January 23rd, 2004 19:00

HELP PLEASE! After Windows XP OS rebuild, system acting like it's infected with Blaster (among other things) but is not infected with it; also svchos1.exe bug

I had to wipe my hard drive and do a system rebuild Wed night, but then yesterday morning I checked the Task Manager and svchos1.exe was using up all the memory... System Idle was using none. I ended the process and the memory use went to another process... svchost.exe. Still 100% CPU in use. I ended that also. Also, since the rebuild I have had about 4 or 5 instances where a pop-up message will come up stating that Windows will shut down in 60 seconds, and then it counts down and restarts the computer. I know this is an indicator of the Blaster worm, but when I download the patch and removal tool from Microsoft (or FixBlast) it says that the computer is not infected. When I try and install the patch by itself, run msconfig, Norton, or a few other programs, the windows will disappear within about 15 seconds. I know I have the svchos1.exe bug but can't get rid of it because Norton won't run. I have been dealing with this nonstop since Tuesday night and I am really frustrated. Any help would be greatly appreciated.

HijackThis log:

Logfile of HijackThis v1.97.7
Scan saved at 4:50:34 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\WINDOWS\System32\iexplore.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/223c9c8774639c5ebd06/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7

thanks

Jenna

16 Posts

January 23rd, 2004 20:00

OK, I ran HouseCall... 3 files, all worm agobot.bk. I pressed delete but it could only delete 2: svchos1.exe was "in use".

I ran HJT again and fixed what you said to, rebooted in safe mode, but there was no amsnmgr.exe file to delete.

here is the new logfile:

Logfile of HijackThis v1.97.7
Scan saved at 5:52:34 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\iexplore.exe
C:\WINDOWS\System32\AMSNMGR.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7


Jenna

725 Posts

January 23rd, 2004 20:00

You have a couple of issues. First, you have a virus which is a version of the W32/Spybot worm.

Run one of the online virus scanners such as housecall.

Then close all windows and have hijackthis fix the following if they are still present:

O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\RunServices: [Configuration Loading] svchos1.exe

O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE (This is the virus startup)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/223c9c8774639c5ebd06/netzip/RdxIE601.cab

Reboot to safe mode and delete the following file:

C:\WINDOWS\System32\AMSNMGR.EXE

Post another log when finished
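
The triage in the reply above rests on three observable patterns: autorun values that are a bare filename rather than a full path (resolved by path search, which on this machine lands in System32), names one character off from a real system binary (svchos1.exe vs svchost.exe), and a familiar name running from the wrong directory (iexplore.exe in System32 instead of Program Files\Internet Explorer). The script below automates those checks over HijackThis-style log lines. It is an added example, not code from the original thread or from HijackThis; the list of impersonated system binaries, the 0.85 similarity threshold and the expected-directory table are this example's own assumptions, and the sample log is constructed from lines reconstructed from the logs posted in this thread. The RunServices check relies on that key being honoured only by Windows 9x/Me, so on Windows XP an entry there was written by a dropper for compatibility rather than by any legitimate installer.

```python
"""Triage a HijackThis log for the patterns called out in the thread above.

Added example, not part of the original post or of HijackThis. The system
binary list, the similarity threshold and the sample log are constructed
for this example; the sample lines are reconstructed from the logs posted
in this thread.
"""
import re
from difflib import SequenceMatcher

# Windows binaries that malware most often imitates by changing a character.
# Assumption of this example: a short, hand-picked list, not an exhaustive one.
SYSTEM_BINARIES = {
    "svchost.exe", "spoolsv.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "csrss.exe", "smss.exe", "explorer.exe",
}
# Legitimate programs that never run from System32 (lower-case paths).
EXPECTED_DIRS = {"iexplore.exe": r"c:\program files\internet explorer"}
LOOKALIKE_THRESHOLD = 0.85  # assumption: tuned so one-character edits are caught

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # a "Running processes" entry


def split_path(path):
    """Return (directory, basename), both lower-cased; directory is '' for a bare name."""
    directory, _, name = path.strip().lower().rpartition("\\")
    return directory, name


def executable_of(cmd):
    """Extract the program from a Run-key value, quoted or not, dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)\b", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def lookalike(name):
    """Return the system binary `name` imitates, or None if it is that binary or unrelated."""
    if name in SYSTEM_BINARIES or name in EXPECTED_DIRS:
        return None
    best = max(SYSTEM_BINARIES, key=lambda s: SequenceMatcher(None, name, s).ratio())
    return best if SequenceMatcher(None, name, best).ratio() >= LOOKALIKE_THRESHOLD else None


def triage(log_text):
    """Return (log line, reason) pairs for every entry worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            directory, exe = split_path(executable_of(cmd))
            if key == "RunServices":
                # RunServices is only honoured by Windows 9x/Me; on XP it is dead weight
                # that droppers write anyway, so an entry there is almost always malware.
                findings.append((line, "RunServices key: not used by Windows XP, typical of a dropper"))
            if not directory:
                findings.append((line, f"bare filename {exe}: resolved by path search, usually from System32"))
            target = lookalike(exe)
            if target:
                findings.append((line, f"{exe} imitates {target}"))
        elif PATH_RE.match(line):
            directory, exe = split_path(line)
            target = lookalike(exe)
            if target:
                findings.append((line, f"{exe} imitates {target}"))
            expected = EXPECTED_DIRS.get(exe)
            if expected and directory != expected:
                findings.append((line, f"{exe} expected under {expected}, running from {directory}"))
    return findings


# Constructed sample: a handful of lines reconstructed from the logs in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchos1.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spools.exe
C:\WINDOWS\System32\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Configuration Loading] svchos1.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [WinSock Control] iexplore.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
"""

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run as-is, it flags the two lookalike processes, iexplore.exe running from System32, every bare-filename Run value, and the RunServices entry, while the genuine svchost.exe, spoolsv.exe, igfxtray.exe and AIM entries pass. The similarity check deliberately skips names in the expected-directory table, otherwise iexplore.exe would be reported as an imitation of explorer.exe; the directory check covers that case instead.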

16 Posts

January 23rd, 2004 22:00

My new HJT log is posted above after following the instructions given. Please help if you can, I am desperate!

Also, I don't know if this helps any, but these are the CWShredder scan results:

725 Posts

January 23rd, 2004 23:00

You still have the same issue as before.

First, make sure you can view hidden files and folders. That is probably why you did not see AMSNMGR.EXE. Open My Computer and select Tools > Folder Options > View and make sure Show Hidden Files and Folders is checked.

Close all windows and have hijackthis fix the following.

O4 - HKLM\..\Run: [WinSock Control] iexplore.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKCU\..\RunOnce: [Winsock2 driver] AMSNMGR.EXE

Then reboot to safe mode and delete the file: C:\WINDOWS\System32\AMSNMGR.EXE

Post another log when done.


725 Posts

January 23rd, 2004 23:00

Have you run Trend Micro's HouseCall? Let's see if we can get rid of it that way. Also, you must enable your firewall if it is not enabled.

Message Edited by Yellowhammer on 01-23-2004 07:47 PM

16 Posts

January 23rd, 2004 23:00

whoops... here they are

CWShredder v1.46.4 scan only report

Windows XP (5.01.2600 SP1)
Windows dir: C:\WINDOWS
Windows system dir: C:\WINDOWS\system32
AppData folder: C:\Documents and Settings\Owner\Application Data
Username: Owner

Found Hosts file: C:\WINDOWS\system32\drivers\etc\hosts (734 bytes, A)
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINDOWS\system32\userinit.exe,
Found Win.ini file: C:\WINDOWS\win.ini (472 bytes, A)
Found System.ini file: C:\WINDOWS\system.ini (231 bytes, A)

- END OF REPORT -

16 Posts

January 23rd, 2004 23:00

Here's the new log


Logfile of HijackThis v1.97.7
Scan saved at 8:28:01 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\spools.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~1\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7

I am sure I deleted it, but is that it under Winsock2?

16 Posts

January 24th, 2004 00:00

Firewall is and has been enabled

OK, ran HouseCall again and this time it got more than the first time...

6 files:

BKDR SDBOT.GEN   NON CLEANABLE   IN DOCUMENTS AND SETTINGS  (temp internet files maybe? can't see the rest of the line)

WORM AGOBOT.BK  NON CLEANABLE  IN RECYCLER (there are 2 of these... maybe the deleted ones...)

3 more named BKDR SDBOT.GEN, all non cleanable, in:

windows\system32\spools.exe

windows\system32\spools.exe.poly

windows\system32\winhlpp32.exe

I pulled up Task Manager and it showed that both spools.exe and IEXPLORE.EXE were taking up all or most of the CPU. There are 2 processes running under IEXPLORE.EXE and then spools.exe and spoolsv.exe.

Should I try and delete all of these with HouseCall even though it won't delete some since they are running?

725 Posts

January 24th, 2004 00:00



@Jenn7285 wrote:

ok, ran houscall again and this time it got more than the first time...

6 files:

BKDR SDBOT.GEN   NON CLEANABLE   IN DOCUMENTS AND SETTINGS  temp internet files maybe?  cant see the rest of the line - Delete all your temp internet files

WORM AGOBOT.BK  NON CLEANABLE  IN RECYCLER (there are 2 of these..maybe the deleted ones...) - Empty your recycle bin

3 more named BKDR SDBOT.GEN  all non cleanable in:

windows\system32\spools.exe
windows\system32\spools.exe.poly
windows\system32\winhlpp32.exe

ALL three of these are not legitimate files.  Use Housecall to delete them if it will.  If not, shut them down using task manager and then delete them and remove them from your recycle bin.  You may have to be in safe mode to do so.



725 Posts

January 24th, 2004 01:00

Delete the items that were quarantined.

Have hijackthis fix the following:

O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe

Hopefully these will not return after a fresh boot now that it appears the viruses are gone.

Yes, I would run ad-aware, and spybot S&D.  You should also install SpywareBlaster and SpywareGuard.  Both are available via links here.

16 Posts

January 24th, 2004 01:00

OK, sorry that took so long. Did all that and when I restarted normally everything seemed OK... even Norton AntiVirus started, which it hadn't done since I installed it. Then I had to reboot to activate Norton and then I ran a virus scan on the whole computer. It found 2 things, couldn't repair them, so I quarantined them...

ms64.exe in the System32 folder

ob.exe in the C:\ drive folder

New log from HijackThis:

Logfile of HijackThis v1.97.7
Scan saved at 10:23:38 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Norton AntiVirus\QConsole.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Configuration Loader] spools.exe
O4 - HKLM\..\Run: [Winsock2 driver] AMSNMGR.EXE
O4 - HKLM\..\RunServices: [Configuration Loader] spools.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7

Is it clean? If so (or if not), do I need to download Spybot Search & Destroy and Ad-Aware or any other things? Also, what should I do with the quarantined items?

725 Posts

January 24th, 2004 02:00

That is windows update.  Your log looks clean now.  Does everything seem to be working OK now?

16 Posts

January 24th, 2004 02:00

Yes, thank you SOOO much! You're a lifesaver!

And now I have Norton running, so that will catch most stuff, and I am fixing to download the 4 spyware programs.

Thank you again!

Jenna

16 Posts

January 24th, 2004 02:00

New log:

Logfile of HijackThis v1.97.7
Scan saved at 10:59:31 PM, on 1/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bu.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Boston University
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.bu.edu
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\Software\..\Telephony: DomainName = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS1\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7
O17 - HKLM\System\CS2\Services\Tcpip\..\{3DEB0B3F-93A4-4EFF-8A10-DB4F9AD7E124}: Domain = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = bu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 128.197.253.188,128.197.253.126,128.197.27.7


Clean???

The only one I don't know about is in red.... Something weird happened, though: when I "fixed" those things with HijackThis, a window came up and apparently something had gone wrong with the OS and I had to put that CD back in for Service Pack 1...