Puter says I have a virus but Norton don't.

Bearcamp

New Member
Turned the computer on today and it went to a red screen saying I have a Trojan horse virus, and there are also 3 new icons on my desktop. They are Error cleaner, Privacy Protector and Spyware +M protection. Never had them til this morning. Now I do know that as I was on the net a popup came up stating to upgrade Active X and I did. That's when it all started. I did a full system scan with Norton... it removed a Trojan horse virus and said all was okay. But I still get these popups saying: "Windows Security Alert. Windows has detected an internet attack attempt... Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from internet attacks, hijacking attempts and spyware. Click here to download spyware remover for total protection." That's what the window says. Also, a Norton window opens up stating Norton anti virus has blocked multiple attempts to change your homepage to a different web address. Now, my Norton runs out in 16 days, is that why I'm getting this crap now? They want me to buy again? While typing this I got another different popup window from Secure PC cleaner about downloading it to clean up my PC. I never had a problem til now and now all at once. Well, now what do I do? I tried to delete the icons on my desktop and if I shut down and start up, they're back... HELP, please. I'm getting a warning popup about every 1 minute saying security alert.
 
This has got nothing to do with Norton expiring. You've plain and simply been knobbled by malware.


Download the NEW ComboFix from either of these links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Double click Combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick Combofix's window whilst it's running. That may cause it to stall.


After running ComboFix....

Download HJTInstall.exe to your desktop.
  • Double-click HJTInstall.exe icon on your desktop to start the installation.
  • By default it will install to C:\Program Files\Trend Micro\Hijack This.
  • Click the Install button and HijackThis will launch automatically.
  • Click the Scan button to generate a HijackThis log and then click Save Log to open it as a text file.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back to this thread and Paste the log (Ctrl+V) in your next reply.
 
ComboFix 07-09-08 - "William xxxxxxx" 2007-09-07 13:50:48.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.602 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\WILLIA~1\Desktop\Error Cleaner.url
C:\DOCUME~1\WILLIA~1\Desktop\internet.lnk
C:\DOCUME~1\WILLIA~1\Desktop\Privacy Protector.url
C:\DOCUME~1\WILLIA~1\Desktop\Spyware&Malware Protection.url
C:\DOCUME~1\WILLIA~1\FAVORI~1\Error Cleaner.url
C:\DOCUME~1\WILLIA~1\FAVORI~1\Privacy Protector.url
C:\DOCUME~1\WILLIA~1\FAVORI~1\Spyware&Malware Protection.url
C:\Program Files\VideoAccessCodec
C:\Program Files\VideoAccessCodec\install.ico
C:\Program Files\VideoAccessCodec\Uninstall.exe
C:\Program Files\VideoAccessCodec\VideoAccessCodec.ocx
C:\WINDOWS\dat.txt
C:\WINDOWS\main_uninstaller.exe
C:\WINDOWS\msmdev.dll
C:\WINDOWS\msmhost.dll
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm
C:\WINDOWS\rs.txt


((((((((((((((((((((((((( Files Created from 2007-08-08 to 2007-09-08 )))))))))))))))))))))))))))))))
.

2007-09-07 13:50 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-08-26 09:48 <DIR> d-------- C:\Program Files\Microsoft Hardware
2007-08-26 09:46 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2007-08-26 09:46 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-08-17 17:54 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\ZoomBrowser EX
2007-08-17 17:51 <DIR> d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Canon
2007-08-17 17:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ZoomBrowser
2007-08-17 17:47 <DIR> d-------- C:\Program Files\Common Files\Canon
2007-08-17 17:47 <DIR> d-------- C:\Program Files\Canon
2007-08-17 17:07 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-08-17 17:07 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-08-14 18:47 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-08-09 16:28 <DIR> d-------- C:\Program Files\1-2-3 Word Search Maker

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-07 13:23 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-07 12:36 --------- d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\OpenOffice.org2
2007-07-26 14:17 --------- d-------- C:\DOCUME~1\WILLIA~1\APPLIC~1\Google
2007-07-26 14:06 --------- d-------- C:\Program Files\Google
2007-07-25 15:05 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-13 18:16 --------- d-------- C:\Program Files\Norton AntiVirus
2007-07-13 18:14 806 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-07-13 18:14 8014 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-07-13 18:14 115000 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-07-13 18:14 --------- d-------- C:\Program Files\Symantec
2007-07-13 18:13 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-06-13 03:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-01-23 19:46 6126 --a------ C:\DOCUME~1\WILLIA~1\xx_tempopt.bin
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" []
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-08-20 14:15]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 11:12]
"HPHUPD05"="C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-20 14:23]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-07-25 07:14]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-12-31 21:30]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30]
"POINTER"="point32.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-29 06:16]

C:\DOCUME~1\WILLIA~1\STARTM~1\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Lightsurf.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Lightsurf.lnk
backup=C:\WINDOWS\pss\Lightsurf.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SATARaid.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SATARaid.lnk
backup=C:\WINDOWS\pss\SATARaid.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nForce Tray Options]
sstray.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
C:\PROGRA~1\Nero\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Start WingMan Profiler]


R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\si3112r.sys
R3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINDOWS\system32\Drivers\ALABULK2.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
R3 WmHidLo;Logitech WingMan USB Filter Driver;C:\WINDOWS\system32\drivers\WmHidLo.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-09-03 16:39:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-07-29 14:56:00 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7900#CN39D310DXEV.job"
- C:\Program Files\HP\hpcoretech\comp\hpdarc.exe
"2007-09-07 18:56:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\pexpress\hphped05.exe
"2007-09-01 03:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - William Neiswender.job"
- C:\PROGRA~1\NORTON~1\Navw32.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-08 13:55:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-09-08 13:57:38 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-08 13:57
.
--- E O F ---
 
I'll tell you what John. I'm not a computer wiz at all and you made that so simple for me. And everything is gone and seems to be working okay. Was that the fix or is that malware still there? Icons are gone and the popups stopped.
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:40:06 PM, on 9/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wnep.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8297 bytes

Is this what you wanted? Hope so. Thanks.
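
For readers following the log above, an added example (not part of the original posts, and not code from HijackThis or Trend Micro): a small Python parser that turns the O4 autostart and O23 service lines of a HijackThis log into structured entries and lists the ones an analyst would look at first. The sample lines are copied from the log in this thread; the two review rules (no drive-letter path, "Unknown owner") are assumptions chosen for illustration and are prompts for a closer look, not verdicts.

```python
import re
from typing import NamedTuple

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""


class Entry(NamedTuple):
    kind: str      # "run", "startup" or "service"
    location: str  # e.g. "HKLM\Run" or "Startup"; empty for services
    name: str
    owner: str     # only filled in for O23 service lines
    command: str


# O4 registry autostarts: "O4 - HKLM\..\Run: [name] command"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O4 startup-folder shortcuts: "O4 - Startup: name.lnk = target"
STARTUP_RE = re.compile(
    r"^O4 - (?P<loc>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$")
# O23 services: "O23 - Service: display name - owner - C:\path" (fields split on " - ")
SERVICE_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>[A-Za-z]:\\.+)$")
ABSOLUTE_RE = re.compile(r'^"?[A-Za-z]:\\')


def parse_hijackthis(text):
    """Return the O4 and O23 lines of a HijackThis log as Entry tuples."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            entries.append(Entry("run", f"{m['hive']}\\{m['key']}", m["name"], "", m["cmd"]))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("startup", m["loc"], m["name"], "", m["cmd"]))
        elif m := SERVICE_RE.match(line):
            entries.append(Entry("service", "", m["name"], m["owner"], m["cmd"]))
    return entries


def review_prompts(entries):
    """Assumed triage rules: list entries worth a manual look, with the reason."""
    prompts = []
    for e in entries:
        if e.kind != "service" and not ABSOLUTE_RE.match(e.command):
            prompts.append((e.name, "no drive-letter path; confirm which file actually runs"))
        if e.kind == "service" and e.owner.lower() == "unknown owner":
            prompts.append((e.name, "service reported as 'Unknown owner'"))
    return prompts


if __name__ == "__main__":
    for name, reason in review_prompts(parse_hijackthis(SAMPLE_LOG)):
        print(f"{name}: {reason}")
```
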
 
Yes but I will let John McKenna do this, after all he's the one who's taking care of you :p
 
It looks like everything was removed in one fell swoop.

Scan with HijackThis and place a checkmark in the boxes before the following entries:-

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Close all other windows except HijackThis and click the "Fix Checked" button.


Then using Internet Explorer, click here to use the Eset Online Scanner.
  • Accept the terms of use and click the Start button.
  • When prompted to install an ActiveX Control, click the yellow notification bar and select Install ActiveX Control.
  • Click the Install button on the Security Warning window which appears.
  • Once the ActiveX installs click the Start button to download the signature database when prompted.
  • On the "Computer Scan" options window select Remove found threats but leave Scan unwanted applications unchecked, then hit the Scan button.
  • A log file of the results can be found at C:/Program Files/EsetOnlineScanner/log.txt
  • Post the results in your next reply please.
 
Scan with HijackThis and remove this entry only:

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

Then run the online scan at Eset as instructed.
 
They want me to install ActiveX control first. Is that okay as I do believe that's where it all started. Seems that way.
 
Yeah, it's a legit copy of ActiveX. I had somebody that brought a PC into work that installed a fake copy of ActiveX by accident and they got the same thing.
 
ALL CLEAN... Thanks a lot John, you explained everything in MY terms that I could understand and I even learned a lot. Thanks again.
 
C:\WINDOWS\privacy_danger
C:\WINDOWS\privacy_danger\images\capt.gif
C:\WINDOWS\privacy_danger\images\danger.jpg
C:\WINDOWS\privacy_danger\images\down.gif
C:\WINDOWS\privacy_danger\images\spacer.gif
C:\WINDOWS\privacy_danger\index.htm

^ What are those?
 
The images a victim gets on their desktop.

danger.jpg


down.gif


capt.gif
 