This is my first time trying this...I've just about exhausted everything I can think of trying to fix my computer and made minimal progress if any, so I'd really really love your help. I will give you a summary of what has happened so far (I've tried a lot on my own because I didn't know this resource was out there! I wish I had realized it earlier!), and then I'll post my HijackThis Logfile.
(If you don't need a summary of what all I've done so far, please skip ahead to my HijackThis file).
I first had Norton Antivirus on my computer, and it detected the "pokapoka70.exe" virus and "nt_hide70.dll" virus. After deleting and quarantining as many of the infected files as I could, I restarted, only to find that those viruses still existed, and I also got a virus notification of "Trojan.Elitebar" virus. Upon trying to restart again, my computer would not start... it would freeze saying "Please wait..." and would not get to the log-in menu. It would not let me start in Safe Mode either, for it kept getting hung up on a file called d347bus.sys. I was finally able to start it using the "Start using last good/working settings" mode. I looked up directions for deleting the Trojan.Elitebar virus on the Symantec website and followed their directions (including turning off System Restore...which I still have off. It also involved looking at my "hosts" file, and there was another line in there besides the one that there is supposed to be. I deleted that other line.).
It appeared to have worked after I finally restarted, because I no longer got virus notifications when I logged on. However, then I noticed I could no longer access the internet through IE, and there was a strange toolbar in my IE window. I was also getting lots of pop-ups. I looked in Add/Remove programs and saw "180Search Toolbar" which looked unfamiliar, so I tried to delete it. I think I had to go into Safe Mode to do so. Also, in Safe Mode I could use IE, but not in Normal mode. When I returned to normal mode, I still couldn't use IE, the toolbar was gone sometimes and there sometimes, but also my Windows Task Manager would not open. I would just get the little green square on the bottom right of the screen that showed it was running, but I could not actually see it. My computer was working very slowly also. I found some information on others who had this problem, with both IE and the Task Manager, and they said that somehow uninstalling their Norton Antivirus helped the problem.
I uninstalled Norton Antivirus and sure enough, now I could use IE and open Windows Task Manager in Normal Mode... don't really get it, but it worked. However, the weird toolbar was still there in IE and I was still getting many popups. I went to my school's webpage and installed the newest version of Symantec to replace the Norton Antivirus I had uninstalled. However, upon trying to open Symantec, my computer would freeze. This happened many times. So not being able to run Symantec, I ran Ad-aware a couple times to try to see what was affecting my computer (even though I know they probably look for different things). Also, when I logged onto AIM, after a few minutes something took over control of my AIM and started sending messages to people on my buddy list one by one with infected links. I couldn't stop it, it was doing it all on its own, so I logged out.
I left my computer off for about a week and borrowed a computer, but I had to give it back today. I really need my computer for schoolwork so I got it out again today to try to fix it. When I turned it on, it was extremely slow in all applications, especially the internet. I came across your website. I followed all of the instructions on your Start page as you requested.
When I rebooted, Symantec's auto-protection scan popped up with viruses such as Adaware.Shorty, Adaware.MaxSearch, Trojan.Elitebar, Adaware.180Search. My system was still working very slowly. I ran regular Symantec, which found those infections as well as nt_hide76.dll, system32.dll, mc-110-12-0000080.exe, Adperform180safull.exe, stubSafull.exe, etc.... Symantec claimed it was able to delete the first 2 of those, and quarantined the rest. I went into the Register Keys ("Regedit") as I had done before when I was following directions on removing pokapoka, and while trying to look for the keys that Symantec says would be modified for these other viruses, I came across pokapoka75.exe and pokapoka76.exe, so I deleted those. I also ran Symantec's tool for removing 180Search Toolbar files.... however, in the end it said that I did not have any such files on my computer (though it told me I had them earlier). Meanwhile, the Spybot-SD that I downloaded and ran from your site earlier, kept popping up with messages whenever keys were changed by one of the viruses. Unfortunately, it would ask if I wanted to accept the changes or not, and looked like it had two buttons, but they were cut off at the bottom of the window so I couldn't read them, and it wouldn't let me expand the window.... it was very strange. So I just kept clicking the "X" to close the box, but they kept popping up over and over. So, I finally shut down and restarted out of exasperation.
When I restarted, my computer was working at normal speed! IE was working fine, Task Manager was working fine. I wasn't getting any popups. The weird toolbar was gone. Everything seemed to be great for an hour or so. I was just about to run HijackThis, but I thought maybe I had fixed it and didn't need to.
About an hour later, I started getting popups all of a sudden. I logged onto AIM then, and within a few seconds, I noticed that my mouse pointer would switch between a pointer and an hourglass every second... as if it's running something or trying to. I logged off of AIM, but my mouse is continuing to do this for many minutes, and is still going as I am typing this. My computer has gotten slower again too. So, I ran HijackThis, and here is my file. I am really at a loss for what is going on, and I hope that my efforts to fix it haven't just made things worse.
I really look forward to your help (and sorry for the long summary... I wasn't sure how much detail you needed.)
Logfile of HijackThis v1.99.1
Scan saved at 11:03:07 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\SymTray.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Kerberos\leash32.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\Program Files\Kerberos\krbcc32s.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\My Documents\My Downloads\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.eza1netsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.eza1netsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.eza1netsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wisc.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.eza1netsearch.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe "Norton SystemWorks"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe
O4 - Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Leash Kerberos Ticket Manager.lnk = C:\Program Files\Kerberos\leash32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...client/wuweb_site.cab?1103167582532
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CWShredder Service - InterMute, Inc. - C:\Documents and Settings\Administrator\My Documents\My Downloads\cwshredder-1.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Speed Disk\nopdb.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe