I don't see norton popping up telling me I have a virus.
Could someone please check these logs and make sure I am clean though??
Thanks again for your help.
Ewido Log -------- before running hijack this and vundo fix for the last time -------------------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 12:53:22 PM, 10/14/2005
+ Report-Checksum: F7FC2BAE
+ Scan result:
HKU\S-1-5-21-1724617393-3661440306-1321000789-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\WINDOWS\system32\gebyw.dll -> TrojanDownloader.Small.bpk : Cleaned with backup
::Report End
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 1:05:37 PM, 10/14/2005
+ Report-Checksum: 3EFF8157
+ Scan result:
C:\WINDOWS\system32\gebyw.dll -> TrojanDownloader.Small.bpk : Cleaned with backup
::Report End
Spyware Sweeper Log: -----------------------------------------------------------------------------------
10/14/2005 12:09:49 AM::------------------------------------------------------------------
10/14/2005 12:09:49 AM::Initializing Clean - (ScanID: 07CD50A0-4AC9-4034-AF28-A4488B)
10/14/2005 12:09:49 AM::Remove Threat (ID:16573)
10/14/2005 12:09:49 AM::Clean Threat Trojan.Downloader.AdMSI (ID:16573)
10/14/2005 12:09:50 AM::Terminating IE
10/14/2005 12:09:51 AM::Removing file c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll
10/14/2005 12:09:51 AM::RemoveProviderByPath-FilePath=c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll,RC=0,ThreatID=16573
10/14/2005 12:09:51 AM::Removed all related Winsock LSP handler for c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll
10/14/2005 12:10:12 AM::Disable file c:\documents and settings\marion\local settings\temp\is-63k9f.tmp\_shfoldr.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\6DB8A5D9-3747-40E2-B72D-33ACD3\570E010F-48E1-4BB5-B20B-CF0770
10/14/2005 12:10:13 AM::Clean Threat Trojan.Downloader.AdMSI (ID:16573) Complete
10/14/2005 12:10:13 AM::Remove Threat (ID:16573) Complete
10/14/2005 12:10:13 AM::Remove Threat (ID:16556)
10/14/2005 12:10:13 AM::Clean Threat Winfixer (ID:16556)
10/14/2005 12:10:13 AM::Removing file c:\windows\system32\df_kme.exe
10/14/2005 12:10:14 AM::Disable file c:\windows\system32\df_kme.exe and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\22F97A85-A345-4144-8DB7-74C837
10/14/2005 12:10:14 AM::Removing file c:\program files\common files\winsoftware\crxml.dll
10/14/2005 12:10:14 AM::RemoveProviderByPath-FilePath=c:\program files\common files\winsoftware\crxml.dll,RC=0,ThreatID=16556
10/14/2005 12:10:14 AM::Removed all related Winsock LSP handler for c:\program files\common files\winsoftware\crxml.dll
10/14/2005 12:10:22 AM::Removing shared dll registry entry for c:\program files\common files\winsoftware\crxml.dll
10/14/2005 12:10:22 AM::Disable file c:\program files\common files\winsoftware\crxml.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\D12F8523-214D-4546-823B-2DDE89
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\contact customer support.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\contact customer support.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\4990E3A4-AFF6-4C53-85AC-A13D62
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\uninstall winfixer 2005.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\uninstall winfixer 2005.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\49C99AE3-4261-4CCD-A7DD-5EFD6D
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005 on the web.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005 on the web.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\FAAFD19B-BA99-417C-90EF-C490F1
10/14/2005 12:10:22 AM::Removing file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005.lnk
10/14/2005 12:10:22 AM::Disable file c:\documents and settings\all users\start menu\programs\winfixer 2005\winfixer 2005.lnk and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\E3C22B01-6D7C-4C6D-80B3-F6C4A7\419233CB-5231-45EE-BBE1-F2F40E
10/14/2005 12:10:22 AM::Delete folder c:\documents and settings\all users\start menu\programs\winfixer 2005\
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005\Settings [TARGET_TIME_LOW=819807920
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005\Settings [TARGET_TIME_HIGH=29741105
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005\Settings
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware\WinFixer 2005
10/14/2005 12:10:22 AM::Removing registry value HKEY_CURRENT_USER\Software\WinSoftware
10/14/2005 12:10:22 AM::Removing registry key HKEY_CURRENT_USER\Software\WinSoftware
10/14/2005 12:10:22 AM::Clean Threat Winfixer (ID:16556) Complete
10/14/2005 12:10:22 AM::Remove Threat (ID:16556) Complete
10/14/2005 12:10:22 AM::Remove Threat (ID:15196)
10/14/2005 12:10:22 AM::Clean Threat Virtumondo (ID:15196)
10/14/2005 12:10:23 AM::Removing file c:\windows\system32\ddabx.dll
10/14/2005 12:10:23 AM::RemoveProviderByPath-FilePath=c:\windows\system32\ddabx.dll,RC=0,ThreatID=15196
10/14/2005 12:10:23 AM::Removed all related Winsock LSP handler for c:\windows\system32\ddabx.dll
10/14/2005 12:10:27 AM::Removing BHO {52B1DFC7-AAFC-4362-B103-868B0683C697} for file c:\windows\system32\ddabx.dll
10/14/2005 12:10:27 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:27 AM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:29 AM::Unregistering COM entry points for file c:\windows\system32\ddabx.dll
10/14/2005 12:10:31 AM::Disable file c:\windows\system32\ddabx.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\7F476BDB-D3B1-48D0-8B68-9A829A\80D218CD-14C4-4F6F-857B-CABBC1
10/14/2005 12:10:31 AM::Delete file c:\windows\system32\ddabx.dll failed, adding to FileDeleteReboot
10/14/2005 12:10:31 AM::Disable file c:\windows\system32\ddabx.dll failed, file locked or in memory
10/14/2005 12:10:31 AM::Special cleaner required to remove threat on restart, reason: Could not quarantine file c:\windows\system32\ddabx.dll, unknown error moving file.
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [=C:\WINDOWS\system32\ddabx.dll
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [ThreadingModel=apartment
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID [=MSEvents.MSEvents.1
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\Programmable
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib [={BAD59A24-6891-417D-A041-C8FD495B77F1}
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID [=MSEvents.MSEvents
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [=MSEvents Object
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [AppID=
10/14/2005 12:10:31 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:31 AM::Removing registry key HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 12:10:33 AM::Clean Threat Virtumondo (ID:15196) Complete
10/14/2005 12:10:34 AM::Remove Threat (ID:13117)
10/14/2005 12:10:34 AM::Clean Threat Altnet (ID:13117)
10/14/2005 12:10:34 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard\Settings
10/14/2005 12:10:34 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard
10/14/2005 12:10:34 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
10/14/2005 12:10:34 AM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
10/14/2005 12:10:34 AM::Clean Threat Altnet (ID:13117) Complete
10/14/2005 12:10:34 AM::Remove Threat (ID:13117) Complete
10/14/2005 12:12:14 AM::Unititializing Clean
10/14/2005 12:12:14 AM::------------------------------------------------------------------
10/14/2005 7:52:15 AM::------------------------------------------------
10/14/2005 7:52:15 AM::Starting GIANT AS Cleaner
10/14/2005 7:52:15 AM::Running all Cleaner deletes
10/14/2005 7:52:15 AM::---Starting Quick Cleaner DelFiles
10/14/2005 7:52:15 AM::File delete failed for c:\windows\system32\ddabx.dll
10/14/2005 7:52:15 AM::---Starting Quick Cleaner DelFolders
10/14/2005 7:52:16 AM::---Starting Quick Cleaner DelRegKeys
10/14/2005 7:52:16 AM::Registry key delete complete for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:52:16 AM::Checking threats to clean
10/14/2005 7:52:18 AM::------------------------------------------------------------------
10/14/2005 7:52:18 AM::Initializing Clean - (ScanID: 07CD50A0-4AC9-4034-AF28-A4488B)
10/14/2005 7:52:18 AM::Cleaning threat 15196 ScanID: 07CD50A0-4AC9-4034-AF28-A4488B
10/14/2005 7:52:18 AM::Clean Threat Virtumondo (ID:15196)
10/14/2005 7:52:19 AM::Generating threat
10/14/2005 7:52:21 AM::Removing file c:\windows\system32\ddabx.dll
10/14/2005 7:52:22 AM::RemoveProviderByPath-FilePath=c:\windows\system32\ddabx.dll,RC=0,ThreatID=15196
10/14/2005 7:52:22 AM::Removed all related Winsock LSP handler for c:\windows\system32\ddabx.dll
10/14/2005 7:55:36 AM::------------------------------------------------
10/14/2005 7:55:36 AM::Starting GIANT AS Cleaner
10/14/2005 7:55:36 AM::Running all Cleaner deletes
10/14/2005 7:55:36 AM::Checking threats to clean
10/14/2005 7:55:37 AM::------------------------------------------------------------------
10/14/2005 7:55:37 AM::Initializing Clean - (ScanID: 07CD50A0-4AC9-4034-AF28-A4488B)
10/14/2005 7:55:37 AM::Cleaning threat 15196 ScanID: 07CD50A0-4AC9-4034-AF28-A4488B
10/14/2005 7:55:37 AM::Clean Threat Virtumondo (ID:15196)
