# Ok I have a virus and not sure how to get rid of it :(



## kickrz (Jul 30, 2003)

Norton has advised me that I have a virus but it didn't tell me where it was. It said the file was called Loader.exe and the Virus was Downloader.Trojan. Couldn't quarantine and couldn't delete it.
I did an online scan and it found nothing and got rid of my adware garbage but Norton just keeps picking this thing up. I just got another pop up that said it was in my Local Setting Temp folder. Who knows maybe now I have 2.
How can I find and get rid of this thing...Any ideas???

Also why are most of my folders in that local setting temp directory empty. They all have weird numbers for names and they are 90% empty. Is it safe to delete these empty files???

If someone could please help me out I would greatly appreciate it. I live on the net and don't want anyone's stupid virus 

Not sure if it matters but I am running XP!

Thanks for any and all help!!
~Lynn


----------



## Flrman1 (Jul 26, 2002)

Please do this. Go here http://www.tomcoyote.org/hjt/ and download Hijack This. Unzip it and click on Hijackthis.exe.

Click the "Scan" button. When the scan is finished, the scan button will become "Save Log"; click that and save the log.

Go to where you saved the log and click on "Edit > Select All" then click on "Edit > Copy" then paste the log back here in a reply.

Do NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required. Someone here will be glad to advise you on what to fix.


----------



## kickrz (Jul 30, 2003)

Ok here is the hijack file...Hope this helps:

Logfile of HijackThis v1.97.3
Scan saved at 8:33:49 PM, on 10/29/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Trojan Guarder\Trojan Guarder.exe
C:\Program Files\Corel\Graphics9\Register\Remind32.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Norton AntiVirus\Navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monkey\Desktop\Hijackthisprogram\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.execulink.com/bulletins/buy_and_sell.html
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [vcs3demo] C:\PROGRA~1\AVVCS3~1.0\Vcs3Cmd.exe
O4 - HKLM\..\Run: [USSShReg] C:\PROGRA~1\ULEADS~1\ULEADP~1\SSaver\Ussshreg.exe /r
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - Startup: Corel Registration.lnk = C:\Program Files\Corel\Graphics9\Register\Remind32.exe
O4 - Global Startup: Trojan Guarder.lnk = C:\Program Files\Trojan Guarder\Trojan Guarder.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37793.3612268519
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A0E680-3A6F-472E-8281-53445C2F1266}: NameServer = 199.166.6.2 209.239.11.98

Thanks!!


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close all browser windows and "Fix checked".

O1 - Hosts: 216.93.168.167 auto.search.msn.com

O1 - Hosts: 216.93.168.167 sitefinder.verisign.com

O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://ftp.coupons.com/v6/brix6ie.cab

Restart to safe mode and delete the entire contents of the:

C:\Documents and Settings\Your name here\Local settings\Temp folder

Do you know what this is?:

O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

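The O1 entries Flrman1 picks out are hosts-file redirects: a non-loopback address placed in front of a real domain, which is different from the 127.0.0.1 "blocking" entries ad-blockers add. As an added example that is not from the thread or from HijackThis itself, here is a small Python parser for the HJT v1.97 log format pasted above that flags O1 redirects, O4 autostart entries not on a reviewer's known-good list, and O16 ActiveX downloads from hosts outside an assumed vendor allowlist (the allowlist, the known-good names and the sample lines are constructed for the example):

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the shape of the HijackThis v1.97 log posted in the
# thread; only a handful of representative lines, not the full log.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.execulink.com/bulletins/buy_and_sell.html
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O1 - Hosts: 127.0.0.1 ads.example.invalid
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB
"""

# Every HJT finding line is "<section> - <detail>", e.g. "O1 - Hosts: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<detail>.+)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*):\s+\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
DPF_RE = re.compile(r"^DPF:\s+\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s+\((?P<name>[^)]*)\)\s+-\s+(?P<url>\S+)")

# 127.0.0.1 / 0.0.0.0 entries only block a name; anything else redirects it.
BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}
# Assumed vendor allowlist for ActiveX download sources (constructed).
TRUSTED_DPF_SUFFIXES = (".microsoft.com", ".symantec.com", ".macromedia.com")


@dataclass
class Finding:
    section: str
    severity: str   # "high", "review" or "info"
    message: str


def parse_entries(text):
    """Return (section, detail) pairs for every HJT finding line."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append((m.group("sec"), m.group("detail")))
    return out


def check_o1(detail):
    m = HOSTS_RE.match(detail)
    if not m:
        return None
    ip, host = m.group("ip"), m.group("host")
    if ip in BLACKHOLE_IPS:
        return Finding("O1", "info", f"hosts blocks {host} (points at {ip})")
    return Finding("O1", "high", f"hosts redirects {host} to {ip}")


def check_o4(detail, known_good):
    """Registry Run entries only; Startup-folder links are left to the reader."""
    m = RUN_RE.match(detail)
    if not m:
        return []
    name, cmd = m.group("name"), m.group("cmd").strip()
    findings = []
    if name.lower() not in known_good:
        findings.append(Finding("O4", "review", f"unrecognised autostart [{name}] -> {cmd}"))
    if "\\" not in cmd:
        # A bare file name is resolved through the search path at logon,
        # so the log alone does not tell you which binary actually runs.
        findings.append(Finding("O4", "review", f"[{name}] runs {cmd} with no directory"))
    return findings


def check_o16(detail):
    m = DPF_RE.match(detail)
    if not m:
        return None
    host = (urlparse(m.group("url")).hostname or "").lower()
    if host.endswith(TRUSTED_DPF_SUFFIXES):
        return Finding("O16", "info", f"ActiveX {m.group('name')} from allowlisted host {host}")
    return Finding("O16", "review", f"ActiveX {m.group('name')} downloaded from {host}")


def analyse(text, known_good=frozenset()):
    """Run the O1/O4/O16 checks over a log and return the findings in log order."""
    known = {k.lower() for k in known_good}
    findings = []
    for sec, detail in parse_entries(text):
        if sec == "O1":
            f = check_o1(detail)
            findings += [f] if f else []
        elif sec == "O4":
            findings += check_o4(detail, known)
        elif sec == "O16":
            f = check_o16(detail)
            findings += [f] if f else []
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, {"NAV Agent", "WINDVDPatch"}):
        print(f"{f.severity:6} {f.section:3} {f.message}")
```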

----------



## kickrz (Jul 30, 2003)

Ok I will go ahead and do the hijack this thing.
Do I know what, what is the OpenSite thing??? I have no idea what most of it is...lol.
I will wait on a reply before I go to reboot in safe mode.

Thanks for the quick help...I am eager to rid myself of this nonsense.
Thanks
~Lynn


----------



## Flrman1 (Jul 26, 2002)

Go ahead and do the suggestions above. 

Also go to the C:\Program Files\Open Site folder.

Find the opnste.exe file 

Right click it and choose "Properties" then look under the "Version" tab and see what it says the "Company Name" and "Product Name" are. Let me know what it says.

I suspect it is a baddie and I may want you to send me a copy of it via email for analysis.


----------



## kickrz (Jul 30, 2003)

Ok I went ahead and checked those that applied to me. I also tried to delete the documents and setting/temp file but it would not let me delete it all. 
Also that OpenSite thing
It says Product Name: Opensite
and Version :1.00
It does come with an uninstall should I just use that????

Thanks
~Lynn


----------



## Flrman1 (Jul 26, 2002)

Yes I would uninstall it since you don't know what it is. I can't find any info on it either.

If you don't mind, before you uninstall it, copy the opnste.exe file and email it to me here.

I'll let you know what I find.

Fix this entry with Hijack This:

O4 - HKLM\..\Run: [Open Site] C:\Program Files\Open Site\opnste.exe

Restart and delete the OpenSite folder.

When you deleted the files in the temp folder were you in safe mode?


----------



## kickrz (Jul 30, 2003)

Hey, sorry but I figured you would say to uninstall it and that is what I already did.
And yes I was in safe mode when I deleted the temp files but each subfolder still has at least 1 file still in it. But I figure that can't be too much of a problem because they are all from a site that I have visited in the past. There is no option to delete just Open, Edit whatever but no delete.

So this should fix my virus problem???

Thanks!
~Lynn


----------



## Flrman1 (Jul 26, 2002)

These viruses hide in your System Restore archives. I would turn off System Restore to clear all restore points. Restart your computer and create a restore point.

After that I'd say you're all set! :up:


----------



## kickrz (Jul 30, 2003)

Great thanks for the help...I will do that now and if it doesn't work for some weird reason...I will be back..lol!!

Thanks Again
~Lynn


----------



## Flrman1 (Jul 26, 2002)

You're Welcome! :up:


----------



## kickrz (Jul 30, 2003)

Virus is STILL here. I just turned off my system restore and rebooted in safe mode after getting the latest virus definitions. I ran a virus scan and this time I caught where Norton has found it. It found it in C:\Found.000 but there is no such file that I can see.
Anyone have a clue what the heck this is and how I can rid myself of it????

Thanks!!
Lynn


----------



## Flrman1 (Jul 26, 2002)

Did it say that C:\Found.000 is the infected file?

Did it not quarantine the file?


----------



## kickrz (Jul 30, 2003)

If I watch Norton during the scan that is where it stops when the virus is found.
I have looked for C:\Found.000 but of course can't find it. My system restore is still off and I have no idea what else to do.
I still can't figure out why my Trojan software and other anti-virus programs aren't picking it up ...just Norton.
After it found the file I hit Quarantine and it said that Norton couldn't do it, so then it asked if I wanted to delete it and it wouldn't do that either. So my only choice at that point is to exit and when I leave it reminds me that my computer is still infected.
And when Norton shows the virus all it says is FILE : Loader.exe and VIRUS: Downloader.Trojan. but no location there.

If someone can help I would appreciate it.
Thanks!


----------



## kickrz (Jul 30, 2003)

Ok and 1 more thing. I did 2 online scans one with Symantec and one with Panda Activescan and neither scan picked up this virus.
So nothing is picking it up not even trojan remover programs.

Thanks!


----------



## kickrz (Jul 30, 2003)

Anyone???? Please help! I want this virus gone


----------



## Flrman1 (Jul 26, 2002)

Boot to safe mode. 

In Safe Mode Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders". 
In the "All or part of the file name" box type:

Loader.exe 

Click "Search" when found right click and delete.


----------



## kickrz (Jul 30, 2003)

Thanks I will try that now!!!!


----------



## kickrz (Jul 30, 2003)

Ok I did exactly what you said but it found nothing. No file whatsoever  Any other ideas or shall I pass it along so my husband can reformat?
I was hoping to get this fixed so I didn't have to go to such extremes but if that is my only other option then I guess that is all I can do.
BUT if there is another option out there I am willing to try.

Thanks Again!


----------



## kickrz (Jul 30, 2003)

So am I out of options??
Has this thing defeated me and now all I have left to do is format??
Is there anyone out there that has info on this virus...Like what it actually does? Can I still use my email, messenger and surf the net??
I would really appreciate some help I am dying here!!

Thanks 
Lynn


----------



## Flrman1 (Jul 26, 2002)

I really don't know what to tell you.

It didn't show up in your Hijack This log.

Please post another HJT log.


----------



## kickrz (Jul 30, 2003)

Thanks I do appreciate the help. This is a great forum but it is funny how you are the only one that seems to wanna help. Without any of your replies I would still be at square one. Does this board have people with certain specialties? Lots of people view it but no one else helps.

Anyway here is my log:

Logfile of HijackThis v1.97.3
Scan saved at 9:41:12 AM, on 10/31/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Monkey\Desktop\Hijackthisprogram\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.execulink.com/bulletins/buy_and_sell.html
O1 - Hosts: comments (such as these) may be inserted on individual
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {B9D6B3C2-09AD-464A-8162-8C55114C808A} - C:\Program Files\AV VCS 3.0\Vcs3RT.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: NeoTrace It! (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} (UCSearch.ucUCSearch) - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.trojanscan.com/trojanscan/TDECntrl.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37793.3612268519
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A0E680-3A6F-472E-8281-53445C2F1266}: NameServer = 199.166.6.2 209.239.11.98

Thanks Again!


----------



## Flrman1 (Jul 26, 2002)

Well I still don't see loader.exe. It is very puzzling as I am familiar with it. It is most frequently associated with a browser hijack and found in this folder C:\Program Files\Clear Search.

Look and see if you have such a folder. If so delete it.


----------



## kickrz (Jul 30, 2003)

Well of course it is not there  That would be too easy!
I looked and even searched for it but nothin!

So you do know this virus????
What does it do and what effects does it have on my computer?
Should I avoid my emails, messenger service and surfing all together??? I also go to a chat room will that cause any problem if this virus is here hiding???

The thing I can't figure out is why none of the 3 online scans I did found it and neither did my Trojan software. Only Norton finds it time after time.

Well it is starting to look like a format job right??

Thanks hopefully you can shed some light on what this virus does.


~Lynn


----------



## Flrman1 (Jul 26, 2002)

Well the loader.exe that I referred to above would not be classified as a virus. It's more of an adware\spyware type trojan.

Just recently AV companies like Norton and McAfee have started adding this type of foistware to their detections. I've seen a lot of cases where they seem to detect them but not remove them.

At this point I'd say that a reformat is a bit extreme as we have not yet exhausted the possibilities.

Since Adaware and Spybot are the leaders in detecting and removing this type of invader I suggest we try those.

Go here http://www.lavasoftusa.com/software/adaware/ and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a check by "Let windows remove files in use at next reboot" then click "Proceed"

Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
After getting the latest reference files you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished put a check by everything it finds and let it fix it all.

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

See if this helps.

If not we should look at a Startup List. You can generate a Startup List with Hijack This.

Open HJT. Click on the "Config" button in the lower right corner. Now click on "Misc Tools" then under "Generate Startup List" put a check by "List also minor sections (full)". Now click on the "Generate Startup List" button and copy and paste the contents of the list back here in a reply.

Of course if Adaware and Spybot fix the problem there will be no need for the startup list.


----------



## lotuseclat79 (Sep 12, 2003)

If you still have a virus, try the following free housecall at TrendMicro:

http://housecall.trendmicro.com/housecall/start_corp.asp

It takes a while, but is very thorough and updates its pattern file weekly, sometimes twice within a week's time.

Good luck,

-- Tom


----------



## kickrz (Jul 30, 2003)

I did use Adaware 6 and got rid of the garbage yesterday. And I did it again today but it found 0 files.
I double checked all the settings and they were all exactly what you said to have checked.
I also checked for updates and it said there wasn't any.
I will do another scan so that I am following you word for word and let you know how it turns out.

Also the Trend Micro scan I did that yesterday as well and it only got so far then it shuts the whole window down but at this point I will try anything so I will do it again.

Be back in a few!!!!

Thanks!!


----------



## kickrz (Jul 30, 2003)

Ohh and 1 more thing. I just did the Trend Micro scan and it said it found nothing but Norton did pop up and say it found the downloader.trojan virus in my temp file.
the path was C:\documents and Settings\myname\local settings\temp\V4803Ka03284.

So does that mean this is where it is?? Cause I don't see anything that looks like that on here.

Just thought I would add that I am off to do the rest you suggested.

Thanks!


----------



## Flrman1 (Jul 26, 2002)

Boot to safe mode and delete the entire contents of the:

C:\documents and Settings\myname\local settings\temp folder


----------



## kickrz (Jul 30, 2003)

Ok done! I did EVERYTHING as advised and Norton is still finding it. I have no files whatsoever in my temp folder.
So I have done the startup log and here it is:

StartupList report, 10/31/2003, 4:47:25 PM
StartupList version: 1.52
Started from : C:\Documents and Settings\Monkey\Desktop\Hijackthisprogram\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Documents and Settings\Monkey\Desktop\Hijackthisprogram\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

NAV Agent = C:\PROGRA~1\NORTON~1\navapw32.exe
IncrediMail = C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
WINDVDPatch = CTHELPER.EXE
Jet Detection = "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\INF\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{306D6C21-C1B6-4629-986C-E59E1875B8AF}] *
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",HideIconsUser

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\AV VCS 3.0\Vcs3RT.dll - {B9D6B3C2-09AD-464A-8162-8C55114C808A}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[UCSearch.ucUCSearch]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\UCSearch.ocx
CODEBASE = http://www.armbender.com/UCSearch.CAB

[Scanner Class]
InProcServer32 = C:\temp\TDECntrl\TDECntrl.dll
CODEBASE = http://www.trojanscan.com/trojanscan/TDECntrl.CAB

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\avsniff.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\rufsi.dll
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab

[WScanCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\webscan.dll
CODEBASE = http://www3.ca.com/virusinfo/webscan.cab

[ActiveScan Installer Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\asinst.dll
CODEBASE = http://www.pandasoftware.com/activescan/as5/asinst.cab

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37793.3612268519

[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/SymAData.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[ActiveDataObj Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ActiveData.dll
CODEBASE = https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab

--------------------------------------------------

Enumerating Windows NT/2000/XP services

AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LexBce Server: C:\WINDOWS\system32\LEXBCES.EXE (autostart)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Norton AntiVirus Auto Protect Service: C:\Program Files\Norton AntiVirus\navapsvc.exe (autostart)
NVIDIA Driver Helper Service: %SystemRoot%\System32\nvsvc32.exe (autostart)
PfModNT: \??\C:\WINDOWS\System32\PfModNT.sys (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
Remote Registry: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
ScriptBlocking Service: C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe (autostart)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
SYMTDI: \??\C:\WINDOWS\System32\Drivers\SYMTDI.SYS (autostart)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Vcs support: \??\C:\WINDOWS\System32\Drivers\Vcs.sys (autostart)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Automatic Updates: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 11,039 bytes
Report generated in 0.125 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Well I hope you can make some sense of this cause it looks foreign to me.

Thanks!

Lynn


----------



## Flrman1 (Jul 26, 2002)

I don't see anything in the startup list.

Do you delete your temporary internet files regularly? If you haven't done so lately, do it now.

I am at a loss here.

I think I'll ask someone else to look at this thread. Maybe they will have an idea that I'm just missing.


----------



## dvk01 (Dec 14, 2002)

local settings is a hidden system file in Xp so 
make sure that you have all files set to show by opening explorer /tools/folder options/view and make sure that show hidden files & folders is ticked and hide protected operating system files is UNticked

then navigate to the folder using windows explorer /press edit /select all & delete everything in the folder


----------



## kickrz (Jul 30, 2003)

Ok done that and it says that my temp folder is empty. Should I recheck that box that says hide protected operating system files?
Since that didn't work I am leery about it being displayed cause if I delete some thing I am not supposed to then I will have more problems.

I also clicked properties and it says 0 bytes, not sure if that makes a difference but what the heck we've gone this far.

Could this be an error with Norton?? Like it keeps finding it cause maybe it is messed up?? I have another virus program here and can get rid of Norton install the new one to see if it picks it up as well. Then if it doesn't re-install Norton fresh. And if it finds it maybe the new one can delete it??

Or am I reaching now???

I am soo sick of this mess as I am sure you all are too.

Thanks!
~Lynn


----------



## dvk01 (Dec 14, 2002)

do this 

press start button/ run/ type cmd

when the black screen comes up 

type or copy & paste this line and press return 

C:\documents and Settings\myname\local settings\temp\V4803Ka03284

change the myname for the actual name of the user folder

that should delete the file

Since Norton decided to target spyware & not just viruses & proper trojans there are all sorts of false readings and problems.


----------



## dvk01 (Dec 14, 2002)

forget the above post 

let's do this the easy way

open windows explorer navigate to C:\documents and Settings\myname\local settings\temp and delete the entire temp folder itself.
reboot & windows will create a new one that will be empty and ready for use

then run a virus scan with norton & see what happens


----------



## kickrz (Jul 30, 2003)

When I go to C:\documents and Settings\myname\local settings\temp it is already empty there is nothing to delete.

I deleted that about 2 hours ago and after I did delete it I did a scan and it was still finding the virus.
So there is nothing in Temp anymore.

Thanks
~Lynn


----------



## kickrz (Jul 30, 2003)

Ok so this may be of interest. I just checked my Norton log file and this is what it says:

The compressed file loader.exe within C:\Found.000\FILE0002.CHK is infected with the downloader.trojan virus.
Unable to delete this file

There are 2 that say this and another one that says:

The file C:\docume~1\myname\local~1\temp\V4803Ka03284 is infected with the downloader.trojan virus. Unable to repair.

The one with the long number appears twice then 2 more of the C:\found one after that again.

Does this maybe help a little???

Thanks Again
~Lynn


----------



## dvk01 (Dec 14, 2002)

when you open C:\documents and Settings\

how many users are there

delete the temp folder for every user


----------



## dvk01 (Dec 14, 2002)

.chk files are left over bits after scandisk has found and repaired damaged files
they are very rare in XP, so I assume you have FAT32 not ntfs file system

can you find the C:\Found.000 folder if so delete it


----------



## dvk01 (Dec 14, 2002)

I'm seeing a few of these now and am wondering if Norton has screwed up somewhere as many posts are saying the same thing.

Norton supposedly "finds" a trojan, but the files don't exist anywhere, or if they do, they are so well hidden that normal usage doesn't find them.


----------



## kickrz (Jul 30, 2003)

I have no idea where or how to find it. I did a search for it but couldn't find it. There are no other temp files for any other user.

But I also did find on my Norton log that just before it detected this it detected something else.
download106746294.dat is infected with the [email protected] virus. Unable to repair and access to the file was denied.

Could this some how be related??? Cause it all seemed fine then this virus and now the downloader.trojan right after that. 


OK WAIT !!!!!!!!!!!!!!

I did a search for *.chk and it found a WHOLE bunch!!!
actually 10 all together!!!

OMG!! Do I delete them ALL????


Could this be it!!??!!!

Ok waiting patiently for a reply 

Thanks
~Lynn


----------



## dvk01 (Dec 14, 2002)

hang on I've just thought 

have you got spybot or adaware

if so delete the backups or quarantine files from them 

I think that is what is happening

adaware/spybot have removed the file originally but norton is finding it in a hidden quarantine file that's only available to spybot/adaware 

in adaware start the program/ press open quarantine list and delete it all

open spybot in advanced mode and press recovery, select all items and press purge


----------



## dvk01 (Dec 14, 2002)

Yes all 000.chk files can be safely deleted, they are totally useless

they are a result of scandisk errors


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by dvk01:_
> *hang on I've just thought
> 
> have you got spybot or adaware
> ...


Good thinking Derek! :up:

Wish I'd thought of that.............


----------



## kickrz (Jul 30, 2003)

Ok here are the actual files it found:



| NAME | IN FOLDER |
|---|---|
| FILE0000.CHK | C:\FOUND.000 |
| FILE0001.CHK | C:\FOUND.000 |
| FILE0002.CHK | C:\FOUND.000 |
| FILE0000.CHK | C:\Found.001 |
| FILE0000.CHK | C:\Found.002 |
| edb.chk | C:\Windows\security |
| edb.chk | C:\Windows\system32\CatRoot2 |
| FILE0000.CHK | D:\Found.000 |
| FILE0000.CHK | H:\Found.000 |
| FILE0000.CHK | I:\Found.000 |

Thanks!

Sorry so do I leave the edb.chk ones????


----------



## dvk01 (Dec 14, 2002)

I'm not sure if I'm right Mark but I remember reading somewhere that spybot keeps its backups in a hidden zip that doesn't show in explorer in local settings folder


----------



## dvk01 (Dec 14, 2002)

these are safe to delete

| NAME | IN FOLDER |
|---|---|
| FILE0000.CHK | C:\FOUND.000 |
| FILE0001.CHK | C:\FOUND.000 |
| FILE0002.CHK | C:\FOUND.000 |
| FILE0000.CHK | C:\Found.001 |
| FILE0000.CHK | C:\Found.002 |
| FILE0000.CHK | D:\Found.000 |
| FILE0000.CHK | H:\Found.000 |
| FILE0000.CHK | I:\Found.000 |

*DO NOT delete* these two:

| NAME | IN FOLDER |
|---|---|
| edb.chk | C:\Windows\security |
| edb.chk | C:\Windows\system32\CatRoot2 |


----------



## kickrz (Jul 30, 2003)

Ok GREAT I deleted all but those and should I reboot before a new scan???

If this works I will be soooo HAPPY!!!!

Thanks!
~Lynn


----------



## dvk01 (Dec 14, 2002)

yes definitely reboot and see what happens

I will check back in the morning as I'm off to bed now but Flrman1 will keep an eye open and see if any more needs doing


----------



## kickrz (Jul 30, 2003)

Ok can't wait dying to know if this worked   
I will reboot and scan then be right back!!

Thanks Again!!!
~Lynn


----------



## Flrman1 (Jul 26, 2002)

> _Originally posted by dvk01:_
> *hang on I've just thought
> 
> have you got spybot or adaware
> ...


Just wanted to make sure you didn't miss this. I think Derek may be on to something here.


----------



## kickrz (Jul 30, 2003)

Ok so the verdict is..........NO INFECTIONS FOUND :up: :up: :up: 

Deleting the C:\Found files seems to have worked. I have NO virus!!!!!


THANK YOU!!! THANK YOU!!! THANK YOU!!!!

I am off to surf the net and catch up on my emails.

I really do appreciate ALLLL the help!

Thanks again and take care!!!


~Lynn


----------



## Flrman1 (Jul 26, 2002)

Good Job! :up:

Thanks for the backup Derek.


----------



## atruefish (Nov 19, 2003)

Hi I have Norton Anti-virus 2003 Professional Edition which has solved my problems in the past, however I recently acquired the Downloader.Trojan virus and I can't get rid of it. I ran the Hijack This program and this is what I came up with:
Logfile of HijackThis v1.97.7
Scan saved at 4:12:59 PM, on 11/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\Inet Delivery\intdel_2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINNT\wt\updater\wcmdmgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel\The Weather Channel.exe
C:\WINNT\System32\RunDLL32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\regedit.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\svchost.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lw15fd.law15.hotmail.msn.com...F000000001&a=1fe9967eb4be5af4775f37dc38836a86
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_page.html?&account_id=132702
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopnav.com/apps/epa/epa?cid=shnv9884&s=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.2020search.com/search/9884/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lw15fd.law15.hotmail.msn.com...01&a=b79f8e79c4b40c3009bdafbfb6a0fa86&fti=yes
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {14b3d246-6274-40b5-8d50-6c2ade2ab29b} - C:\Program Files\Srng\SNHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINNT\wsem216.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {F7F808F0-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINNT\nem214.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-5F8507C5F4E9} - C:\WINNT\iempg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Srng] \Program Files\Srng\Srng.exe
O4 - HKLM\..\Run: [msbb] C:\winnt\msbb.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LYG] C:\WINNT\LYG.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\intdel_2.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINNT\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stcloader] C:\WINNT\System32\stcloader.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Desktop Weather 3] C:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebcam/eng5/common/AXWebMonProj1.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - https://support.gateway.com/support/contact/formassist.CAB
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install013.exe
O16 - DPF: {15589FA1-C456-11CE-BF01-00AA0055595A} - http://www.spywarenuker.com/product/camp/clickbank/SpywareNukerInstaller.exe
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet-traffic.com/intdel.exe
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37855.5040277778
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab

I don't know what is good and what is Bad and needs to be fixed. flrman1- you gave help to someone else, if you could help me with this problem too that would be awesome! Anyway I just want to get rid of the virus anyway I can so any help would be great! Thanks!


----------



## Flrman1 (Jul 26, 2002)

atruefish

Welcome to TSG! 

Go here http://www.lavasoftusa.com/support/download/ and download Adaware 6

Install the program and launch it.

I strongly recommend that you read the help file to familiarize yourself with the program.

Before running the scan look at the top of the main window and you will see a Gear Icon. This is where you configure the settings. Click on that and then in the next window that pops up click on the "Scanning" tab on the left side. Under "Drives and Folders" put a check by "Scan within archives" and below that under "Memory and Registry" put a check by all the options there.
Then click on the "Tweak" tab and under "Scanning engine" put a check by "Unload recognized processes during scanning" ...........then......under "Cleaning engine" put a check by "Let windows remove files in use at next reboot" then click "Proceed"

Next in the main window look in the bottom right corner and click on "Check for updates now" and get the latest reference files.
After getting the latest reference files you are ready to scan.

Click "Start" and in the next window make sure "Active in depth scanning" is checked then click "Next" and the scan will begin.

When it is finished put a check by and let it fix everything it finds.

Restart your computer.

Then go here http://spybot.eon.net.au/index.php?...n&page=download and download Spybot.

Install the program and launch it.

Before scanning press "Online" and "Search for Updates" .

Put a check mark at and install all updates.

Click "Check for Problems" and when the scan is finished let Spybot fix/remove all it finds marked in RED.

Restart your computer.

Come back here and post another HJT log and we'll get rid of what's left.


----------



## atruefish (Nov 19, 2003)

Ok here is the HJT report after installing and running Ad-aware 6.0 and spybot:
Logfile of HijackThis v1.97.7
Scan saved at 5:38:22 PM, on 11/19/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\WINNT\System32\SK9910DM.EXE
C:\WINNT\GWMDMMSG.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\The Weather Channel\The Weather Channel.exe
C:\WINNT\System32\RunDLL32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://lw15fd.law15.hotmail.msn.com...F000000001&a=1fe9967eb4be5af4775f37dc38836a86
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gateway.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://lw15fd.law15.hotmail.msn.com...01&a=b79f8e79c4b40c3009bdafbfb6a0fa86&fti=yes
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {BA25708B-154D-4D40-8607-67AA5190C395} - C:\PROGRA~1\INTELL~1\ISengine.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: & IntelliStopper - {21C32A07-0176-4FFE-BCDA-65D4A24F4303} - C:\PROGRA~1\INTELL~1\INTELL~1.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Desktop Weather 3] C:\Program Files\The Weather Channel\The Weather Channel.exe
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINNT\System32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - Startup: PowerReg Scheduler V3.exe
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/games/clients/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! GoStop - http://download.games.yahoo.com/games/clients/y/gst1_x.cab
O16 - DPF: Yahoo! Graffiti - http://download.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/games/clients/y/pyt1_x.cab
O16 - DPF: Yahoo! Sheepshead - http://download.games.yahoo.com/games/clients/y/dt0_x.cab
O16 - DPF: Yahoo! Spelldown - http://download.games.yahoo.com/games/clients/y/sdt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {0585238B-9CA6-4CCB-A9B2-FE4BA495E880} (AXWebMon Control) - http://www.smilecam.com/home/ezwebcam/eng5/common/AXWebMonProj1.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - https://support.gateway.com/support/contact/formassist.CAB
O16 - DPF: {4FCFF034-6F56-4D65-8C31-70D98C475428} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9A57B18E-2F5D-11D5-8997-00104BD12D94} (compid Class) - https://support.gateway.com/support/serialharvest/gwCID.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37855.5040277778
O16 - DPF: {C1C2AC28-5E4B-4228-B7A0-05E986FFCE14} (TIBSLoader Class) - http://www.movie-browser.com/tl4000.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-32.cab

This still seems like a lot of stuff. Please tell me what to do next and thanks for your help!
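As an added example (not code posted in this thread), a small Python parser for the HijackThis log format shown in the two posts above, used to diff the before-cleaning and after-cleaning logs and to pick out the items a helper looks at first. The sample logs below are constructed, modelled on the posts, and the "executable directly in the Windows folder" heuristic is my own, not a HijackThis rule.

```python
import re
from dataclasses import dataclass, field

# HijackThis item lines look like "O4 - HKLM\..\Run: [Name] C:\path" or
# "R1 - HKCU\Software\...\Main,Search Bar = http://...".
ITEM_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# First drive-letter path ending in .exe after the "[Name]" of an O4 entry.
O4_PATH_RE = re.compile(r"\]\s+\"?([A-Za-z]:\\.*?\.exe)", re.I)
# Heuristic: an .exe sitting directly in C:\WINNT or C:\WINDOWS (no subfolder).
# Vendor startup items normally live in Program Files or System32.
WIN_ROOT_RE = re.compile(r"^[a-z]:\\win(?:nt|dows)\\[^\\]+\.exe$", re.I)


@dataclass
class HjtLog:
    version: str = ""
    processes: list = field(default_factory=list)
    items: list = field(default_factory=list)  # (section, body) tuples


def parse_hjt(text):
    """Parse a HijackThis log into version, running processes and R/F/O items."""
    log = HjtLog()
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Logfile of HijackThis"):
            log.version = line.split()[-1]
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
            else:
                log.processes.append(line)
        else:
            m = ITEM_RE.match(line)
            if m:
                log.items.append((m.group("section"), m.group("body")))
    return log


def diff_items(before, after):
    """Return (removed, added) items between two parsed logs."""
    b, a = set(before.items), set(after.items)
    return sorted(b - a), sorted(a - b)


def review_candidates(log):
    """Items worth a second look: entries whose target file is missing
    (the "(no file)" BHO the helper had fixed) and O4 startup items whose
    executable sits directly in the Windows folder (heuristic, for review)."""
    out = []
    for section, body in log.items:
        if body.endswith("(no file)"):
            out.append((section, body))
        elif section == "O4":
            m = O4_PATH_RE.search(body)
            if m and WIN_ROOT_RE.match(m.group(1)):
                out.append((section, body))
    return out


# Constructed sample logs, modelled on the posts above (not the real logs).
BEFORE = r"""Logfile of HijackThis v1.97.7
Scan saved at 4:12:59 PM, on 11/19/2003

Running processes:
C:\WINNT\System32\smss.exe
C:\Program Files\ISTsvc\istsvc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.2020search.com/search/9884/search.html
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [msbb] C:\winnt\msbb.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

AFTER = r"""Logfile of HijackThis v1.97.7
Scan saved at 5:38:22 PM, on 11/19/2003

Running processes:
C:\WINNT\System32\smss.exe

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE), parse_hjt(AFTER)
    removed, added = diff_items(before, after)
    print("Removed by cleaning:")
    for sec, body in removed:
        print(f"  {sec} - {body}")
    print("Still worth reviewing:")
    for sec, body in review_candidates(after):
        print(f"  {sec} - {body}")
```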


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close all windows except HijackThis and "Fix checked"

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - Startup: PowerReg Scheduler V3.exe

O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.143/code/PWActiveXImgCtl.CAB

Restart your computer.

Be sure and take advantage of the "Immunize" feature in Spybot.

Finally go here http://www.net-integration.net/cgi-bin/forum/ikonboard.cgi?;act=ST;f=38;t=3051 for info on how to tighten your security settings and how to help prevent future attacks. 
On this page you will find links to Javacool's SpywareBlaster and SpywareGuard. Get them both and check for updates frequently. 
The Immunize feature in Spybot used in conjunction with SpywareBlaster, SpywareGuard and weekly scans with Spybot and Adaware will go a long way toward keeping your PC free of these pests.

Important!: ALWAYS check for updated detections and reference files before scanning with Spybot and Adaware. And be sure to check for updates to SpywareBlaster and SpywareGuard on a weekly basis.


----------



## Strebor (Nov 23, 2003)

Check the following Registry Entry to see if it is present:

HKCU/Software/Microsoft/Windows/CurrentVersion/Run

See if there is a reference to loader.exe present. Make sure you delete this entry. You may also see other entries related to Spyware. Feel free to get rid of these as well. I would do this after running Adaware and Spybot though. 

Let me know how you make out. 

Another good site for online scanning by the way is Trend Micro. They have Online Housecall. Works great. 

Strebor


----------

