Hi everyone: My PC is infected with Trojan.Popper. I have Spyware Doctor, Spy Sweeper, and Norton Internet Security. None of them can eliminate it. They find it, say it's been deleted, but it always reappears. I called Norton; they charged me $40 to direct me to a FREE page of instructions that I had already tried. When I complained they just hung up!!! Can ANYBODY help?!?!? Trojan.Popper is interfering with a lot of programs. Thank you, thank you, thank you.
Hi: Thanks for the quick response. Here is the file:

Logfile of HijackThis v1.99.1
Scan saved at 10:35:32 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
G:\PC BackUp\NMSAccess.exe
G:\PC BackUp\NSENGINE.exe
g:\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\QuickTime\qttask.exe
G:\PC BackUp\NbkCtrl.exe
E:\Program Files\Messenger\msmsgs.exe
G:\SPYWAR~1\swdoctor.exe
E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Program Files\Internet Explorer\iexplore.exe
E:\Documents and Settings\H. Finn MD.HSF.004\Local Settings\Temporary Internet Files\Content.IE5\UND3Z2UZ\HijackThis_v1.99.1[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVD43] F:\DVDREG~2\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "G:\PC BackUp\NbkCtrl.exe"
O4 - HKCU\..\Run: [NBJ] "F:\Nero\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147838620234
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NsEngine - Unknown owner - G:\PC BackUp\NSENGINE.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - g:\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop.
Open the folder SmitfraudFix and double-click smitfraudfix.cmd.
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).

Download eScan to your desktop -> http://www.spywareinfo.dk/download/mwav.exe
Run the file mwav.exe and unzip it to its default location, C:\Kaspersky

1. Updating the scanner (close the eScan window if open)
-> Go to My Computer -> C:\ -> Kaspersky -> Run the file kavupd.exe; it starts downloading updates
-> When downloading is finished, go to C:\Downloads
-> Copy all the files in the Downloads folder by pressing CTRL+A and then CTRL+C
-> Then go back to the C:\Kaspersky folder and paste the files by pressing CTRL+V
-> Answer Yes to all when it asks about replacing files
-> Now the scanner has been updated

2. Scanner settings
-> Go to folder C:\Kaspersky and run the file mwavscan.com (or mwavscan.exe)
-> The scanner window opens
-> Select the same settings as in this picture -> http://koti.mbnet.fi/pattaya1/eScan6.jpg
-> When ready, press the Scan Clean button
-> Scanning for infections begins

3. Posting the results
-> When the scan has finished (the scan may take quite a long time), you'll need to post the findings
-> Copy all the text in this field -> http://koti.mbnet.fi/pattaya1/eScan10.jpg
-> Click the field, press CTRL+A, CTRL+C
-> Then open Notepad and paste the findings into a new document by pressing CTRL+V
-> Save the document to your desktop
-> Post the contents of that text file here

Boot the computer and send the requested logs.
tapiiri: Here are the files you asked for. And again, thanks so much for your help!

SmitFraudFix v2.65
Scan done at 20:28:51.60, Fri 06/30/2006
Run from F:\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» E:\

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\H. Finn MD.HSF.004\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\HFINNM~1.004\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

=====================================================================

Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\064F7AAF.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\0A4E076D.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\103A42A1.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\138D18B0.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\21FD5F29.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\22000926.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\3015226E.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\38CD5642.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\4DEA5CBC.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\5210342F.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\57BD2FEF.exe infected by "Trojan.Win32.Dialer.oy" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\66561FF3.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\665949EF.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\68460DD1.WIN infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\684D61C9.exe infected by "Trojan-Downloader.Win32.Adload.az" Virus! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\78EB7503.exe infected by "Trojan-Downloader.Win32.Zlob.rj" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005779.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005780.exe infected by "Trojan-Downloader.Win32.Small.buy" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005781.exe infected by "Trojan-Downloader.Win32.Small.bke" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005782.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005784.dll infected by "Backdoor.Win32.Agent.oo" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005785.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005786.exe infected by "Trojan-Downloader.Win32.Small.ayl" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005787.exe tagged as "not-a-virus:AdWare.Win32.Raze.a". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005788.exe infected by "Trojan-Downloader.Win32.Agent.sy" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP78\A0006962.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP79\A0007514.exe tagged as not-a-virusownloader.Win32.Agent.h. No Action Taken.

Total Critical Objects: 30
Total Errors: 67
Clean your system restore: http://www.pchell.com/virus/systemrestore.shtml

Only these do we have to examine closer:
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.

Locate and remove EZULA

* Reboot your computer in Safe Mode: http://www.pchell.com/support/safemode.shtml
* Double-click smitfraudfix.cmd
* Select 2 and hit Enter to delete infected files.
* You will be prompted: "Do you want to clean the registry?" Answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
* The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): "Replace infected file?" Answer Y (yes) and hit Enter to restore a clean file.
* A reboot may be needed to finish the cleaning process.

The report can be found at the root of the system drive, usually at C:\rapport.txt. Send it here along with a fresh HjT log.
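Added illustration (not part of the thread, and not a tool either poster used): the triage the helper applies to the eScan report above, written out in Python. It parses the report's "File ... infected by ..." / "tagged as ..." / "Object ..." line shapes and sorts each hit by where it sits: inside the Norton quarantine folder, inside a System Restore snapshot (cleared by purging restore points, which is what "clean your system restore" does), or somewhere live on disk. The sample report is constructed; its detection names and paths are copied from the posted report except the last "File" line and its "Constructed.Sample" name, which are made up to show a live hit.

```python
"""Triage an eScan (mwav) report of the kind posted in this thread.

A detection inside the Norton quarantine store or inside a System Restore
snapshot is an inert copy: emptying the quarantine and purging restore points
removes it. Only hits outside those stores, and name-only "Object" hits,
point at something that still needs a closer look.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample report. Line shapes, paths and detection names are copied
# from the eScan report posted in the thread; the final "File" line is a made-up
# path and name added to show how a hit outside quarantine/restore is reported.
SAMPLE_REPORT = r"""
Object "ezula Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "zlob Trojan-Downloader" found in File System! Action Taken: No Action Taken.
File E:\Documents and Settings\All Users.WINDOWS\Application Data\Symantec\Norton AntiVirus\Quarantine\064F7AAF.exe infected by "Trojan-Downloader.Win32.Tiny.bw" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.exe infected by "Trojan-Clicker.Win32.VB.ij" Virus! Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP77\A0005779.dll tagged as "not-a-virus:AdWare.Win32.Suggestor.o". Action Taken: No Action Taken.
File E:\System Volume Information\_restore{99E0A354-0CE2-419D-BEAE-5E0C2EFEA573}\RP78\A0006962.exe tagged as not-a-virus:RiskTool.Win32.PsKill.n. No Action Taken.
File E:\WINDOWS\system32\constructed_example.exe infected by "Constructed.Sample" Virus! Action Taken: No Action Taken.
Total Critical Objects: 30 Total Errors: 67
"""

# "File <path> infected by "<name>" Virus! ..." and "File <path> tagged as <name>. ..."
# The detection name may or may not be quoted (both forms appear in the report).
FILE_RE = re.compile(
    r'^File (?P<path>.+?) (?P<verb>infected by|tagged as) "?(?P<name>[^"\s]+)"?(?: Virus!|\.)'
)
# "Object "<name>" found in File System! ..." carries no path at all.
OBJECT_RE = re.compile(r'^Object "(?P<name>[^"]+)" found in File System!')

# Norton's quarantine store and System Restore snapshot folders. The alert later
# in the thread names the restore point through a shadow-copy device path, so
# these patterns key on folder names rather than on a drive letter.
QUARANTINE_RE = re.compile(r"\\Norton AntiVirus\\Quarantine\\", re.IGNORECASE)
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Detection:
    kind: str      # "file" or "object"
    name: str      # detection name exactly as eScan printed it
    path: str      # flagged file, or "" for name-only Object hits
    location: str  # "quarantine", "restore_point", "live", or "n/a"


def classify_path(path: str) -> str:
    """Decide where a flagged file lives; that decides how it gets cleaned."""
    if QUARANTINE_RE.search(path):
        return "quarantine"
    if RESTORE_RE.search(path):
        return "restore_point"
    return "live"


def parse_report(text: str) -> list[Detection]:
    """Turn eScan result lines into Detection records; other lines are skipped."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            path = m.group("path")
            found.append(Detection("file", m.group("name"), path, classify_path(path)))
            continue
        m = OBJECT_RE.match(line)
        if m:
            found.append(Detection("object", m.group("name"), "", "n/a"))
    return found


def triage(text: str) -> dict:
    """Group hits the way the helper did: which ones still need a closer look?"""
    dets = parse_report(text)
    by_location = Counter(d.location for d in dets if d.kind == "file")
    needs_attention = [d for d in dets if d.kind == "object" or d.location == "live"]
    return {"total": len(dets), "by_location": dict(by_location), "needs_attention": needs_attention}


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("file hits by location:", result["by_location"])
    for d in result["needs_attention"]:
        print(f"  look closer: {d.name} -> {d.path or '(name-only hit, no path)'}")
    # Norton's recurring alert from later in the thread: the flagged copy sits in
    # a restore point, reached here through a shadow-copy device path.
    alert = (r"\device\HarddiskVolumeShadowCopy3\System Volume Information"
             r"\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.EXE")
    print("Norton alert path is in:", classify_path(alert))
```

On the posted report this sorts every "File" hit into the quarantine or restore-point buckets, leaving only the two name-only Object hits to chase, which matches the advice in the reply above.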
Here are the other logs:

Logfile of HijackThis v1.99.1
Scan saved at 12:31:54 AM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\WINDOWS\system32\spoolsv.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
G:\PC BackUp\NMSAccess.exe
G:\PC BackUp\NSENGINE.exe
g:\Spyware Doctor\sdhelp.exe
E:\WINDOWS\System32\svchost.exe
E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\Program Files\Microsoft IntelliPoint\point32.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F:\iTunes\iTunesHelper.exe
E:\Program Files\Common Files\Symantec Shared\ccApp.exe
E:\WINDOWS\Mixer.exe
E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
E:\Program Files\Winamp\winampa.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\QuickTime\qttask.exe
G:\PC BackUp\NbkCtrl.exe
E:\Program Files\Messenger\msmsgs.exe
G:\SPYWAR~1\swdoctor.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\WINDOWS\System32\alg.exe
E:\Program Files\Internet Explorer\iexplore.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
E:\Program Files\Symantec\LiveUpdate\AUpdate.exe
E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
E:\Documents and Settings\H. Finn MD.HSF.004\Local Settings\Temporary Internet Files\Content.IE5\UND3Z2UZ\HijackThis_v1.99.1[1].exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
E:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - G:\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - G:\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - E:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - G:\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DVD43] F:\DVDREG~2\DVDREG~1\DVDRegionFree.exe /hidden
O4 - HKLM\..\Run: [IntelliPoint] "E:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "F:\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "E:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SpySweeper] "E:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [WinampAgent] E:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NovaBackup 7 Tray Control] "G:\PC BackUp\NbkCtrl.exe"
O4 - HKCU\..\Run: [NBJ] "F:\Nero\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [MSMSGS] "E:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] G:\SPYWAR~1\swdoctor.exe /Q
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\OFFICE\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - G:\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://symantec.atgnow.com/sdccommon/download/tgctlsi.cab
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (DownloadManager Control) - http://dlmanager.akamaitools.com.edgesuite.net/dlmanager/versions/activex/dlm-activex-2.0.5.0.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147838620234
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://liveca12.custhelp.com/7530-b327h/rnl/java/RntX.cab
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - E:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - G:\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - G:\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NMSAccess - Unknown owner - G:\PC BackUp\NMSAccess.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NsEngine - Unknown owner - G:\PC BackUp\NSENGINE.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - G:\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - g:\Spyware Doctor\sdhelp.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - E:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - E:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

====================================================================

SmitFraudFix v2.65
Scan done at 20:28:51.60, Fri 06/30/2006
Run from F:\smitfraud\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode ***[It says "normal mode", but it was in Safe Mode.]***

»»»»»»»»»»»»»»»»»»»»»»»» E:\

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles

»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\H. Finn MD.HSF.004\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\HFINNM~1.004\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End

====================================================================

So, am I cured?
Unfortunately, the virus was not removed. When running a backup, I again got the following alert message from Norton AntiVirus. It is the same one I always get:

Virus Location: \device\HarddiskVolumeShadowCopy3\System Volume Information\_restore{7F87E836-B1CD-4D96-BB59-153291F12E71}\RP58\A0007847.EXE
Virus: Trojan.Popper
Action Taken: Unable to repair this file.
Action Taken: Access to the file was denied.

===============================================================

Below are the removal instructions from Symantec. However, there is no "Windows Overlay Components" in services.msc, and none of the registry keys listed can be found by me or by the registry FIND command.

3. To find and stop the service
Click Start > Run.
Type services.msc, and then click OK.
Locate and select the service "Windows Overlay Components".
Click Action > Properties.
Click Stop.
Change Startup Type to Manual.
Click OK and close the Services window.

4. To scan for and delete the infected files
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, click Delete.
Important: If you are unable to start your Symantec antivirus product or the product reports that it cannot delete a detected file, you may need to stop the risk from running in order to remove it. To do this, run the scan in Safe mode. For instructions, read the document, How to start the computer in Safe Mode. Once you have restarted in Safe mode, run the scan again.
After the files are deleted, restart the computer in Normal mode and proceed with the next section.
Warning messages may be displayed when the computer is restarted, since the threat may not be fully removed at this point. You can ignore these messages and click OK. These messages will not appear when the computer is restarted after the removal instructions have been fully completed. The messages displayed may be similar to the following:
Title: [FILE PATH]
Message body: Windows cannot find [FILE NAME]. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.

5. To delete the value from the registry
Important: Symantec strongly recommends that you back up the registry before making any changes to it. Incorrect changes to the registry can result in permanent data loss or corrupted files. Modify the specified subkeys only. For instructions refer to the document: How to make a backup of the Windows registry.
Click Start > Run.
Type regedit
Click OK.
Note: If the registry editor fails to open, the threat may have modified the registry to prevent access to the registry editor. Security Response has developed a tool to resolve this problem. Download and run this tool, and then continue with the removal.
Navigate to the subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete any values that refer to the filenames noted in Step 4(c) above. The value will be of the form:
"random" = "%Windir%\[RANDOM].exe"
Navigate to and delete the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OvMon
HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Windows Overlay Components
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Windows Overlay Components
Exit the Registry Editor.

=================================================================

This is SO frustrating!!! Any other ideas? Thanks
Hi fincab,

Update eScan and Norton.

Turn off your system restore: http://www.pchell.com/virus/systemrestore.shtml

* Reboot your computer in Safe Mode: http://www.pchell.com/support/safemode.shtml

Scan with both, eScan on all hard drives and Norton:
Start your Symantec antivirus program and make sure that it is configured to scan all the files.
For Norton AntiVirus consumer products: Read the document: How to configure Norton AntiVirus to scan all files.
For Symantec AntiVirus Enterprise products: Read the document: How to verify that a Symantec Corporate antivirus product is set to scan all files.
Run a full system scan.
If any files are detected, click Delete.

Boot normally. Let me know if any error messages appear after rebooting. Then I'll make a fix script for the registry.