(Solved) Infected After 3 Days!
Hello! I am new to the site and hope that you can help me! After freshly installing Windows about 3 days ago with system updates and Norton, I have been infected with some crap!
Spybot and Ad-Aware find a lot of things, e.g. ISeachTEch.YSB, Adware.Look2ME, and system32\n4r2oe9oeh.dll <-- CANNOT DELETE
I have no idea how this could have happened! And I keep getting pop-ups even when not on the internet! Please help!!! :sad2:
Here is my HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 18:06:17, on 05/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BOKI\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={9DEACA0B-E815-093B-3419-DEE70CED000A}&type=normal&mSkip=1&rnd=1022
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151749535234
O17 - HKLM\System\CCS\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}:
O17 - HKLM\System\CS1\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}:
O17 - HKLM\System\CS2\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}:
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\n4r20e9oeh.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
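The log above is what the helpers below read by eye. As an added example (not part of this thread, and not HijackThis code), here is a small Python triage script that parses HijackThis item lines and flags the three things that matter in this case: the O20 Winlogon Notify entry loading a randomly named DLL into winlogon.exe (which is why the file "cannot delete" while Windows is running), the R1 ShellNext value pointing at a non-Microsoft domain, and any O17 NameServer entries that do not match the DNS servers you expect from your ISP. The sample log is a constructed excerpt of the lines posted above; the Winlogon Notify allow-list, the benign-host list and the letter/digit "looks random" threshold are this example's own assumptions.

```python
"""Triage a HijackThis v1.99 log for the indicators discussed in this thread.

Added example for this page; it is not part of the thread and not HijackThis
code. SAMPLE_LOG is a constructed excerpt of the lines posted above; the
allow-lists and the name-randomness threshold are this example's own
assumptions, not rules from HijackThis or Look2Me-Destroyer.
"""
import re
from urllib.parse import urlparse

# Constructed excerpt copied from the logs in this thread (header line kept
# to show that non-item lines are skipped).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={9DEACA0B-E815-093B-3419-DEE70CED000A}&type=normal&mSkip=1&rnd=1022
F2 - REG:system.ini: UserInit=userinit.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}: NameServer = 212.159.11.150,212.159.13.150
O20 - Winlogon Notify: URL - C:\WINDOWS\system32\n4r20e9oeh.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Winlogon Notify subkeys present on a default Windows XP SP2 install
# (assumption for this example; build your own baseline from a clean box).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# Domains accepted in R0/R1 start/search-page values (assumption for this example).
BENIGN_HOSTS = ("microsoft.com", "msn.com", "live.com")


def parse_hjt(text):
    """Yield (section, body) for every HijackThis item line, skipping headers."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def letter_digit_transitions(stem):
    """Count adjacent letter<->digit switches, e.g. 'n4r20e9oeh' -> 6."""
    is_digit = [c.isdigit() for c in stem if c.isalnum()]
    return sum(1 for a, b in zip(is_digit, is_digit[1:]) if a != b)


def looks_random(filename):
    """Heuristic for the Look2Me naming style: letters interleaved with digits."""
    stem = filename.rsplit(".", 1)[0]
    return letter_digit_transitions(stem) >= 3   # threshold is an assumption


def triage(text, expected_dns=frozenset()):
    """Return findings as (section, severity, reason, body) tuples."""
    findings = []
    for section, body in parse_hjt(text):
        if section in ("R0", "R1"):
            value = body.split(" = ", 1)[1] if " = " in body else ""
            host = urlparse(value).hostname or ""
            if value == "about:blank":
                findings.append((section, "review", "search/start page set to about:blank", body))
            elif host and not host.endswith(BENIGN_HOSTS):
                findings.append((section, "high", f"IE setting points at {host}", body))
        elif section == "O17":
            # Blank O17 entries (no NameServer) produce no IPs and are skipped.
            servers = set(re.findall(r"\d+\.\d+\.\d+\.\d+", body.split("NameServer =", 1)[-1]))
            unknown = servers - set(expected_dns)
            if unknown:
                findings.append((section, "high",
                                 "DNS servers not in expected set: " + ", ".join(sorted(unknown)), body))
        elif section == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - (.*)", body)
            if m:
                subkey, path = m.groups()
                dll = path.rsplit("\\", 1)[-1]
                if subkey.lower() not in KNOWN_NOTIFY or looks_random(dll):
                    findings.append((section, "critical",
                                     f"non-default Winlogon Notify package '{subkey}' loads {dll} into winlogon.exe", body))
    return findings


if __name__ == "__main__":
    # Pass the DNS servers your ISP actually assigns; anything else is flagged.
    for section, severity, reason, body in triage(SAMPLE_LOG, {"212.159.11.150", "212.159.13.150"}):
        print(f"[{severity:8}] {section}: {reason}")
```

The O20 check fires on the subkey name alone, so a malicious DLL with an innocent-looking file name is still caught; the randomness heuristic is only there to explain why a file like n4r20e9oeh.dll stands out even without a baseline.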
O17 - HKLM\System\CCS\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}:
O17 - HKLM\System\CS1\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}:
O17 - HKLM\System\CS2\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}:
then reboot and submit the following file to http://virusscan.jotti.org/ and copy/paste the results along with a new HJT log.
The file is: C:\WINDOWS\system32\n4r20e9oeh.dll
I have sent you a PM about this.
@riven
Please disregard jmoney3457's post for now.
To remove the nasty Look2Me infection, please download Look2Me-Destroyer.exe to your desktop.
- Close all windows before continuing.
- Double-click Look2Me-Destroyer.exe to run it.
- Put a check next to Run this program as a task.
- You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
- When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
- Once it's done scanning, click the Remove L2M button.
- You will receive a Done Scanning message, click OK.
- When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
- Your computer will then shutdown.
- Turn your computer back on.
- Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet, please allow it. If you receive a runtime error '339', please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
@jmoney3457
I have sent you a PM about this.
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 06/07/2006 17:08:16
Infected! C:\WINDOWS\system32\i2600cjmefoa0.dll
Infected! C:\WINDOWS\system32\dcrawex.dll
Infected! C:\WINDOWS\system32\en44l1hq1.dll
Infected! C:\WINDOWS\system32\f20o0cd3ef0.dll
Infected! C:\WINDOWS\system32\gp22l3fo1.dll
Infected! C:\WINDOWS\system32\gp82l3lo1.dll
Infected! C:\WINDOWS\system32\gprql3951.dll
Infected! C:\WINDOWS\system32\hrno0553e.dll
Infected! C:\WINDOWS\system32\i2600cjmefoa0.dll
Infected! C:\WINDOWS\system32\itssuba.dll
Infected! C:\WINDOWS\system32\j66m0gj1e6o.dll
Infected! C:\WINDOWS\system32\k480lelm1hqa.dll
Infected! C:\WINDOWS\system32\l20ulcd91f0.dll
Infected! C:\WINDOWS\system32\l44q0eh5eh4.dll
Infected! C:\WINDOWS\system32\mclbui.dll
Infected! C:\WINDOWS\system32\msxoci.dll
Infected! C:\WINDOWS\system32\muvcrt20.dll
Infected! C:\WINDOWS\system32\o848lihu1848.dll
Infected! C:\WINDOWS\system32\p8r4li9q18.dll
Infected! C:\WINDOWS\system32\q2rqlc951f.dll
Infected! C:\WINDOWS\system32\r46u0ej9eho.dll
Infected! C:\WINDOWS\system32\svdoclc.dll
Infected! C:\WINDOWS\system32\guard.tmp
Attempting to delete infected files...
Attempting to delete: C:\WINDOWS\system32\i2600cjmefoa0.dll
C:\WINDOWS\system32\i2600cjmefoa0.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\dcrawex.dll
C:\WINDOWS\system32\dcrawex.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\en44l1hq1.dll
C:\WINDOWS\system32\en44l1hq1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\f20o0cd3ef0.dll
C:\WINDOWS\system32\f20o0cd3ef0.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\gp22l3fo1.dll
C:\WINDOWS\system32\gp22l3fo1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\gp82l3lo1.dll
C:\WINDOWS\system32\gp82l3lo1.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\gprql3951.dll
C:\WINDOWS\system32\gprql3951.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\hrno0553e.dll
C:\WINDOWS\system32\hrno0553e.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\i2600cjmefoa0.dll
C:\WINDOWS\system32\i2600cjmefoa0.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\itssuba.dll
C:\WINDOWS\system32\itssuba.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\j66m0gj1e6o.dll
C:\WINDOWS\system32\j66m0gj1e6o.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\k480lelm1hqa.dll
C:\WINDOWS\system32\k480lelm1hqa.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\l20ulcd91f0.dll
C:\WINDOWS\system32\l20ulcd91f0.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\l44q0eh5eh4.dll
C:\WINDOWS\system32\l44q0eh5eh4.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\mclbui.dll
C:\WINDOWS\system32\mclbui.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\msxoci.dll
C:\WINDOWS\system32\msxoci.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\muvcrt20.dll
C:\WINDOWS\system32\muvcrt20.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\o848lihu1848.dll
C:\WINDOWS\system32\o848lihu1848.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\p8r4li9q18.dll
C:\WINDOWS\system32\p8r4li9q18.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\q2rqlc951f.dll
C:\WINDOWS\system32\q2rqlc951f.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\r46u0ej9eho.dll
C:\WINDOWS\system32\r46u0ej9eho.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\svdoclc.dll
C:\WINDOWS\system32\svdoclc.dll Deleted successfully!
Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{43AFE7C9-0030-4466-9486-607AE82BA6B2}"
HKCR\Clsid\{43AFE7C9-0030-4466-9486-607AE82BA6B2}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D618F3DC-C014-4652-907B-89E78B657173}"
HKCR\Clsid\{D618F3DC-C014-4652-907B-89E78B657173}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E6AE4774-EDEC-43EE-B8A8-B2E12988DD37}"
HKCR\Clsid\{E6AE4774-EDEC-43EE-B8A8-B2E12988DD37}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F7BEE962-ED9D-4EFA-8F3B-23864E5B915E}"
HKCR\Clsid\{F7BEE962-ED9D-4EFA-8F3B-23864E5B915E}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DE67CEFD-6184-4098-A6A0-0526EBA5D3D0}"
HKCR\Clsid\{DE67CEFD-6184-4098-A6A0-0526EBA5D3D0}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{08BE90EE-8DEE-42DA-B788-B160BB568104}"
HKCR\Clsid\{08BE90EE-8DEE-42DA-B788-B160BB568104}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{EB765E4A-E65D-401C-95C1-286C93A9D73E}"
HKCR\Clsid\{EB765E4A-E65D-401C-95C1-286C93A9D73E}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8E8F5643-9281-483B-B4D7-7A8D5B704BBF}"
HKCR\Clsid\{8E8F5643-9281-483B-B4D7-7A8D5B704BBF}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{05122EB3-5052-4BA0-B63E-6E8727A35619}"
HKCR\Clsid\{05122EB3-5052-4BA0-B63E-6E8727A35619}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{95EE0E36-CE98-479F-B5EE-7605106E646E}"
HKCR\Clsid\{95EE0E36-CE98-479F-B5EE-7605106E646E}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Logfile of HijackThis v1.99.1
Scan saved at 17:14:14, on 06/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\BOKI\Desktop\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={9DEACA0B-E815-093B-3419-DEE70CED000A}&type=normal&mSkip=1&rnd=1022
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151749535234
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
WHAT THE HELL IS R1 (point 3) ??
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ad-w-a-r-e.com/cgi-bin/PopupV3?ID={9DEACA0B-E815-093B-3419-DEE70CED000A}&type=normal&mSkip=1&rnd=1022
Close all other windows other than HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Rescan with HijackThis and post the new log in your next reply. Also I would like some feedback on how your system is running now.
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1151749535234
O17 - HKLM\System\CCS\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}: NameServer = 212.159.11.150,212.159.13.150
O17 - HKLM\System\CS1\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}: NameServer = 212.159.11.150,212.159.13.150
O17 - HKLM\System\CS2\Services\Tcpip\..\{1933BDCE-5BEE-4800-BEC8-1F9BB5835D09}: NameServer = 212.159.11.150,212.159.13.150
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
System seems to be working fine, no stupidness is happening any more. Thanks a lot guys! Really, thanks a lot.
Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply. When you are warned that all existing Restore Points will be deleted, click Yes to continue. All system restore points are deleted. Now you should manually create a restore point. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Click Create a Restore Point, and then click Next. Name your restore point. (I use the date as well as a descriptive term such as "Clean system.")
Here are a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of spyware problems.
You may have already taken some of these steps:
1. Watch what you download!
Do not download just anything you see on the web. Some may have spyware bundled into them.
2. Try not to use peer-to-peer programs.
P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious; they come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
3. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
We recommend checking for Windows updates monthly.
4. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'Prompt', and "Initialize and script ActiveX controls not marked as safe" to 'Disable'.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an .exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
5. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.
6. Keep your antivirus software up to date. If you don't have one, I recommend the free AVG.
7. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm.
A tutorial on understanding and using firewalls may be found here
8. IE-SPYAD puts over 5000 sites in your Restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is the MVPS hosts file. This little program packs a powerful punch as it blocks ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.
9. You might consider installing Mozilla / Firefox, which is much safer than Internet Explorer.
http://www.mozilla.org/
10. Install spyware detection and removal programs:
Ad-aware: http://www.snapfiles.com/get/adaware.html
Spybot S&D:
http://www.safer-networking.org
Use these programs to regularly scan your system for and remove many forms of spyware/malware.
11. Microsoft now offers their own anti-spyware product. Windows® Defender (Beta 2) improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC. This is a BETA for XP/2000 only.
12. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm
Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!
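Item 8 in the post above recommends two blocklists without saying how they work. As an added example (not IE-SPYAD's or the MVPS hosts file's own code, and not part of this thread), the Python below builds both kinds of artefact from one domain list: a .reg file that puts each domain under HKCU\...\Internet Settings\ZoneMap\Domains with "*"=dword:4 (zone 4 is Restricted sites, which is what IE-SPYAD installs), and a hosts-file block that points each name at a sinkhole address (what the MVPS hosts file does). It also emulates the lookup each mechanism performs, which shows the practical difference: a ZoneMap entry for a domain covers all of its subdomains, while a hosts entry matches one exact name. The domain list is constructed for this example (the ShellNext domain from the log above plus a made-up ad server) and is not either project's real list.

```python
"""Build an IE Restricted-zone .reg file and a hosts-file block from one
domain list, and emulate how each one matches a host name.

Added example for this page; not IE-SPYAD, MVPS or thread code. BLOCKED is
a constructed list, not either project's real blocklist.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"
ZONEMAP = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
           r"\Internet Settings\ZoneMap\Domains")
RESTRICTED = 4   # IE zone numbers: 0 Local, 1 Intranet, 2 Trusted, 3 Internet, 4 Restricted
INTERNET = 3

# Constructed blocklist: the domain behind the ShellNext hijack in the log
# above plus a made-up ad server. Not IE-SPYAD's or MVPS's list.
BLOCKED = ["ad-w-a-r-e.com", "www.ad-w-a-r-e.com", "ads.example-tracker.test"]

HOST_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")


def normalize(domains):
    """Lower-case, strip whitespace and trailing dots, drop junk, dedupe in order."""
    seen, out = set(), []
    for d in domains:
        d = d.strip().lower().rstrip(".")
        if HOST_RE.match(d) and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def zone_domains(domains):
    """Collapse 'www.x' onto 'x': a ZoneMap entry for x already covers www.x."""
    return normalize(d[4:] if d.startswith("www.") else d for d in normalize(domains))


def restricted_zone_reg(domains):
    """Emit .reg text placing each domain (and its subdomains) in zone 4."""
    out = [REG_HEADER, ""]
    for d in zone_domains(domains):
        out += [f"[{ZONEMAP}\\{d}]", f'"*"=dword:{RESTRICTED:08x}', ""]
    return "\r\n".join(out)


def hosts_block(domains, sink="0.0.0.0"):
    """Emit hosts-file lines; hosts has no wildcards, so every name is listed."""
    return "".join(f"{sink}\t{d}\n" for d in normalize(domains))


def ie_zone(host, domains):
    """Zone IE assigns: Restricted if the host or any parent domain has an entry."""
    entries = set(zone_domains(domains))
    labels = host.lower().split(".")
    for i in range(len(labels) - 1):          # never match a bare TLD
        if ".".join(labels[i:]) in entries:
            return RESTRICTED
    return INTERNET


def hosts_blocks(host, domains):
    """Hosts-file matching is exact; unlisted subdomains slip through."""
    return host.lower() in set(normalize(domains))


if __name__ == "__main__":
    print(restricted_zone_reg(BLOCKED))
    print(hosts_block(BLOCKED))
    for h in ("popup.ad-w-a-r-e.com", "www.ad-w-a-r-e.com"):
        print(h, "zone", ie_zone(h, BLOCKED), "hosts-blocked", hosts_blocks(h, BLOCKED))
```

Import the .reg file with regedit and copy the hosts lines into C:\WINDOWS\system32\drivers\etc\hosts; popup.ad-w-a-r-e.com then lands in the Restricted zone but still resolves, which is why the two lists complement rather than replace each other.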