
NAV viruses not showing, now have one

Discussion in 'Security and Privacy' started by twichell, 2004/05/25.

Thread Status:
Not open for further replies.
  1. 2004/06/01
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV virus

    Do you want the logs from both HijackThis and Spybot? If so, I will send the Spybot one separately, as I'm told both are too long.
    Logfile of HijackThis v1.97.7
    Scan saved at 10:07:33 AM, on 6/1/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
    C:\WINDOWS\System32\yppmhoe.exe
    C:\WINDOWS\System32\ieptopen.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\All Users\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.scoresandodds.com./"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\SCAN&F~1\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [OPfv.exe] C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
    O4 - HKLM\..\Run: [fnpdyyuewekwx] C:\WINDOWS\System32\yppmhoe.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [AutoLoaderwF5t1QKXIQaX] "C:\WINDOWS\System32\ieptopen.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [wsmR3EX] ieptopen.exe
    O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm41433
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall
    Heard many times: DON'T USE AD-AWARE. Yet you all recommend it highly.
    Comment: Spybot says Peper is gone, yet still many popups.

    Laura
     
  2. 2004/06/01
    noahdfear

    Please try running the Peper fix I posted, or get Lonny's to run through completely. No, we don't need a Spybot log. YES, we HIGHLY recommend using Ad-aware!! Many, many folks on this board, and MANY others, not only recommend it but use it. There are some rogue programs with names that are very similar to Ad-aware, and should be avoided, but Ad-aware by Lavasoft is the one to get.

    Post a new HJT log when done. :)

    Where did you hear NOT to use Ad-aware????
     

  4. 2004/06/01
    Lonny Jones

    twichell, hi again
    No need for a Spybot log

    Great, Peper is gone, good work :)
    Wait until noahdfear responds before taking any action. He might spot something I have missed, and probably will.


    Download CWShredder, don't use it until further down (link below)

    Start Hijackthis and place a check next to these items
    Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Then hit Fix checked
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\SearchBar.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\SCAN&F~1\SPYBOT~1\SDHelper.dll (file missing)

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [OPfv.exe] C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
    O4 - HKLM\..\Run: [fnpdyyuewekwx] C:\WINDOWS\System32\yppmhoe.exe
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - HKLM\..\Run: [AutoLoaderwF5t1QKXIQaX] "C:\WINDOWS\System32\ieptopen.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [wsmR3EX] ieptopen.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm41433
    ==========
    Run CWShredder
    http://www.net-integration.net/tools/hijackthis.html#cwshredder << from there
    Click Fix, don't just scan. You have several CoolWebSearch components which it should remove.
    If you already have it, just download another copy and overwrite the old one,
    to ensure it's the latest version. Currently it's ver 1.57.


    Restart the PC, then find and delete (ONLY THESE EXACT) files and folders.
    Be very careful; if you're unsure, leave them be.
    You might have to have Windows show hidden files and folders in order to see them.
    How to show hidden files and folders.
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\ieptopen.exe
    C:\WINDOWS\alchem.exe
    C:\WINDOWS\System32\SearchBar.htm
    C:\WINDOWS\System32\yppmhoe.exe

    Important: clear IE's cache via Control Panel > Internet Options, [Delete Files] button, and tick the box in the popup to also delete offline content.
    And delete the contents of all your temp folders, as in
    C:\Documents and Settings\(all your PC users)\Local Settings\Temp
    (contents only, not the folders)
    and the contents of the C:\WINDOWS\Temp folder (folders inside it too).

    =============

    I suggest you uninstall Spybot, then download it again if necessary (version 1.3) and install it once more, this time using the default install paths and settings. Don't install programs to the Start menu or even to the
    C:\Documents and Settings folders; let programs install where they want to, which is usually
    C:\Program Files

    Then run it again, check for updates, then check for problems > restart the PC after fixing what it finds, then come back and make/post a new HijackThis log.

    Who is it that has told you Ad-Aware, the anti-spyware program, isn't a good thing?
     
  5. 2004/06/01
    noahdfear

    Looks good Lonny. :) Only other things I would recommend, after clearing temps and TIFs, open C:\Windows\Prefetch, select all and delete. Then empty the Recycle Bin and, if you have it, Norton Protected storage. Disable System Restore and re-enable after reboot.
     
  6. 2004/06/01
    mikewanca

    Laura,
    Is that exactly what Housecall found....malware...sandbox? "Malware" is a general term that covers many different types of code, including viruses, trojans, spyware, adware, dialers, keyloggers, unsafe ActiveX, hostile java applets and more, so you really need a program like AdAware or SpybotSD in addition to an antivirus program, and run it periodically.
    See:
    Dealing with Unwanted Spyware and Parasites
    http://mvps.org/winhelp2002/unwanted.htm
    and:
    Combating Nonviral Malware
    http://infosecuritymag.techtarget.com/2002/may/combatingmalware.shtml

    This page includes free technical support options for NAV2003:
    http://www.symantec.com/techsupp/nav/nav_2003_tasks.html
    The virus issue link takes you to
    http://www.symantec.com/techsupp/nav/nav_2003_info_solve_virus.html
     
  7. 2004/06/02
    twichell

    NAV viruses

    Hijack's 6/2 log
    Logfile of HijackThis v1.97.7
    Scan saved at 1:08:04 PM, on 6/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\IEHost.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
    C:\WINDOWS\System32\yppmhoe.exe
    C:\WINDOWS\System32\ieptopen.exe
    C:\WINDOWS\System32\ieptopen.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\macromed\flash\GetFlash.exe
    C:\Applications\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.scoresandodds.com./"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [OPfv.exe] C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
    O4 - HKLM\..\Run: [fnpdyyuewekwx] C:\WINDOWS\System32\yppmhoe.exe
    O4 - HKLM\..\Run: [AutoLoaderwF5t1QKXIQaX] "C:\WINDOWS\System32\ieptopen.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [wsmR3EX] ieptopen.exe
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Downloaded Ad-Aware and CWShredder and ran both, then did HijackThis.
    Not allowed to delete the following, as told to:
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\ieptopen.exe
    C:\WINDOWS\alchem.exe
    C:\WINDOWS\System32\SearchBar.htm
    C:\WINDOWS\System32\yppmhoe.exe

    Still many popups.
    Laura
     
  8. 2004/06/02
    twichell

    NAV viruses

    Sorry, forgot. Also did the following:
    deleted TIF, cache and temp files & Prefetch. Then recycle Bin.
    Couldn't find if I have Norton's protected storage

    Laura
     
  9. 2004/06/02
    Lonny Jones

    OK Let's do it this way.
    Restart the PC into safe mode
    How to start in safe mode

    Start Hijackthis and place a check next to these items
    Close all browser windows and shut down all other programs (even folders) that show in the taskbar. Then hit Fix checked.
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
    O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
    O4 - HKLM\..\Run: [OPfv.exe] C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
    O4 - HKLM\..\Run: [fnpdyyuewekwx] C:\WINDOWS\System32\yppmhoe.exe
    O4 - HKLM\..\Run: [AutoLoaderwF5t1QKXIQaX] "C:\WINDOWS\System32\ieptopen.exe" /PC="AM.WILD" /HideUninstall
    O4 - HKLM\..\Run: [wsmR3EX] ieptopen.exe
    ======
    Then delete those files
    C:\WINDOWS\System32\IEHost.exe
    C:\WINDOWS\System32\ieptopen.exe
    C:\WINDOWS\alchem.exe
    C:\WINDOWS\System32\SearchBar.htm
    C:\WINDOWS\System32\yppmhoe.exe
    C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe

    Restart back to normal Windows, come back, then make and post a new log
     
  10. 2004/06/02
    Newt

    twichell - if you were running Norton's protected storage you would see both it (Norton Protected Recycle Bin I think is the label) and your normal recycle bin when you right-clicked the icon to empty. If you only see the normal recycle bin then you aren't using it.

    BTW - one of your entries makes me think you are using Norton Speed Disk to defrag your hard drive(s). With XP that isn't a good thing to do since XP (running a Diskeeper product) and Norton have different ideas about a properly defragged drive and the second Norton finishes, XP will start to change things. Causes lots of fragmentation in a hurry. I'd suggest just using the XP utility.
     
  11. 2004/06/03
    twichell

    NAV viruses

    Did as you instructed. But 2 things: In HijackThis, couldn't find '/PC="AM.WILD" /HideUninstall'. Also, unable to delete the file C:\WINDOWS\System32\SearchBar.htm. Searched, plus looked in the System32 folder...no luck.
    Deleted the other five. As a result, Norton's WinDoctor is not happy. 2 missing or invalid keys...Twain and VX2. And alchem is a missing startup file. Can't figure out how to send you their full statement. Won't let me copy/paste.

    Logfile of HijackThis v1.97.7
    Scan saved at 9:09:56 AM, on 6/3/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Sierra\Planner\PLNRnote.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE

    Prefetch. What is it, and how often do I delete the files in the folder?
    Didn't know Norton Speed Disk conflicts with XP. Had used it a lot with 98.
    Ignore, or is there a way to disable it?

    Laura
     
  12. 2004/06/03
    noahdfear

    Prefetch loads previously used programs/applications into memory so they can be accessed more quickly should you decide to use them. Some of the things you want to remove can remain active in the Prefetch folder, even though they have been removed elsewhere, allowing them to continue working. It will automatically rebuild itself after deleting everything, as you use your computer.

    Your last log is not complete. Please post another. :)
     
  13. 2004/06/03
    Newt

    You should be able to take speed disk off any auto-run settings (and remove the scheduled task if you have one).

    I used the app and liked it well from 98 to NT4 to 2K. I even used it with XP until I finally figured out why my drive kept getting so badly fragmented in such a short time.

    The problem is that it does defrag in a totally different fashion than the one built into XP so each app sees a drive defragged by the other app as being in really bad shape and 'fixes' it. The native XP one cannot really be disabled and it does some housekeeping in the background even if you never run it manually.

    An additional benefit of the XP defrag utility is that it will do your registry hives even while the PC is running and I don't think Norton was ever able to do that. I had to run a 3rd party app that would defrag the registry pieces after a reboot.
     
  14. 2004/06/03
    Johanna

    Newt is right. I used to use Norton Utilities, but with XP, it's a constant fight. XP defrags and rearranges on the fly, and Norton is only as good as the updates it receives. SpeedDisk and XP's Defrag are counter-productive. Since XP does the better job, use it. I run WinDr occasionally (old habits are hard to break!) and mostly it finds invalid shortcuts. Cleaning them up serves no purpose whatsoever, but I do it anyway. The next build or reinstall, I won't include NU, but I am very pleased with NIS in all flavors.

    Newt
    This is not true. It may be for AV users only, but my Live Update goes off about every 6 hours or so, to search for any updates. If there is anything it wants, it directly downloads and installs in the background, showing the little beaming icon while it's busy. I'm on a cable, always on, and I'm pleased that Norton is "set it and forget it"!

    Once a week or so I check LU myself to see if there is anything there- Symantec will hold off on downloading anything requiring a reboot. I let Norton do whatever it wants. It's the only thing set for unlimited net access, while it holds back everything else that argues about "phoning home". By the way, I have NIS 03 on my own computer, NIS 2002 on the kids', and NIS 04 on my mom's. All are on cable, and search for updates 3 or 4 times a day, every day. FWIW.

    Johanna
     
  15. 2004/06/04
    twichell

    NAV viruses

    Not clear as to how often to delete the contents of Prefetch, if I really should, or what I should really keep.
    Logfile of HijackThis v1.97.7
    Scan saved at 9:46:22 AM, on 6/4/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.scoresandodds.com./"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Deleted Speed Disk from scheduled tasks. Still couldn't find auto-run settings. If I don't use it, is it necessary to uncheck it in settings?? Win Doctor is having a fit with 10 ActiveX missing/invalid keys... Inproc32, Twain, VX2.
    Didn't click fix and told husband to ignore... he's very dubious of course, & doesn't understand the speed disk thing.
    Why are cab & application files in TEMP?

    Laura
     
  16. 2004/06/04
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Laura - these hijack thingys are tough to deal with. I'm just starting to learn a little about the whole process but I can see that you have been hijacked between the last hijackthis log and the most recent one.

    Wait until one of the security folks replies before doing anything but at least the following should go away via hijackthis

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)


    Not positive about these. I always wonder though when seeing a BHO or Toolbar that only lists a CLSID
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    As to your question about things running from a temp folder, that also is usually a bad sign.

    I mainly posted this since you hadn't had a response for quite a few hours. I'm fairly sure all the top listed items should go but probably best to hold off until someone can give you a complete list. I may easily have missed a thing or two or five.
     
  17. 2004/06/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I see Newt posted while I was preparing this, so some of it is just a repeat. Looks right on to me Newt! BHO with no file is doing nothing anyway, so the entry should go.

    Scan with HJT again and place a check next to the following entries. Close ALL other windows and click fix.


    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
    O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)
    O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
    O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe


    Open C:\Program Files and delete the folder My Web Search if present.

    Reboot and post a new log. If you do the registry clean outlined below, wait till you're done with it and post a new log then, along with any comments.


    To satisfy WinDoctor, my further advice is to download RegSeeker, and when completely done with everything else, reboot, open the program, maximize the window and click clean registry. When scan is complete, verify the backup box in lower left corner is checked and click the select all button. Then right click within the search results and select delete. Now do a quick check of the various programs on your PC for functionality. I've never had RegSeeker remove anything vital that it wasn't supposed to, but you never know. If all is well, run it again and again until it comes up clean, again checking other programs between runs. Should something go wrong, click the backup button and restore last run, then rerun and exclude entries associated with whatever it broke. Reboot when done.


    Something else that should be done after the above cleanup and before connecting to the internet. Open Spybot and click immunize, then immunize again. Now connect and click the link on the immunize page for SpywareBlaster, download and install. Also recommend you install a firewall. Here is a link to some freebies. Zone Alarm, Kerio and Sygate are the most popular recommended on this board. This will all help prevent future infections and alert you to what is trying to access the internet from your PC as well as what's trying to access your PC from the internet.


    Prefetch is one of those folders that just needs to be emptied occasionally. If you notice programs starting to load slower and you're going to do a disk cleanup and defrag, empty it before the disk cleanup. You don't need to worry about keeping anything inside of it because it will get put back the next time you run the program. The folder sometimes just gets really full and it takes longer for windows to load the program from there than if it went to the source. Just include it with your regular cleanouts.
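    As an added illustration of the triage rules Newt and noahdfear apply above (the R0/R1 search and start-page entries redirected to a host the owner never chose, BHO or toolbar entries that list only a CLSID with no file behind them, and anything running from a temp folder), here is a small Python checker that applies those rules to HijackThis-style log lines. This is example code written for this page, not anything from the thread or from HijackThis itself; the TRUSTED_HOSTS allowlist and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed allowlist of start/search hosts the owner actually chose.
TRUSTED_HOSTS = {"www.dell.com", "www.microsoft.com", "www.google.com"}
SEARCH_KEYS = ("Search Bar", "Search Page", "CustomizeSearch",
               "SearchAssistant", "SearchURL", "Start Page")
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Constructed sample modelled on the entries discussed in this thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Owner\Local Settings\Temp\OPfv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
"""


def host_of(value: str) -> str:
    """Host part of a URL-like value; tolerates a missing scheme."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return urlsplit(value).hostname or ""


def flag_entry(line: str) -> list[str]:
    """Reasons (possibly none) that one log line deserves a closer look."""
    reasons, line = [], line.strip()
    m = ENTRY_RE.match(line)
    section, body = (m["section"], m["body"]) if m else ("", line)
    # R0/R1 search or start page redirected to a host the owner never chose.
    if section in ("R0", "R1") and "=" in body:
        key, value = body.split("=", 1)
        if any(k in key for k in SEARCH_KEYS) and value.strip():
            host = host_of(value)
            if host and host not in TRUSTED_HOSTS:
                reasons.append(f"search/start page points at {host}")
    # BHO or toolbar that only lists a CLSID: a dead entry that should go.
    if section in ("O2", "O3") and ("(no file)" in body or "(file missing)" in body):
        reasons.append("BHO/toolbar CLSID with no backing file")
    # Anything launched from a temp folder is usually a bad sign.
    if re.search(r"\\(local settings\\)?temp\\", line, re.IGNORECASE):
        reasons.append("runs from a temp folder")
    return reasons


def review_log(text: str) -> dict[str, list[str]]:
    """Map every flagged line of a log to its reasons."""
    return {ln.strip(): flag_entry(ln) for ln in text.splitlines() if flag_entry(ln)}
```

    It deliberately does not flag everything a human reviewer would, for instance the [alchem] Run entry in noahdfear's fix list, so treat its output as a first pass rather than a verdict.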
     
  18. 2004/06/04
    Johanna

    Johanna Inactive Alumni

    Joined:
    2003/03/08
    Messages:
    2,402
    Likes Received:
    2
    When you are done with all that Dave suggested, wipe out your previous Restore Points and make a new one.

    Also, are you using Ghost and GoBack? I didn't think they would play nice with each other. Which one do you rely on? When you are done cleaning up, you may want to make an image for the future, if you should need to clean up again.

    If you don't use it, get AOL off of there, too. Use Add/Remove in the Control Panel.

    HTH
    Johanna
     
  19. 2004/06/05
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Johanna: One quick thing regarding your AOL advice. No, I don't use it, but it isn't in add/remove, which I find strange. Anyway, did a search with Agent Ransack and came up with over 150MB... some in Documents and Settings\Application Data. Others in Program Files\Common Files. AOL is also not listed in Norton's uninstall. Did, however, see 2 different uninstalls in 2 different folders. Use them, and then delete what is left over in a followup search?
    Will do all recommendations as quickly as I can this weekend. We have been wallwashing, painting, redoing, selecting new carpeting, etc. etc. So if any of my responses seem late, it isn't because I'm sitting around.
    Oh, one thing. Had Zone Alarm, but system didn't run right. Due to the Peper trojan??? Do you recommend any of the 3 firewalls equally, or is it just a personal choice thing?
    Again, thanks for all the help. Impressed with both your knowledge, speed, and clarity of responses.

    Laura
     
  20. 2004/06/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    No. What type of problems? I don't know of any specific problems but I'm sure that someone either knows or can find out (myself included :) ), what might cause whatever your symptoms are. Really it's just a personal preference. I have used ZA and Sygate and like them both. I now have a version of ZA that is part of the eTrust AV package, and I'm quite satisfied with it. Have Sygate on a Win98 machine and like it as well. Decisions, decisions.... :rolleyes:

    If you use AIM, be careful what you delete related to AOL. You will need to end process on any AOL tasks and then delete the folder(s). Then run RegSeeker (til you get a clean run) to clean up the registry.
     
  21. 2004/06/06
    twichell

    twichell Inactive Thread Starter

    Joined:
    2003/12/11
    Messages:
    29
    Likes Received:
    0
    NAV viruses

    Got rid of AOL, & Norton went nuts. After running RegSeeker all that Norton now shows is (instead of 45 errors): 1. CLSID\invalid app transfer\b5f8350b-0548-48bl-abee-88bd00b4a5ef, & 2. At Work Rendering\shell\Print\command. What the heck is 'at work rendering'?
    I downloaded Sygate. I guess I'm really thick as I'm not sure what to check as ok in the applications log, besides things like IE, Netscape, Norton. Don't know what all the System32 files are. And can't figure out how to copy/paste to you guys. This was my problem with ZA, & after my hubby couldn't get to necessary sites I just got rid of it. Realize the firewall importance but have a problem configuring it correctly.
    I've done everything you suggested. Got RegSeeker & ran 3 times. Immunized with Spybot & downloaded Sygate.
    Use GoBack, not Ghost, even tho I have it.
    Logfile of HijackThis v1.97.7
    Scan saved at 12:32:11 PM, on 6/6/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\SygateFirewall\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Scan & Fix\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Sierra\Planner\PLNRnote.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\Roxio\GoBack\GBPoll.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\GHOSTS~2.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Netscape\Netscape\Netscp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Applications\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://www.scoresandodds.com./ "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\k9zn1qw3.slt\prefs.js)
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: Atomica BHO - {3392BD0A-A851-4AA4-86E0-4651006F9EA8} - C:\Program Files\Common Files\Atomica Shared\agtbho.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\ALLUSE~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe "
    O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE~1\smc.exe -startgui
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Documents and Settings\All Users\Start Menu\Programs\Scan & Fix\Pop-Up Stopper Free Edition\PSFree.exe "
    O4 - Global Startup: Event Planner Reminders Tray Icon.lnk = C:\Sierra\Planner\PLNRnote.exe
    O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: GuruNet... - file:C:\Program Files\GuruNet\Html\atiemenu.htm
    O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: MoneySide (HKLM)
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033001/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {FE8287E9-5F43-11D3-ABCA-00105A5C1F46} (HouseCall Control) - http://www.housecall.nl/housecall/xscan4.cab

    Laura
     