Got trojan
Symantec picked up a trojan virus. Don't know how to get rid of it. The virus is causing tons of popups.
Here's my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:50:13 PM, on 4/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\PopNot\PopNot.exe
c:\windows\system32\unxwif.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\CK\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pkgcnzl] c:\windows\system32\unxwif.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107517471908
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
This discussion has been closed.
Comments
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [pkgcnzl] c:\windows\system32\unxwif.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\svcproc.exe
C:\WINDOWS\Bolger.dll
c:\windows\system32\unxwif.exe
Reboot your computer to go back to normal mode.
Please run at least two of these online scans.
Make sure they are set to clean automatically:
http://www.pandasoftware.com/activescan/com/activescan_principal.htm
http://www.bitdefender.com/scan/licence.php
http://housecall.trendmicro.com/housecall/start_corp.asp
There will be files that these scans will not remove. Please include that information in your next post.
Reboot and post a new HijackThis log.
Here's my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 12:33:36 AM, on 4/27/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\PopNot\PopNot.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\CK\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.netzero.net/s/search?r=minisearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107517471908
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Here's the log from bitdefender.com:
C:\Documents and Settings\CK\Local Settings\Temporary Internet Files\Content.IE5\I09GPK9X\Nail[1].exe: infected with Trojan.Dloader.LI
C:\Documents and Settings\CK\Local Settings\Temporary Internet Files\Content.IE5\I09GPK9X\Nail[1].exe: disinfection failed
C:\Documents and Settings\CK\My Documents\Ken Pham\FILES\OSP\1033\OSP1.CAB=>MSSTDFMT.DLL: infected with Trojan.PWS.Bancos.142
C:\Documents and Settings\CK\My Documents\Ken Pham\FILES\OSP\1033\OSP1.CAB=>MSSTDFMT.DLL: disinfection failed
C:\Documents and Settings\CK\My Documents\Ken Pham\OFFICE1.CAB=>MSSTDFMT.DLL: infected with Trojan.PWS.Bancos.142
C:\Documents and Settings\CK\My Documents\Ken Pham\OFFICE1.CAB=>MSSTDFMT.DLL: disinfection failed
C:\Documents and Settings\CK\My Documents\SetUp Files\Office XP.exe=>(ZIP Sfx o)=>FILES/OSP/1033/OSP1.CAB=>MSSTDFMT.DLL: infected with Trojan.PWS.Bancos.142
C:\Documents and Settings\CK\My Documents\SetUp Files\Office XP.exe=>(ZIP Sfx o)=>FILES/OSP/1033/OSP1.CAB=>MSSTDFMT.DLL: disinfection failed
C:\Documents and Settings\CK\My Documents\SetUp Files\Office XP.exe=>(ZIP Sfx o)=>OFFICE1.CAB=>MSSTDFMT.DLL: infected with Trojan.PWS.Bancos.142
C:\Documents and Settings\CK\My Documents\SetUp Files\Office XP.exe=>(ZIP Sfx o)=>OFFICE1.CAB=>MSSTDFMT.DLL: disinfection failed
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008: infected with Adware.Wheaterbug.A
C:\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008: disinfection failed
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: infected with Adware.Wheaterbug.A
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP41\A0001719.exe=>wise0041=>wise0008: infected with Adware.Wheaterbug.A
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP41\A0001719.exe=>wise0041=>wise0008: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP65\A0007063.exe: infected with Trojan.Dloader.LI
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP65\A0007063.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007356.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007356.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007363.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007363.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007379.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007379.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007391.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP67\A0007391.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008391.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008391.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008405.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008405.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008423.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008423.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008442.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008442.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008467.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008467.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008480.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP68\A0008480.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008503.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008503.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008509.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008509.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008522.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008522.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008530.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008530.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008531.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008531.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008545.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008545.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008552.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008552.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008553.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008553.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008568.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008568.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008580.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008580.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008617.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008617.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008634.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008634.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008645.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008645.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008661.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP69\A0008661.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008687.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008687.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008693.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008693.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008719.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008719.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008734.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008734.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008748.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008748.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008764.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008764.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008778.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008778.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008792.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008792.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008806.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008806.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008827.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008827.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008828.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008828.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008839.exe: infected with Trojan.Dloader.LI
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008839.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008846.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP70\A0008846.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008859.exe: infected with Trojan.Stervis.B
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008859.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008860.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008860.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008868.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008868.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008881.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008881.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008891.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008891.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008906.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008906.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008920.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008920.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008935.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008935.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008949.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008949.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008961.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008961.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008973.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008973.exe: disinfection failed
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008998.exe: infected with Trojan.Agent.CP
C:\System Volume Information\_restore{D178B459-BBCB-4B5C-B931-9A1B2C5742FA}\RP71\A0008998.exe: disinfection failed
C:\WINDOWS\system32\kaxhjwo.exe: infected with Trojan.Agent.CP
C:\WINDOWS\system32\kaxhjwo.exe: disinfection failed
C:\WINDOWS\system32\MSSTDFMT.DLL: infected with Trojan.PWS.Bancos.142
C:\WINDOWS\system32\MSSTDFMT.DLL: disinfection failed
How to see hidden files in Windows
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
Reboot your computer into Safe Mode
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\Nail.exe
C:\WINDOWS\system32\kaxhjwo.exe
C:\WINDOWS\system32\MSSTDFMT.DLL
Delete temp files
Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.
Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
Empty the Recycle Bin.
Reboot your computer to go back to normal mode and post a new log.
here is my hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 6:12:15 PM, on 5/3/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\PopNot\PopNot.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\NZSearch\nzspc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
c:\windows\system32\kawvoyj.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Documents and Settings\CK\Desktop\HijackThis.exe
C:\WINDOWS\System32\svchost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xqseic] c:\windows\system32\kawvoyj.exe
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107517471908
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
http://www.ewido.net/en/download/
Install it, and download all updates. Then exit Ewido once all updates are installed.
Please download and install Cleanup 4.0
http://cleanup.stevengould.org/
Please run Notepad and copy the following text into a new file:
Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files".
Reboot your computer into Safe Mode
Once in Safe Mode, please double-click on remove.bat. A window should open and close very quickly --- this is normal.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
Run CleanUp 4.0 that you installed earlier.
Run a full scan with Ewido, remove anything found, and then restart into normal mode and post the logfile from the scan for me.
Now open up Hijackthis. Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\Run: [xqseic] c:\windows\system32\kawvoyj.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Then delete these files or directories (Do not be concerned if they do not exist):
C:\WINDOWS\svcproc.exe
C:\WINDOWS\Bolger.dll
C:\WINDOWS\Nail.exe
c:\windows\system32\kawvoyj.exe
Restart your computer and please post a new HijackThis log and the Ewido log.
here's my hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 12:25:17 AM, on 5/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\CK\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107517471908
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
here's my ewido:
ewido security suite - Scan report
+ Created on: 12:24:03 AM, 5/5/2005
+ Report-Checksum: 6764CEE7
+ Date of database: 5/5/2005
+ Version of scan engine: v3.0
+ Duration: 43 min
+ Scanned Files: 83076
+ Speed: 31.59 Files/Second
+ Infected files: 14
+ Removed files: 7
+ Files put in quarantine: 7
+ Files that could not be opened: 0
+ Files that could not be cleaned: 7
+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes
+ Scanned items:
C:\
C:\
+ Scan result:
C:\Documents and Settings\CK\Desktop\HijackThis files\backups\backup-20050421-214901-871.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\CK\Desktop\HijackThis files\backups\backup-20050427-002253-621.dll -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\fejocyujiha.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Cleaned with backup
C:\WINDOWS\system32\rtneg3.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\vqlrwrr.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Cleaned with backup
C:\Documents and Settings\CK\Desktop\HijackThis files\backups\backup-20050421-214901-871.dll -> Spyware.BetterInternet -> Error during cleaning
C:\Documents and Settings\CK\Desktop\HijackThis files\backups\backup-20050427-002253-621.dll -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\fejocyujiha.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\Nail.exe -> Trojan.Nail -> Error during cleaning
C:\WINDOWS\system32\rtneg3.dll -> Spyware.Beginto.c -> Error during cleaning
C:\WINDOWS\vqlrwrr.exe -> Spyware.BetterInternet -> Error during cleaning
C:\WINDOWS\wupdsnff.exe -> Spyware.BetterInternet -> Error during cleaning
::Report End
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
Download the Pocket Killbox.
Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.
- Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
C:\WINDOWS\Bolger.dll
C:\WINDOWS\Nail.exe
- Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
- Click on the Delete on Reboot option and then click on the red circle with a white 'X' in it to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.
Your system will reboot now.
Please post a new hijackthis log.
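The before/after comparison done by eye across the posts above, as an added example that is not part of the original thread: it takes the entries selected for Fix Checked and classifies each one against a follow-up log as removed, orphaned (registry entry still present, file gone) or persisting. The function names and status labels are assumptions made for this sketch; the sample lines are copied from the logs posted in the thread.

```python
import re

# Entry lines start with a section code: "O4 - HKLM\..\Run: [name] path",
# "F2 - REG:system.ini: ...". Header and running-process lines do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# HijackThis appends one of these markers when the referenced file is gone.
STALE_RE = re.compile(r"\s*\((?:file missing|no file)\)\s*$", re.IGNORECASE)


def parse_entries(log_text):
    """Return {key: (section, raw_body, stale)} for every entry line in a log.

    The key drops the stale marker and is lower-cased, because Windows paths
    and registry names are case-insensitive.
    """
    entries = {}
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue
        section, body = match.groups()
        stale = bool(STALE_RE.search(body))
        key = (section, STALE_RE.sub("", body).lower())
        entries[key] = (section, body, stale)
    return entries


def check_fixes(targets, follow_up_log):
    """Classify each entry that was marked for fixing against a later log."""
    after = parse_entries(follow_up_log)
    status = {}
    for line in targets:
        parsed = parse_entries(line)
        if not parsed:
            status[line] = "unparsed"
            continue
        key = next(iter(parsed))
        if key not in after:
            status[line] = "removed"
        elif after[key][2]:
            status[line] = "orphaned"   # entry remains, its file is gone
        else:
            status[line] = "persists"   # fix did not take; entry came back
    return status


# Entries the helper asked to fix (copied from the thread).
TARGETS = [
    r"F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe",
    r"O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll",
    r"O4 - HKLM\..\Run: [xqseic] c:\windows\system32\kawvoyj.exe",
    r"O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe",
]

# Excerpt of the 5/5/2005 follow-up log (copied from the thread, shortened).
FOLLOW_UP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

if __name__ == "__main__":
    for entry, state in check_fixes(TARGETS, FOLLOW_UP_LOG).items():
        print(f"{state:9} {entry}")
```

An entry reported as "persists" is the case where something is rewriting it after the fix, which is why the thread moves on to deleting the file on reboot.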
Logfile of HijackThis v1.99.1
Scan saved at 12:46:07 AM, on 5/6/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\PopNot\PopNot.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\CK\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.netzero.net/s/search?r=minisearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://my.netzero.net/s/search?r=minisearch
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O4 - HKLM\..\Run: [SigmaTel StacMon] C:\Program Files\SigmaTel\SigmaTel AC97 Audio Drivers\stacmon.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PopNot] C:\Program Files\PopNot\PopNot.exe auto
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\RegClean.exe"
O8 - Extra context menu item: Allow Site's Pop-&ups - file://C:\Program Files\PopNot\trustsite.script
O8 - Extra context menu item: Always &Kill this Pop-up - file://C:\Program Files\PopNot\blocksite.script
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1107517471908
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - c:\WINDOWS\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
http://www.funkytoad.com/download/hoster.zip
This will restore your original Host files.
Run the program and press Restore Original Hosts and press OK.
If that doesn't work then try using an alternate browser like Firefox.
http://www.mozilla.org/products/firefox/
Then at least we can determine if the problem is with your computer or IE alone.
Run Hijackthis. Click on "Open the Misc Tools section". Next click on "Open hosts file manager". Now click on "Open in notepad". Copy and paste the text from notepad to here.
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a "#" symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
#
127.0.0.1 localhost
If you are still having problems here are a couple other things you can try.
Go to Start -> RUN. Type CMD. At the prompt type ipconfig /flushdns
Or you can try running Winsock XP Fix.
http://www.snapfiles.com/get/winsockxpfix.html