
Help! clicked link on AIM... =(

Okay, well, I'm new here and I registered because my computer is messed up. And I need help.

I've been kind of freaked out (well, very freaked out to be honest) because if my parents figure out I've infected my computer... anyway.

So what happened was, someone automatically sent one of those links to everyone on her buddy list and so I clicked on it because of well, uh, yeah. It was one of those "remember when we took this picture in 6th grade?" x.x

I've spent the last two days trying to fix it and I finally stumbled upon here where I saw some very helpful responses to people's problems. And I'll admit... I was really surprised when I even saw a "no donations please!" thing on here. I'll admit, what you guys do here is awesome.

Right, so after I clicked on it, it downloaded some stuff and half an hour later, I noticed random pop ups. I also noticed my computer getting laggy. And my Norton was like "zomg! i'm gonna stop this trojan script!"

Well, so what I did is I looked around my files and I saw some stuff like "defender22" and some other suspicious stuff and I deleted them. Lo and behold though... when I accessed the internet, they just kept getting redownloaded over and over again.

The effects of it... well, a lot of lag, a lot of pop ups, and when I first load the computer it loads this assortment of textboxes and then just goes away. I downloaded HJT, and I saw some stuff (like the defender) and I pressed "fix".

anyway, here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 9:46:34 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\regsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberDefender\AntiSpyware\cdas14b.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\BigFix\BigFix.exe
c:\defender22.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Steven K. Lim\Desktop\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
O4 - HKLM\..\Run: [newname] c:\\newname22.exe
O4 - HKLM\..\Run: [defender] c:\\defender22.exe
O4 - HKLM\..\Run: [keyboard] c:\\keyboard22.exe
O4 - HKCU\..\Run: [CyberDefender AntiSpyware] "C:\Program Files\CyberDefender\AntiSpyware\cdas14b.exe"
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\jt4007hme.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



So, as you guys probably know, this was just as useful to me (other than the defender stuff I recognized) as a French textbook. Could someone please help me fix this problem? Read the log and tell me what to do... how to fix it...

It would be greatly appreciated if you could help, if at all. I'm very x.x LSJF;ASJFAKLS;F; right now. Mm. Thanks.

Comments

  • edited May 2006
    Hi limdawg

    Let's get rid of most first:

    Download and unzip BFU.zip from here.
    Run the program and click the Web button as shown by the blue arrow below:

    Use this URL to copy into the address bar of the Download script window:
    http://metallica.geekstogo.com/alcanshorty.bfu

    Execute the script by clicking the Execute button.

    If you have any questions about the use of BFU please read here:
    http://metallica.geekstogo.com/BFUinstructions.html

    Reboot

    Please follow these instructions carefully -> http://www.short-media.com/forum/showthread.php?t=42651

    Post a new HijackThis log along with contents of c:\Look2Me-Destroyer.txt.
  • edited May 2006
    Alright, so I downloaded AIM fix as well and ran that. Here is the new HijackThis logfile:

    Logfile of HijackThis v1.99.1
    Scan saved at 3:52:39 PM, on 5/26/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    C:\WINDOWS\regsvc.exe
    C:\WINDOWS\system32\slserv.exe
    C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\a-squared\a2guard.exe
    C:\Program Files\BigFix\BigFix.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\Steven K. Lim\Desktop\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton Antivirus\NavShExt.dll
    O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
    O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton SystemWorks\Password Manager\AcctMgr.exe /startup
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
    O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
    O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
    O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
    O16 - DPF: {58172624-85DD-4482-9E64-02ADCA637E96} (shizmoo Class) - http://shizmoo.com/activex/web665.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
    O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Antivirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    I still don't know what that means =P but there's that. And here's the look2me logfile:


    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 5/26/2006 3:07:27 PM

    Infected! C:\WINDOWS\system32\jtjm0711e.dll
    Infected! C:\RECYCLER\NPROTECT\00367791.dll
    Infected! C:\RECYCLER\NPROTECT\00369221.dll
    Infected! C:\RECYCLER\NPROTECT\00369393.dll
    Infected! C:\RECYCLER\NPROTECT\00369861.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0090878.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0091798.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092455.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092521.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092571.dll
    Infected! C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092607.dll
    Infected! C:\WINDOWS\system32\dvintf.dll
    Infected! C:\WINDOWS\system32\f8j2li1o18.dll
    Infected! C:\WINDOWS\system32\ivetpp.dll
    Infected! C:\WINDOWS\system32\jtjm0711e.dll
    Infected! C:\WINDOWS\system32\mwvcp50.dll
    Infected! C:\WINDOWS\system32\szndcmsg.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\system32\jtjm0711e.dll
    C:\WINDOWS\system32\jtjm0711e.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00367791.dll
    C:\RECYCLER\NPROTECT\00367791.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00369221.dll
    C:\RECYCLER\NPROTECT\00369221.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00369393.dll
    C:\RECYCLER\NPROTECT\00369393.dll Deleted successfully!

    Attempting to delete: C:\RECYCLER\NPROTECT\00369861.dll
    C:\RECYCLER\NPROTECT\00369861.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0090878.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0090878.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0091798.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP343\A0091798.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092455.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092455.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092521.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092521.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092571.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092571.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092607.dll
    C:\System Volume Information\_restore{66F23E54-A1A0-4309-B298-096C8FB5561D}\RP344\A0092607.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\dvintf.dll
    C:\WINDOWS\system32\dvintf.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\f8j2li1o18.dll
    C:\WINDOWS\system32\f8j2li1o18.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\ivetpp.dll
    C:\WINDOWS\system32\ivetpp.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\jtjm0711e.dll
    C:\WINDOWS\system32\jtjm0711e.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\mwvcp50.dll
    C:\WINDOWS\system32\mwvcp50.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\system32\szndcmsg.dll
    C:\WINDOWS\system32\szndcmsg.dll Deleted successfully!

    Making registry repairs.

    Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{1BC33C5D-AE4E-4C77-B5E8-9A4F82941B07}"
    HKCR\Clsid\{1BC33C5D-AE4E-4C77-B5E8-9A4F82941B07}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D53187E7-CB4A-47E5-9E22-0FEC77663097}"
    HKCR\Clsid\{D53187E7-CB4A-47E5-9E22-0FEC77663097}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{64DD4318-B449-4A5F-A7B9-0B5A12B6FFF0}"
    HKCR\Clsid\{64DD4318-B449-4A5F-A7B9-0B5A12B6FFF0}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C511D9C6-497F-4B1C-B5FB-719F4DF01298}"
    HKCR\Clsid\{C511D9C6-497F-4B1C-B5FB-719F4DF01298}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    Okay, so that's everything. My computer is running so much faster and I haven't had any popups since! Thanks so much for the help. Just to make sure, check the files and see to make sure my computer is clean. Is everything cool? My computer back to the way it was before?

    Once again, thanks so much. If I ever see anyone else with problems, I'll make sure to refer them here.
  • edited May 2006
    You're not clean yet, but looking better.

    Fix with HjT (do a system scan only, checkmark these and press fix checked):

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
    O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe


    Please click Start > Run and type in: services.msc
    Click OK
    In the Services window find: RemoteRegBck
    Select/highlight and right click the entry, and choose: Properties
    On the General tab, under Service Status click the Stop button
    Beside: Startup Type, in the drop menu, select: Disabled
    Click Apply, then OK

    Now, go to Start > Run, and copy/paste the following into the Open box:
    sc delete RemoteRegBck
    Click: OK

    Please download ewido anti-malware it is a free version of the program -> http://www.ewido.net/en/download/

    1. Install ewido anti-malware
    2. When installing, under "Additional Options" uncheck:
    * Install background guard
    * Install scan via context menu
    3. Launch ewido, there should be an icon on your desktop, double-click it.
    4. The program will now open to the main screen.
    5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    6. You will need to update ewido to the latest definition files.
    * On the left hand side of the main screen click update.
    * Then click on Start Update.
    7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

    If you are having problems with the updater, you can use this link to manually update ewido.
    ewido manual updates -> http://download.ewido.net/ewido-signatures-full-current.exe Make sure to close Ewido before installing the update.

    Once the updates are installed do the following:

    Reboot your computer in SafeMode by doing the following:

    1. Restart your computer
    2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    3. Instead of Windows loading as normal, a menu should appear
    4. Select the first option, to run Windows in Safe Mode.

    Delete if found:

    c:\windows\system32\podsregk.exe
    C:\WINDOWS\regsvc.exe
    C:\WINDOWS\U3RldmVuIEsuIExpbQ

    Then launch ewido:

    * Click on scanner
    * Click on Complete System Scan and the scan will begin.
    * You will be prompted to clean the first infection.
    * Select "Perform action on all infections", then proceed.
    * Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    * Click Save report.
    * Save the report .txt file to your desktop or a location where you can find it easily.

    Close ewido anti-malware.

    Reboot back to normal mode

    Send ewido report and a fresh HjT log.
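The helper's triage of the HijackThis logs above boils down to a few heuristics: a search provider that has been overridden, an O3 toolbar with no file behind it, O4 autostarts launching from the drive root or from an odd binary in system32, an O20 Winlogon Notify DLL that is not a known package, and O23 services with no vendor or sitting in a folder with a base64-looking name. The following is an added example, not code from this thread or from HijackThis; it parses a handful of lines copied from the logs above (a constructed sample) and applies those checks, with the allowlists being assumptions for a typical XP SP2 machine.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HijackThis logs in this thread
# plus three clean entries, so the triage can run offline.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
O3 - Toolbar: (no name) - {5AA06644-BC46-4220-A460-47A6EB47C96D} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{A5-52-2F-FA-ZN}] c:\windows\system32\podsregk.exe GID003
O4 - HKLM\..\Run: [defender] c:\\defender22.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\system32\jt4007hme.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\U3RldmVuIEsuIExpbQ\command.exe
O23 - Service: RemoteRegBck - Unknown owner - C:\WINDOWS\regsvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
"""

@dataclass
class Finding:
    code: str    # HijackThis section code (R1, O3, O4, O20, O23, ...)
    reason: str
    line: str

# Assumed allowlists: Winlogon Notify packages and system32 autostarts that are
# normal on an XP SP2 box. Anything else gets flagged for a closer look.
NOTIFY_OK = {"igfxcui.dll", "igfxsrvc.dll", "wgalogon.dll", "crypt32chain.dll",
             "cryptnet.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll",
             "senslogn.dll", "termsrv.dll", "wlballoon.dll"}
SYS32_OK = {"ctfmon.exe", "rundll32.exe", "dumprep.exe"}
PATH_RE = re.compile(r'([a-z]:\\[^"]*?\.(?:exe|dll))', re.I)

def decode_dirname(path):
    """Return the decoded text if a directory in `path` is base64 of printable ASCII."""
    for part in path.split("\\")[:-1]:
        if len(part) >= 12 and re.fullmatch(r"[A-Za-z0-9+/]+", part):
            try:
                raw = base64.b64decode(part + "=" * (-len(part) % 4))
            except ValueError:          # binascii.Error: not valid base64 after all
                continue
            if raw and all(32 <= b < 127 for b in raw):
                return raw.decode("ascii")
    return None

def triage(log_text):
    """Apply the thread's triage heuristics to each HijackThis entry; return Findings."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = re.match(r"^(R\d|O\d+) - (.*)$", line)
        if not m:
            continue                    # header, process list, blank line
        code, body = m.groups()
        pm = PATH_RE.search(body)
        exe = pm.group(1) if pm else ""
        base = exe.rsplit("\\", 1)[-1].lower()
        reasons = []
        if code in ("R0", "R1") and ("Search Page" in body or "SearchAssistant" in body):
            reasons.append("search provider overridden (hijack or leftover)")
        elif code == "O3" and body.endswith("(no file)"):
            reasons.append("orphaned toolbar CLSID, file missing")
        elif code == "O4":
            if re.search(r"\[\{.*?\}\]", body):
                reasons.append("Run value named like a GUID")
            if re.fullmatch(r"[a-z]:\\+[^\\]+", exe, re.I):
                reasons.append("autostart binary sitting in the drive root")
            if "\\system32\\" in exe.lower() and base not in SYS32_OK:
                reasons.append("unexpected autostart binary in system32")
        elif code == "O20" and base not in NOTIFY_OK:
            reasons.append("Winlogon Notify DLL is not a known package")
        elif code == "O23":
            if "Unknown owner" in body:
                reasons.append("service with no vendor information")
            decoded = decode_dirname(exe)
            if decoded:
                reasons.append(f"service path has base64-named folder (decodes to {decoded!r})")
        if reasons:
            findings.append(Finding(code, "; ".join(reasons), line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.code:<4} {f.reason}\n     {f.line}")
```

The base64 check is what explains the odd folder in this thread: U3RldmVuIEsuIExpbQ decodes to the user's own account name from the Documents and Settings path, a naming trick that makes the folder look machine-generated rather than planted.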