
please help with crazy popup!

#1 kingofighter (Member, 15 posts)
I installed all the virus scanners this forum suggested and, although they found and removed a lot, I am still unable to fix this problem. Would anyone please help? These things pop up every 5 minutes or so, regardless of whether my IE is open or not. This is getting really annoying when I'm watching full-screen video. I ran this after restarting:

Logfile of HijackThis v1.99.1
Scan saved at 9:14:43 PM, on 10/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\system32\rundll32.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\QTRAYIME.EXE
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\rundll32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\Messenger\msmsgs.exe
E:\HijackThis\HijackThis.exe
E:\Program Files\AIM\aim.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Q9 Tray.lnk = E:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Using &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: Dynamic Directory - E:\WINDOWS\system32\n2p4lc7q1f.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IμI33IDo (炵苀最唗) - Unknown owner - E:\WINDOWS\G_Server.exe

Edited by kingofighter, 24 October 2005 - 10:17 PM.

#2 kingofighter (Topic Starter, Member, 15 posts)
Just to keep my log updated...

Logfile of HijackThis v1.99.1
Scan saved at 10:08:38 PM, on 10/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\ctfmon.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\QTRAYIME.EXE
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\rundll32.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\BitSpirit\BitSpirit.exe
E:\Program Files\NetLimiter\NetLimiter.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Kingsoft\PowerWord 2005\XDICT.EXE
E:\HijackThis\HijackThis.exe
E:\Program Files\Messenger\msmsgs.exe

O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Q9 Tray.lnk = E:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Using &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - E:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: MSSYCLM - E:\WINDOWS\system32\n02ulaf91d2.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - E:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IμI33IDo (炵苀最唗) - Unknown owner - E:\WINDOWS\G_Server.exe
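An added triage example for the two logs above (written for this page; it is not code from HijackThis, from Geeks to Go or from anyone in the thread). It parses the O20 and O23 lines, flags a Winlogon Notify DLL that is not in an assumed stock-XP baseline and has a random-looking name, flags a service with no vendor string or a non-ASCII display name, and pairs the Notify entry across the two scans, where the key name and file name changed from Dynamic Directory / n2p4lc7q1f.dll to MSSYCLM / n02ulaf91d2.dll within two days. The baseline set, the name heuristic and the crypt32chain line (added for contrast; HijackThis did not show it in the posted logs) are assumptions of the example, not facts from the thread.

```python
"""Triage of HijackThis v1.99 log lines: flag Winlogon Notify (O20) and
service (O23) entries that deserve a look, and pair up the non-baseline
Notify DLL across two scans of the same machine."""
import re
from dataclasses import dataclass

# Assumed baseline of DllName values found under
# HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify on a
# stock Windows XP install. An assumption for this example; tune it to your image.
XP_NOTIFY_BASELINE = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                      "wlnotify.dll", "sclgntfy.dll"}

_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>[A-Za-z]:\\.*)$")
_O23 = re.compile(r"^O23 - Service: (?P<head>.+?) - (?P<path>[A-Za-z]:\\.*)$")

# Abridged from the 24 Oct and 26 Oct logs in this thread. The crypt32chain
# line is added here for contrast; HijackThis did not list it in the posted logs.
LOG_OCT24 = r"""
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: crypt32chain - E:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: Dynamic Directory - E:\WINDOWS\system32\n2p4lc7q1f.dll
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IμI33IDo (炵苀最唗) - Unknown owner - E:\WINDOWS\G_Server.exe
"""
LOG_OCT26 = r"""
O20 - Winlogon Notify: crypt32chain - E:\WINDOWS\system32\crypt32.dll
O20 - Winlogon Notify: MSSYCLM - E:\WINDOWS\system32\n02ulaf91d2.dll
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: IμI33IDo (炵苀最唗) - Unknown owner - E:\WINDOWS\G_Server.exe
"""


@dataclass
class Entry:
    section: str  # "O20" or "O23"
    name: str     # Notify subkey name, or service display name
    owner: str    # vendor string for O23, "" for O20
    path: str

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def _clean(path: str) -> str:
    return path.replace(" (file missing)", "").strip()


def parse_hjt(text: str) -> list:
    """Return the O20 and O23 entries of a HijackThis log; other sections are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := _O20.match(line):
            entries.append(Entry("O20", m["name"], "", _clean(m["path"])))
        elif m := _O23.match(line):
            # The display name may itself contain " - ", so split the vendor off the right.
            name, sep, owner = m["head"].rpartition(" - ")
            if not sep:
                name, owner = owner, ""
            entries.append(Entry("O23", name, owner, _clean(m["path"])))
    return entries


def looks_random(stem: str) -> bool:
    """Crude test for machine-generated names such as n2p4lc7q1f or n02ulaf91d2."""
    s = stem.lower()
    digits = sum(c.isdigit() for c in s)
    letters = sum(c.isalpha() for c in s)
    vowels = sum(c in "aeiou" for c in s)
    return (digits >= 2 and letters >= 2) or (letters >= 5 and vowels == 0)


def triage(text: str) -> list:
    """Return (section, name, path, reason) for entries worth a second look."""
    findings = []
    for e in parse_hjt(text):
        reasons = []
        if e.section == "O20" and e.filename not in XP_NOTIFY_BASELINE:
            reasons.append("Winlogon Notify DLL not in baseline")
            if looks_random(e.filename.rsplit(".", 1)[0]):
                reasons.append("random-looking file name")
        if e.section == "O23":
            if e.owner.lower() == "unknown owner":
                reasons.append("no vendor string")
            if any(ord(c) > 127 for c in e.name):
                reasons.append("non-ASCII service name")
        if reasons:
            findings.append((e.section, e.name, e.path, "; ".join(reasons)))
    return findings


def notify_dll_changed(old: str, new: str) -> list:
    """Pair the non-baseline Notify entries of two scans. A new key name and a
    new random file name on the same box means the component re-creates
    itself, so deleting the file seen in the first log is not enough."""
    def pick(t):
        return [(e.name, e.filename) for e in parse_hjt(t)
                if e.section == "O20" and e.filename not in XP_NOTIFY_BASELINE]
    return list(zip(pick(old), pick(new)))


if __name__ == "__main__":
    for label, log in (("24 Oct", LOG_OCT24), ("26 Oct", LOG_OCT26)):
        for section, name, path, why in triage(log):
            print(f"{label} {section} {name!r} {path}: {why}")
    print(notify_dll_changed(LOG_OCT24, LOG_OCT26))
```

Run it as a script to print the findings. The practical point of the pairing is that a Winlogon Notify DLL is loaded into winlogon.exe at logon and stays in use for the whole session, which is why an on-demand scanner can report a file as removed while a freshly named copy is already registered; compare logs across reboots before trusting a clean result.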

#3 Danny (Visiting Staff, 684 posts)
Hi,

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link under "SpySweeper" to download the program.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Danny

#4 kingofighter (Topic Starter, Member, 15 posts)
Thank you for helping me. Here is the requested summary:
********
9:45 PM: | Start of Session, Thursday, October 27, 2005 |
9:45 PM: Spy Sweeper started
9:45 PM: Sweep initiated using definitions version 564
9:45 PM: Found Adware: look2me
9:45 PM: HKLM\software\microsoft\windows nt\currentversion\winlogon\notify\ms-dos emulation\ || dllname (ID = 129984)
9:45 PM: l80u0id9e80.dll (ID = 129984)
9:45 PM: Starting Memory Sweep
9:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:46 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:46 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:46 PM: Detected running threat: E:\WINDOWS\system32\l80u0id9e80.dll (ID = 163672)
9:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:47 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:47 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:47 PM: Detected running threat: E:\WINDOWS\system32\kld101a.dll (ID = 163672)
9:48 PM: Detected running threat: E:\WINDOWS\system32\guard.tmp (ID = 163672)
9:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:48 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:48 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:48 PM: Memory Sweep Complete, Elapsed Time: 00:03:20
9:48 PM: Starting Registry Sweep
9:49 PM: Found Adware: quicklink search toolbar
9:49 PM: HKCR\qlink.qlfilter\ (3 subtraces) (ID = 890588)
9:49 PM: HKCR\qlink.qlfilter.1\ (3 subtraces) (ID = 890592)
9:49 PM: HKCR\qlink.qlhelper\ (3 subtraces) (ID = 890596)
9:49 PM: HKCR\qlink.qlhelper.1\ (3 subtraces) (ID = 890600)
9:49 PM: HKCR\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890604)
9:49 PM: HKCR\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890613)
9:49 PM: HKCR\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890624)
9:49 PM: HKLM\software\classes\qlink.qlfilter\ (3 subtraces) (ID = 890661)
9:49 PM: HKLM\software\classes\qlink.qlfilter.1\ (3 subtraces) (ID = 890665)
9:49 PM: HKLM\software\classes\qlink.qlhelper\ (3 subtraces) (ID = 890669)
9:49 PM: HKLM\software\classes\qlink.qlhelper.1\ (3 subtraces) (ID = 890673)
9:49 PM: HKLM\software\classes\clsid\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (8 subtraces) (ID = 890677)
9:49 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\ (10 subtraces) (ID = 890686)
9:49 PM: Found Adware: instant access
9:49 PM: HKLM\software\classes\clsid\{e225ab73-4d7e-45f7-9425-47d2f7c7a8ab}\progid\ (1 subtraces) (ID = 890691)
9:49 PM: HKLM\software\classes\typelib\{090712ed-1622-4227-94d3-f573a9c2577f}\ (9 subtraces) (ID = 890697)
9:49 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
9:49 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser qlhelper objects\{aa3c0ffe-758e-4c41-b1b9-2d711915a938}\ (ID = 909564)
9:49 PM: Found Adware: popup killer
9:49 PM: HKU\S-1-5-21-1547161642-1482476501-725345543-500\software\ultimate popup killer\ (3 subtraces) (ID = 136785)
9:49 PM: Registry Sweep Complete, Elapsed Time:00:00:17
9:49 PM: Starting Cookie Sweep
9:49 PM: Found Spy Cookie: 2o7.net cookie
9:49 PM: administrator@2o7[1].txt (ID = 1957)
9:49 PM: Found Spy Cookie: 3 cookie
9:49 PM: administrator@3[1].txt (ID = 1959)
9:49 PM: Found Spy Cookie: websponsors cookie
9:49 PM: [email protected][2].txt (ID = 3665)
9:49 PM: Found Spy Cookie: abcsearch cookie
9:49 PM: administrator@abcsearch[1].txt (ID = 2033)
9:49 PM: Found Spy Cookie: yieldmanager cookie
9:49 PM: [email protected][1].txt (ID = 3751)
9:49 PM: Found Spy Cookie: adknowledge cookie
9:49 PM: administrator@adknowledge[1].txt (ID = 2072)
9:49 PM: Found Spy Cookie: hbmediapro cookie
9:49 PM: [email protected][2].txt (ID = 2768)
9:49 PM: Found Spy Cookie: specificclick.com cookie
9:49 PM: [email protected][1].txt (ID = 3400)
9:49 PM: Found Spy Cookie: addynamix cookie
9:49 PM: [email protected][1].txt (ID = 2062)
9:49 PM: Found Spy Cookie: cc214142 cookie
9:49 PM: [email protected][1].txt (ID = 2367)
9:49 PM: Found Spy Cookie: advertising cookie
9:49 PM: administrator@advertising[2].txt (ID = 2175)
9:49 PM: Found Spy Cookie: falkag cookie
9:49 PM: [email protected][2].txt (ID = 2650)
9:49 PM: [email protected][2].txt (ID = 2650)
9:49 PM: [email protected][2].txt (ID = 2650)
9:49 PM: Found Spy Cookie: ask cookie
9:49 PM: administrator@ask[1].txt (ID = 2245)
9:49 PM: Found Spy Cookie: atlas dmt cookie
9:49 PM: administrator@atdmt[2].txt (ID = 2253)
9:49 PM: Found Spy Cookie: atwola cookie
9:49 PM: administrator@atwola[1].txt (ID = 2255)
9:49 PM: Found Spy Cookie: azjmp cookie
9:49 PM: administrator@azjmp[2].txt (ID = 2270)
9:49 PM: Found Spy Cookie: belnk cookie
9:49 PM: administrator@belnk[1].txt (ID = 2292)
9:49 PM: Found Spy Cookie: bizrate cookie
9:49 PM: administrator@bizrate[1].txt (ID = 2308)
9:49 PM: Found Spy Cookie: bluestreak cookie
9:49 PM: administrator@bluestreak[1].txt (ID = 2314)
9:49 PM: Found Spy Cookie: burstnet cookie
9:49 PM: administrator@burstnet[2].txt (ID = 2336)
9:49 PM: Found Spy Cookie: casalemedia cookie
9:49 PM: administrator@casalemedia[2].txt (ID = 2354)
9:49 PM: [email protected][2].txt (ID = 2293)
9:49 PM: [email protected][1].txt (ID = 1958)
9:49 PM: Found Spy Cookie: clickandtrack cookie
9:49 PM: [email protected][2].txt (ID = 2397)
9:49 PM: Found Spy Cookie: linksynergy cookie
9:49 PM: administrator@linksynergy[1].txt (ID = 2926)
9:49 PM: Found Spy Cookie: maxserving cookie
9:49 PM: administrator@maxserving[1].txt (ID = 2966)
9:49 PM: Found Spy Cookie: top-banners cookie
9:49 PM: [email protected][1].txt (ID = 3548)
9:49 PM: Found Spy Cookie: nextag cookie
9:49 PM: administrator@nextag[2].txt (ID = 5014)
9:49 PM: Found Spy Cookie: shop@home cookie
9:49 PM: [email protected][1].txt (ID = 3368)
9:49 PM: Found Spy Cookie: paypopup cookie
9:49 PM: administrator@paypopup[1].txt (ID = 3119)
9:49 PM: Found Spy Cookie: peel network cookie
9:49 PM: administrator@peel[1].txt (ID = 3127)
9:49 PM: Found Spy Cookie: questionmarket cookie
9:49 PM: administrator@questionmarket[2].txt (ID = 3217)
9:49 PM: Found Spy Cookie: realmedia cookie
9:49 PM: administrator@realmedia[2].txt (ID = 3235)
9:49 PM: Found Spy Cookie: reunion cookie
9:49 PM: administrator@reunion[2].txt (ID = 3255)
9:49 PM: Found Spy Cookie: revenue.net cookie
9:49 PM: administrator@revenue[2].txt (ID = 3257)
9:49 PM: Found Spy Cookie: rn11 cookie
9:49 PM: administrator@rn11[2].txt (ID = 3261)
9:49 PM: Found Spy Cookie: servedby advertising cookie
9:49 PM: [email protected][1].txt (ID = 3335)
9:49 PM: Found Spy Cookie: server.iad.liveperson cookie
9:49 PM: [email protected][1].txt (ID = 3341)
9:49 PM: Found Spy Cookie: statcounter cookie
9:49 PM: administrator@statcounter[1].txt (ID = 3447)
9:49 PM: Found Spy Cookie: tradedoubler cookie
9:49 PM: administrator@tradedoubler[2].txt (ID = 3575)
9:49 PM: Found Spy Cookie: trafficmp cookie
9:49 PM: administrator@trafficmp[1].txt (ID = 3581)
9:49 PM: Found Spy Cookie: tribalfusion cookie
9:49 PM: administrator@tribalfusion[2].txt (ID = 3589)
9:49 PM: administrator@yieldmanager[2].txt (ID = 3749)
9:49 PM: Found Spy Cookie: adserver cookie
9:49 PM: [email protected][1].txt (ID = 2142)
9:49 PM: Found Spy Cookie: zedo cookie
9:49 PM: administrator@zedo[2].txt (ID = 3762)
9:49 PM: [email protected][1].txt (ID = 3751)
9:49 PM: [email protected][1].txt (ID = 3548)
9:49 PM: Found Spy Cookie: partypoker cookie
9:49 PM: system@partypoker[2].txt (ID = 3111)
9:49 PM: system@tribalfusion[1].txt (ID = 3589)
9:49 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
9:49 PM: Starting File Sweep
9:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:50 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:50 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:51 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:51 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:52 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:53 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:55 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:56 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:56 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:57 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:58 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:59 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:00 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:00 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:01 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:01 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:02 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:02 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:03 PM: e:\program files\quicklinks (1 subtraces) (ID = -2147468660)
10:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:03 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:03 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:05 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:05 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:06 PM: qlutility.exe (ID = 168232)
10:06 PM: kld101a.dll (ID = 163672)
10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:06 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:06 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:07 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:07 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:08 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:09 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:09 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:09 PM: l80u0id9e80.dll (ID = 163672)
10:09 PM: qllib.dll (ID = 168233)
10:09 PM: guard.tmp (ID = 163672)
10:09 PM: nswddi.dll (ID = 163672)
10:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:10 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
10:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:10 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
10:10 PM: File Sweep Complete, Elapsed Time: 00:21:01
10:10 PM: Full Sweep has completed. Elapsed time 00:24:50
10:10 PM: Traces Found: 166
10:10 PM: Removal process initiated
10:11 PM: Quarantining All Traces: look2me
10:11 PM: look2me is in use. It will be removed on reboot.
10:11 PM: l80u0id9e80.dll is in use. It will be removed on reboot.
10:11 PM: kld101a.dll is in use. It will be removed on reboot.
10:11 PM: l80u0id9e80.dll is in use. It will be removed on reboot.
10:11 PM: guard.tmp is in use. It will be removed on reboot.
10:11 PM: E:\WINDOWS\system32\l80u0id9e80.dll is in use. It will be removed on reboot.
10:11 PM: E:\WINDOWS\system32\kld101a.dll is in use. It will be removed on reboot.
10:11 PM: E:\WINDOWS\system32\guard.tmp is in use. It will be removed on reboot.
10:11 PM: Quarantining All Traces: instant access
10:11 PM: Quarantining All Traces: popup killer
10:11 PM: Quarantining All Traces: quicklink search toolbar
10:11 PM: Quarantining All Traces: 2o7.net cookie
10:11 PM: Quarantining All Traces: 3 cookie
10:11 PM: Quarantining All Traces: abcsearch cookie
10:11 PM: Quarantining All Traces: addynamix cookie
10:11 PM: Quarantining All Traces: adknowledge cookie
10:11 PM: Quarantining All Traces: adserver cookie
10:11 PM: Quarantining All Traces: advertising cookie
10:11 PM: Quarantining All Traces: ask cookie
10:11 PM: Quarantining All Traces: atlas dmt cookie
10:11 PM: Quarantining All Traces: atwola cookie
10:11 PM: Quarantining All Traces: azjmp cookie
10:11 PM: Quarantining All Traces: belnk cookie
10:11 PM: Quarantining All Traces: bizrate cookie
10:11 PM: Quarantining All Traces: bluestreak cookie
10:11 PM: Quarantining All Traces: burstnet cookie
10:11 PM: Quarantining All Traces: casalemedia cookie
10:11 PM: Quarantining All Traces: cc214142 cookie
10:11 PM: Quarantining All Traces: clickandtrack cookie
10:11 PM: Quarantining All Traces: falkag cookie
10:11 PM: Quarantining All Traces: hbmediapro cookie
10:11 PM: Quarantining All Traces: linksynergy cookie
10:11 PM: Quarantining All Traces: maxserving cookie
10:11 PM: Quarantining All Traces: nextag cookie
10:11 PM: Quarantining All Traces: partypoker cookie
10:11 PM: Quarantining All Traces: paypopup cookie
10:11 PM: Quarantining All Traces: peel network cookie
10:11 PM: Quarantining All Traces: questionmarket cookie
10:11 PM: Quarantining All Traces: realmedia cookie
10:11 PM: Quarantining All Traces: reunion cookie
10:11 PM: Quarantining All Traces: revenue.net cookie
10:11 PM: Quarantining All Traces: rn11 cookie
10:11 PM: Quarantining All Traces: servedby advertising cookie
10:11 PM: Quarantining All Traces: server.iad.liveperson cookie
10:11 PM: Quarantining All Traces: shop@home cookie
10:11 PM: Quarantining All Traces: specificclick.com cookie
10:11 PM: Quarantining All Traces: statcounter cookie
10:11 PM: Quarantining All Traces: top-banners cookie
10:11 PM: Quarantining All Traces: tradedoubler cookie
10:11 PM: Quarantining All Traces: trafficmp cookie
10:11 PM: Quarantining All Traces: tribalfusion cookie
10:11 PM: Quarantining All Traces: websponsors cookie
10:11 PM: Quarantining All Traces: yieldmanager cookie
10:11 PM: Quarantining All Traces: zedo cookie
10:11 PM: Warning: Launched explorer.exe
10:11 PM: Warning: Quarantine process could not restart Explorer.
10:11 PM: Removal process completed. Elapsed time 00:01:10
********
9:44 PM: | Start of Session, Thursday, October 27, 2005 |
9:44 PM: Spy Sweeper started
9:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:45 PM: The Spy Communication shield has blocked access to: www.ad-w-a-r-e.com
9:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:45 PM: The Spy Communication shield has blocked access to: www.a-d-w-a-r-e.com
9:45 PM: Your spyware definitions have been updated.
9:45 PM: | End of Session, Thursday, October 27, 2005 |
  • 0

#5
kingofighter

kingofighter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
I don't know if you need this, but here is the newest HijackThis log (the IEXPLORE.exe is still there).

Logfile of HijackThis v1.99.1
Scan saved at 10:23:56 PM, on 10/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
E:\WINDOWS\System32\rundll32.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\system32\QTRAYIME.EXE
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Program Files\AIM\aim.exe
E:\Program Files\BitSpirit\BitSpirit.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\FlashGet\flashget.exe
E:\Program Files\Messenger\msmsgs.exe
E:\HijackThis\HijackThis.exe

O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - E:\PROGRA~1\FlashGet\jccatch.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [gcasServ] "E:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [msnmsgr] "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\System32\ctfmon.exe
O4 - Startup: Q9 Tray.lnk = E:\WINDOWS\system32\QTRAYIME.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - E:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download Using &BitSpirit - E:\Program Files\BitSpirit\bsurl.htm
O8 - Extra context menu item: Download using FlashGet - E:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - E:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - E:\PROGRA~1\FlashGet\flashget.exe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "E:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - E:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - E:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - E:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: IμI33IDo (炵苀最唗) - Unknown owner - E:\WINDOWS\G_Server.exe
  • 0

#6
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Very sorry for the late reply.

I need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes.
  • Open Microsoft AntiSpyware.
  • Click on Options, Settings.
  • In the left pane, click on Real-time Protection.
  • Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
  • Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
  • After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
  • Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware


You have the latest version of VX2. Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.



Danny :tazz:
  • 0

#7
kingofighter

kingofighter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
Setting Directory
E:\
E:\
System Rebooted!

Running From:
E:\

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1848 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1876 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!

Zipping up files for submission:
adding: clear.reg (188 bytes security) (deflated 58%)
adding: lo2.txt (188 bytes security) (deflated 49%)
adding: test.txt (188 bytes security) (stored 0%)
adding: test2.txt (188 bytes security) (deflated 40%)
adding: test3.txt (188 bytes security) (deflated 40%)
adding: test5.txt (188 bytes security) (deflated 40%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{AB3C9DBF-CD06-4978-897F-93A69316E08C}"=-
"{38D9B660-E632-4147-A538-2678FDAF9085}"=-
"{38447A11-BCAA-486A-8AB2-B0291C26A731}"=-
"{F0293D46-28E4-4E38-BDE7-4155445DB6FB}"=-
"{EB9A5FCC-C832-4EBA-8566-6A6285C2B30B}"=-
"{CC150CF5-8158-42E9-828E-227D459771B5}"=-
[-HKEY_CLASSES_ROOT\CLSID\{AB3C9DBF-CD06-4978-897F-93A69316E08C}]
[-HKEY_CLASSES_ROOT\CLSID\{38D9B660-E632-4147-A538-2678FDAF9085}]
[-HKEY_CLASSES_ROOT\CLSID\{38447A11-BCAA-486A-8AB2-B0291C26A731}]
[-HKEY_CLASSES_ROOT\CLSID\{F0293D46-28E4-4E38-BDE7-4155445DB6FB}]
[-HKEY_CLASSES_ROOT\CLSID\{EB9A5FCC-C832-4EBA-8566-6A6285C2B30B}]
[-HKEY_CLASSES_ROOT\CLSID\{CC150CF5-8158-42E9-828E-227D459771B5}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

  • 0

#8
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Go to Start > Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the below services:

IμI33IDo

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

GrayPigeonServer

Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.

Danny :tazz:

Edited by Danny, 30 October 2005 - 06:02 PM.

  • 0

#9
kingofighter

kingofighter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
HijackThis said it cannot find it in the registry when I try to delete the NT service.
  • 0

#10
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Can you please look at this post: http://www.dknoppix....opic,153.0.html

And get me a startup list?

Thanks,

Danny :tazz:
  • 0

#11
kingofighter

kingofighter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
StartupList report, 10/31/2005, 4:30:04 PM
StartupList version: 1.52.2
Started from : E:\HijackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Norton AntiVirus\navapsvc.exe
E:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
E:\WINDOWS\System32\nvsvc32.exe
E:\WINDOWS\System32\tcpsvcs.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\System32\ctfmon.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\System32\RUNDLL32.EXE
E:\Program Files\MSN Messenger\msnmsgr.exe
E:\WINDOWS\System32\rundll32.exe
E:\WINDOWS\system32\QTRAYIME.EXE
E:\Program Files\BitSpirit\BitSpirit.exe
E:\Program Files\FlashGet\flashget.exe
E:\Program Files\AIM\aim.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\Program Files\Messenger\msmsgs.exe
E:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[E:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
Q9 Tray.lnk = E:\WINDOWS\system32\QTRAYIME.EXE

Shell folders Common Startup:
[E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IMJPMIG8.1 = "E:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
PHIME2002ASync = E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
PHIME2002A = E:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
ccApp = "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
nwiz = nwiz.exe /install
NvCplDaemon = RUNDLL32.EXE E:\WINDOWS\System32\NvCpl.dll,NvStartup
NvMediaCenter = RUNDLL32.EXE E:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

msnmsgr = "E:\Program Files\MSN Messenger\msnmsgr.exe" /background
ctfmon.exe = E:\WINDOWS\System32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from E:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=E:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\PROGRA~1\FlashGet\jccatch.dll - {A5366673-E8CA-11D3-9CD9-0090271D075B}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Administrator.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{3334504D-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...C4D/mp43dmo.CAB

[MsnMessengerSetupDownloadControl Class]
InProcServer32 = E:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.ocx
CODEBASE = http://messenger.msn...pDownloader.cab

[Shockwave Flash Object]
InProcServer32 = E:\WINDOWS\System32\Macromed\Flash\Flash8.ocx
CODEBASE = http://fpdownload.ma...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: E:\WINDOWS\system32\SHELL32.dll
CDBurn: E:\WINDOWS\system32\SHELL32.dll
WebCheck: E:\WINDOWS\System32\webcheck.dll
SysTray: E:\WINDOWS\System32\stobject.dll
UPnPMonitor: E:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
End of report, 5,489 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
  • 0

#12
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
Hi,

Go back into Services.msc and find the service labeled: IμI33IDo, and double click it.

If you can't find it, look for any service with asian letters, and double click it. Please post back what it says under "Service Name" and "Service Description".

Danny :tazz:
  • 0

#13
kingofighter

kingofighter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
炵苀最唗
  • 0

#14
Danny

Danny

    Visiting Staff

  • Member
  • PipPipPip
  • 684 posts
It said "????" ?

If so, go to Start > Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the below services:

IμI33IDo (OR the one in Asian Letters)

When you find it, double-click on it. In the next window that opens, under the General tab click the Stop button, then click the drop-down box to change the Startup Type to Disabled. Now hit Apply and then Ok.

Open HiJackThis, click on "None of the above, just start the program". Now, click on the "Config" button (bottom right), then click on "Misc Tools", then click on "Delete an NT Service"; a window will pop up. Enter the below item into that field (make sure there are NO spaces before or after the name):

???? (or the name of the service that I asked you to find).
Click OK.

It should pull up information about the service, then ask if you want to reboot. Click YES.

Post a new HiJackThis log after it reboots and let me know if you received any error messages.

If the service name is not ????:

Please tell me the service name. This is a backdoor trojan which steals personal data, so it is vital that we get this thing off!

Danny :tazz:
  • 0

#15
kingofighter

kingofighter

    Member

  • Topic Starter
  • Member
  • PipPip
  • 15 posts
When I paste those Asian characters (I think they are?) into HijackThis they turn into ????, so HijackThis isn't able to remove it. But I did disable it.
  • 0
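The odd O23 entry in the log posted earlier (a service with no publisher, a non-ASCII name and a binary sitting directly in E:\WINDOWS) and the later discovery that its name turns into ???? when pasted into HijackThis are the two things a log reader should catch mechanically rather than by eye. The Python below is an added example, not code from HijackThis or from anyone in this thread; it assumes the HijackThis 1.99 O23 line layout and a Western ANSI code page (cp1252) for the narrowing check, and its sample lines are constructed from the log above.

```python
"""Triage the O23 (NT service) lines of a HijackThis log.

Added example for this thread, not part of HijackThis or any tool the
posters used.  Assumptions: HijackThis 1.99 O23 line layout
'O23 - Service: <display> (<service name>) - <owner> - <path>', and a
Western ANSI code page (cp1252) for the "does this name survive an
ANSI-only tool" check.
"""
import re

# Constructed sample modelled on the log in this thread: three ordinary
# vendor services plus the entry the helper singled out.
SAMPLE_LOG = """\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\\Program Files\\Common Files\\Symantec Shared\\ccEvtMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - E:\\WINDOWS\\System32\\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\\WINDOWS\\System32\\HPZipm12.exe
O23 - Service: IμI33IDo (炵苀最唗) - Unknown owner - E:\\WINDOWS\\G_Server.exe
"""

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)"
    r"(?: \((?P<name>[^()]+)\))?"      # registry service name, when HJT shows one
    r" - (?P<owner>.+?) - (?P<path>.+)$"
)


def parse_o23(log_text):
    """Return one dict per O23 line with keys display, name, owner, path."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            d = m.groupdict()
            # No parenthesised name means HJT printed the service name bare.
            d["name"] = d["name"] or d["display"]
            entries.append(d)
    return entries


def ansi_roundtrip(text, codepage="cp1252"):
    """What an ANSI-only tool sees once the name is narrowed to the code page."""
    return text.encode(codepage, errors="replace").decode(codepage)


def assess(entry, codepage="cp1252"):
    """Return the reasons this service deserves a second look (empty if none)."""
    reasons = []
    if entry["owner"].lower() == "unknown owner":
        reasons.append("no publisher in version info")
    if not entry["name"].isascii() or not entry["display"].isascii():
        reasons.append("non-ASCII characters in service/display name")
    narrowed = ansi_roundtrip(entry["name"], codepage)
    if narrowed != entry["name"]:
        reasons.append(f"name becomes {narrowed!r} in {codepage}; "
                       "an ANSI-only tool cannot address it by name")
    # Heuristic: legitimate service binaries rarely live in %WINDIR% itself.
    folder = entry["path"].rsplit("\\", 1)[0].lower()
    if folder.endswith("\\windows"):
        reasons.append("executable sits directly in the Windows directory")
    return reasons


def suspicious_services(log_text, codepage="cp1252"):
    """Map service name -> reasons, for every O23 entry that has at least one."""
    result = {}
    for entry in parse_o23(log_text):
        reasons = assess(entry, codepage)
        if reasons:
            result[entry["name"]] = reasons
    return result


if __name__ == "__main__":
    for name, why in suspicious_services(SAMPLE_LOG).items():
        print(name, "->", "; ".join(why))
```

Only the G_Server.exe entry is reported, and one of its reasons is exactly the failure seen in this thread: its registry name does not survive the trip through a Western code page, so any tool that takes the name as ANSI text is handed four question marks instead.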
