Jump to content


Photo

bad spyware... I've tried everything :( Help!


  • Please log in to reply
6 replies to this topic

#1 louisa1212

louisa1212

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 20 June 2004 - 04:30 PM

First, I kept being taken to a florescent green angelfire site and another site like ewook (sp??)

Norton first noted that I had a virus. It was in systemse.exe and was created zillions of randomly numbered tftp files, size 0 b. Norton slowly deleted most of the tftp files, I deleted more manually. Norton also found problems in msnmsgr.exe, and there was a 9721_upload.exe. Norton called this a w32.spybot.worm but couldn’t cure it… often it couldn’t even quarantine it initially (although later it said quarantine was successful for the same file name).

My computer also seems to be uploading a lot more information than it should!

I have run: adaware, spybot s&d, cwshredder, and aluria’s Spyware eliminator. I fixed everything that came up in Adaware and Spybot s&d. I had no issues according to cwshredder. Aluria’s spyware eliminator said that I had two problems in: HKEY_CURRENT_USER\software\Microsoft\windows\currentversion\internet settings\zonemap\domains\

Also, I’ve read (and followed) all of your instructions. I couldn’t run Panda or Trendmicro… although I tried. Trojanhunter didn’t find anything.

Please help... thank you, thank you!

***

Logfile of HijackThis v1.97.7
Scan saved at 2:23:40 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.internet-search.info
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://calmail.berkeley.edu/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.internet-....info/searchbar
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.internet-....info/keyword%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 20 June 2004 - 05:50 PM

louisa1212:

You have the RBot worm. It does behave exactly as you've said, and it would be uploading more information than you'd normally expect. You can read more about that here.

We can try to eliminate it manually. Run HijackThis! again and place a check mark next to the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.internet-search.info
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.internet-....info/searchbar
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.internet-....info/searchbar
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.internet-....info/keyword%s
O4 - HKLM\..\Run: [Microsoft Update Machine] systemse.exe
O4 - HKCU\..\Run: [Microsoft Update Machine] systemse.exe


The following lines are optional to check. They don't need to be run at startup and only waste system resources:

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE


Now, click on "Fix Checked" and let HijackThis! do its work. After it's finished, you'll need to reboot, but you need to reboot into Safe Mode. If you don't know how to do that, consult this: How do I boot into "Safe" mode?. Once in Safe Mode, delete systemse.exe, then boot back into normal mode. Update your Norton Anti-Virus database through Live Update, then scan your system again. After you've finished, post another HijackThis! log in this thread so that we can see if you're clean.

#3 louisa1212

louisa1212

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 20 June 2004 - 06:40 PM

I followed all of your directions and have included my most recent HijackThis log.

Thank you so much for your help! I've been absolutely flailing for the past few days and you made things so easy. You are wonderful for helping! And so quickly, too.

I think I'll stick to firefox from now on. :)

Do you recommend I reinstall my OS and Microsoft Office to make extra sure everything is clean? And do I need to worry about msnmsgr.exe? or the RunServices [Microsoft Update Machine] systemse.exe?

Thank you.

***
Logfile of HijackThis v1.97.7
Scan saved at 4:38:29 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://calmail.berkeley.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#4 louisa1212

louisa1212

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 20 June 2004 - 07:54 PM

Hmm, I just ran Norton again and it found a new virus: c.bat in c:\windows\system32. Norton quarantined but couldn't clean. I tried to get rid of it using spybot s&d, trojanhunter, adaware and nothing worked again... please help. Thank you!!!!

***
Logfile of HijackThis v1.97.7
Scan saved at 5:48:50 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\TrojanHunter 3.9\TrojanHunter.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://calmail.berkeley.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msn] msnmsgr.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe
O4 - HKLM\..\RunServices: [msn] msnmsgr.exe
O4 - HKCU\..\Run: [msn] msnmsgr.exe
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#5 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 20 June 2004 - 08:15 PM

Yes, you have to worry about systemse.exe, since that's the trojan file. That's why I asked you to remove both entries for it using HijackThis! and reboot into Safe Mode to delete the file. msnmsgr.exe is the legitimate MSN Messenger file; only remove it using HijackThis! if you're not using MSN Messenger.

So, go back into HijackThis! and check the following line:

O4 - HKLM\..\RunServices: [Microsoft Update Machine] systemse.exe


Close all browser windows, and click on "Fix Checked". Then reboot into Safe Mode, find systemse.exe, and delete it. Then, reboot into normal mode and do another HijackThis! log.

#6 louisa1212

louisa1212

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 20 June 2004 - 09:03 PM

OK, I deleted the runsystem\...\systemse.exe using hijackthis. I went into my computer in safe mode and searched all files and folders and didn't find systemse. I guess it was deleted the first time go around in safe mode.

I'm still concerned about the c_bat virus that Norton just found. It is located in c:\windows\system32 and Norton said it was quarantined. When I was in safe mode I checked the system32 folder and didn't see any c_bat. Ought I do anything else?

Thank you so much for your help. The constant queries must get tiresome. :)

Good night!

***
Logfile of HijackThis v1.97.7
Scan saved at 7:01:01 PM, on 6/20/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\HPConfig.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\S3tray2.exe
C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe
C:\windows\system\hpsysdrv.exe
C:\PROGRA~1\HPONE-~1\OneTouch.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://calmail.berkeley.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.att.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [HP Display Settings] C:\Program Files\Hewlett-Packard\HP Display Settings\hpdisply.exe /s
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [QT4HPOT] C:\PROGRA~1\HPONE-~1\OneTouch.EXE
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.9\THGuard.exe"
O4 - Startup: ASE Scheduler.lnk = C:\Program Files\Aluria Software\ASE\ASE Scheduler.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.att.net
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#7 The Spie

The Spie

    Member

  • Retired Staff - Helper
  • Pip
  • 68 posts

Posted 21 June 2004 - 03:27 PM

Louisa:

Your log looks clean now. Just empty out Norton's quarantine files and it'll be off your system for good. And the "constant queries" aren't tiresome. We're here to help, after all.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button