0

:o Hi, I (stupidly) tried to download something this morning and have been wrestling with trojan/popups/adware/etc. all day. I'm on my husband's computer, and if I don't fix it before he gets home, all hell will break loose. I'm begging for your help...the HijackThis log is found below:

Logfile of HijackThis v1.99.1
Scan saved at 2:34:16 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\s4rs0e97eh.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

3
Contributors
8
Replies
9
Views
11 Years
Discussion Span
Last Post by D3m3nt3d
0

Hi, well lets get you all cleaned up :).

Boot into safe mode, and configure windows to show hidden files.To do this do the following.


file 1 Click the Start Button

2 In the Start menu click Control Panel

3 In the Control panel Window click the Folder Options Icon

4 The folder Options Window will now Open

5 Click the View Tab

6 In the view tab window look down the list for a section marked Hidden Files and Folders

7 Enable the option Show Hidden Files and Folders by left clicking the radio button on the left of the option with your mouse. Then uncheck Hide protected operating system files. CLick yes to the dialog.

8 Press the Apply button

9 On the next screen press OK to exit

10 You should now be able to view the hidden files and folders.

------------------------

1. If the computer is running, shut down Windows, and then turn off the power
2. Wait 30 seconds, and then turn the computer on.
3. When you see the black-and-white Starting Windows bar at the bottom of the screen, start tapping the F8 key. The Windows 2000 Advanced Options Menu appears.
4. Ensure that the Safe mode option is selected. In most cases, it is the first item in the list and is selected by default.
5. Press Enter. The computer then begins to start in Safe mode.

Once in safe mode run HJT again and put a check next to the following items.


O10 - Hijacked Internet access by New.Net

O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\s4rs0e97eh.dll

Then browse to and delete (if it exists)

C:\WINDOWS\system32\s4rs0e97eh.dll

Empty recycle bin

Then go to

Start>Control Panel>Add/Remove Programs>

Remove anything that has to do with newdotnet -- or New.Net.

Reboot normally and post a new log.

If the popups are still occuring, we can remove the infection manually.

0

Hi, things have changed since my first post. Here's a new HJT logfile. Thank you so much for your help!

Logfile of HijackThis v1.99.1
Scan saved at 6:49:44 PM, on 3/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\gpn6l35s1.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

0

It's not Haxdoor, it's a Look2Me infection which Spysweeper should remove :)

Since this is your husbands PC, I assume you are going to want to tell him this, he has two Antiviruses running at once.

This does not double the protection, but instead can cause conflicts as well as hog memory resources.

He should uninstall either AVG or Norton.

Since MSConfig is being used to disable startup entries, we need to see another log as well.

WinPFind
http://www.bleepingcomputer.com/files/winpfind.php
-Follow step 9 here on how to properly run it:
http://wiki.castlecops.com/Vundo_Rootkit_Detection_and_Removal_Procedure
-Save the log and attach for me

0

Thanks for the info about doubling up on anti-virus software; I uninstalled Norton right away. Before I checked back here, I got a reply on a different forum (sorry--I was REALLY desperate yesterday) and ran Look2Me Destroyer. The log from that and a new HJT log can be found below. Does it look like it's gone? If it means anything, I haven't had a popup since running the "destroyer." :)


Look2Me-Destroyer V1.0.10

Scanning for infected files.....
Scan started at 3/14/2006 3:53:16 PM

Infected! C:\WINDOWS\system32\r2p80c7uef.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0022963.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0022967.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023077.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023085.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023088.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023092.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023104.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023218.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023357.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023365.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023369.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023378.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023383.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023387.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023393.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023606.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023632.dll
Infected! C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023638.dll
Infected! C:\WINDOWS\system32\cWpesnpn.dll
Infected! C:\WINDOWS\system32\k0pmla711d.dll
Infected! C:\WINDOWS\system32\r2p80c7uef.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\r2p80c7uef.dll
C:\WINDOWS\system32\r2p80c7uef.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0022963.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0022963.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0022967.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0022967.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023077.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023077.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023085.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023085.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023088.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023088.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023092.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023092.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023104.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023104.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023218.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023218.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023357.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023357.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023365.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023365.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023369.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023369.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023378.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023378.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023383.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023383.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023387.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023387.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023393.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP114\A0023393.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023606.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023606.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023632.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023632.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023638.dll
C:\System Volume Information\_restore{74B9DA22-742F-4669-927A-7728D7EE05E6}\RP115\A0023638.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cWpesnpn.dll
C:\WINDOWS\system32\cWpesnpn.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\k0pmla711d.dll
C:\WINDOWS\system32\k0pmla711d.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\r2p80c7uef.dll
C:\WINDOWS\system32\r2p80c7uef.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunServices

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9DA893A7-7E70-4022-8466-C3CBFAF1E2C1}"
HKCR\Clsid\{9DA893A7-7E70-4022-8466-C3CBFAF1E2C1}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


--------
Logfile of HijackThis v1.99.1
Scan saved at 3:59:47 PM, on 3/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

0

Yes, it's gone.

You still have one Symantec service running, let's disable it and then delete the folder

Start>Run type Services.Msc

Locate Symantec Network Drivers Service
-Right click and choose Stop
-Choose Properties and change Startup Type to Disabled

Now reboot to Safe Mode and delete this folder
C:\Program Files\Common Files\Symantec Shared

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.