10/14/2005 7:55:38 AM::Generating threat
10/14/2005 7:55:41 AM::Removing file c:\windows\system32\ddabx.dll
10/14/2005 7:55:41 AM::RemoveProviderByPath-FilePath=c:\windows\system32\ddabx.dll,RC=0,ThreatID=15196
10/14/2005 7:55:41 AM::Removed all related Winsock LSP handler for c:\windows\system32\ddabx.dll
10/14/2005 7:56:30 AM::Removing BHO {52B1DFC7-AAFC-4362-B103-868B0683C697} for file c:\windows\system32\ddabx.dll
10/14/2005 7:56:30 AM::Removing registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:30 AM::Removing registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:32 AM::Unregistering COM entry points for file c:\windows\system32\ddabx.dll
10/14/2005 7:56:33 AM::Disable file c:\windows\system32\ddabx.dll and quarantine to C:\Program Files\Microsoft AntiSpyware\Quarantine\BF7CDCDB-02D4-43F9-BADC-B87C1D\A41F74E8-79DC-440C-BEF7-C222B7
10/14/2005 7:56:33 AM::Delete file c:\windows\system32\ddabx.dll failed, adding to FileDeleteReboot
10/14/2005 7:56:33 AM::Disable file c:\windows\system32\ddabx.dll failed, file locked or in memory
10/14/2005 7:56:33 AM::Special cleaner required to remove threat on restart, reason: Could not quarantine file c:\windows\system32\ddabx.dll, unknown error moving file. (CLEANER RUNNING)
10/14/2005 7:56:33 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [=C:\WINDOWS\system32\ddabx.dll
10/14/2005 7:56:33 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32 [ThreadingModel=apartment
10/14/2005 7:56:33 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\InprocServer32
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID [=MSEvents.MSEvents.1
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\ProgID
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\Programmable
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib [={BAD59A24-6891-417D-A041-C8FD495B77F1}
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\TypeLib
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID [=MSEvents.MSEvents
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}\VersionIndependentProgID
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [=MSEvents Object
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697} [AppID=
10/14/2005 7:56:35 AM::Removing registry value HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:35 AM::Removing registry key HKEY_CLASSES_ROOT\CLSID\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 7:56:36 AM::Clean Threat Virtumondo (ID:15196) Complete
10/14/2005 7:56:36 AM::Unititializing Clean
10/14/2005 7:56:36 AM::------------------------------------------------------------------
10/14/2005 7:56:36 AM::Ending GIANT AS Cleaner
10/14/2005 7:56:36 AM::------------------------------------------------
10/14/2005 8:19:27 AM::------------------------------------------------
10/14/2005 8:19:27 AM::Starting GIANT AS Cleaner
10/14/2005 8:19:27 AM::Running all Cleaner deletes
10/14/2005 8:19:27 AM::---Starting Quick Cleaner DelFiles
10/14/2005 8:19:27 AM::File delete failed for c:\windows\system32\ddabx.dll
10/14/2005 8:19:27 AM::---Starting Quick Cleaner DelRegKeys
10/14/2005 8:19:28 AM::Registry key delete complete for HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{52B1DFC7-AAFC-4362-B103-868B0683C697}
10/14/2005 8:19:28 AM::Checking threats to clean
10/14/2005 8:19:28 AM::Ending GIANT AS Cleaner
10/14/2005 8:19:28 AM::------------------------------------------------
Vundo Fix Log --------------------------------------
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Suspending PID 500 'smss.exe'
Threads [504][508][512]
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 1548 'explorer.exe'
Killing PID 1548 'explorer.exe'
Killing PID 1548 'explorer.exe'
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Error, Cannot find a process with an image name of rundll32.exe
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003
[email protected]
Killing PID 572 'winlogon.exe'
Killing PID 572 'winlogon.exe'
Killing PID 572 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
Hijackthis Log - After running Ewido, spysweeper, and vundo fix. -------------------
Logfile of HijackThis v1.99.1
Scan saved at 1:43:49 PM, on 10/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\CounterSpy.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\gebyw.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: gebyw - C:\WINDOWS\SYSTEM32\gebyw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
I provided the other logs as a reference, but does my HiJackThis log look clean???
Thanks for your help,
Nick
Edited by ns0622, 14 October 2005 - 12:13 PM.