Small problem

[Fenway Squid]

I've got a few issues here on my computer. For starters, whenever I run a virus scan using norton antivirus 2004 it finds three pieces of what it considers adware in C:\undo\backup.cab. The files, named pcsvc.dll, init.dll, and pcsvc.exe are all supposedly located in the C:\windows\system32\pcs folder. The program is unable to manually delete these files, and when I try to do so myself I find that the folder does not exist. (I am looking at hidden files and folders also.) This has been going on for a while, and for the most part I haven't really noticed my computer acting out of the ordinary at all. However, recently certain words now turn into hyperlinks, whether I am using internet explorer or copy and paste a text file from internet explorer to microsoft word. Worlds like "million, smoking, stocks." Also, now when I try to open a text file in ASCII format it becomes one gigantic horizontal line, rather than what it is supposed to look like. And finally, rather than seeing symbols like quote marks, I get a little box. Here is my hijackthis log. Any assistance you can give will be greatly appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 9:12:27 AM, on 03/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ICMFILTE.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rmoc3260.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\klee-veg\Local Settings\Temporary Internet Files\Content.IE5\DB3RH8GW\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peoplesforum.com/cgi-bin/...PX.16@.efaabb7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [TCsOZLTC] C:\documents and settings\klee-veg\local settings\temp\TCsOZLTC.exe
O4 - HKLM\..\Run: [k] C:\documents and settings\klee-veg\local settings\temp\k.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [17b21e2bde4d] C:\WINDOWS\System32\ICMFILTE.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZpwvM0QsD] C:\windows\temp.--0\ZpwvM0QsD.exe
O4 - HKLM\..\Run: [8565ddee1fcb] C:\WINDOWS\system32\rmoc3260.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\navapw32.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing) (HKCU)
O9 - Extra button: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll (HKCU)
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Not sure if it will help but here is my hijackthis log analyzer log

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 9:45:21 AM, on 03/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\ICMFILTE.exe
C:\WINDOWS\system32\rmoc3260.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peoplesforum.com/cgi-bin/forum?14@78.dbdgalaflPX.16@.efaabb7
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O4 - HKLM\..\Run: [TCsOZLTC] C:\documents and settings\klee-veg\local settings\temp\TCsOZLTC.exe
O4 - HKLM\..\Run: [k] C:\documents and settings\klee-veg\local settings\temp\k.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [17b21e2bde4d] C:\WINDOWS\System32\ICMFILTE.exe
O4 - HKLM\..\Run: [ZpwvM0QsD] C:\windows\temp.--0\ZpwvM0QsD.exe
O4 - HKLM\..\Run: [8565ddee1fcb] C:\WINDOWS\system32\rmoc3260.exe
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\navapw32.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing) (HKCU)
O9 - Extra button: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll (HKCU)
O16 - DPF: Win32 Classes -
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


End of KRC HijackThis Analyzer Log.
====================================================================

[POADB]

Hi Fenway Squid,

I am currently reviwing your log, under the supervision of an expert analyst. This wont take long, please be patient with me during this time.

You may wish to Subscribe to this thread (Thread tools) so that you know when I have returned with a fix for your problem.

Please be patient duing this time!

-POADB

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Please download Ad-aware SE and install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also go here to get the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware for better scan results. Run the scan and fix everything that it finds.

Download and install Spybot S&D. Run Spybot and click on the 'Search for Updates' button. Install any updates that are available. Next click on the 'Check for Problems' button. Let it run the scan. If it finds something, check all those in RED and hit the Fix Selected Problems button. Exit Spybot. If you keep getting the DSO Exploit entries, even after you updated Windows and fixed them, then download the Spybot DSO Exploit Fix and install it over the current Spybot installation.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Run CleanUp! and click on CleanUp! button. When it asks you if you want to logoff, click on Yes.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\WINDOWS\System32\ICMFILTE.exe
C:\WINDOWS\system32\rmoc3260.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

WebSearch Toolbar
MaxSpeed

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\Searchx.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\windows\SYSTEM\blank.htm
O4 - HKLM\..\Run: [TCsOZLTC] C:\documents and settings\klee-veg\local settings\temp\TCsOZLTC.exe
O4 - HKLM\..\Run: [k] C:\documents and settings\klee-veg\local settings\temp\k.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [17b21e2bde4d] C:\WINDOWS\System32\ICMFILTE.exe
O4 - HKLM\..\Run: [ZpwvM0QsD] C:\windows\temp.--0\ZpwvM0QsD.exe
O4 - HKLM\..\Run: [8565ddee1fcb] C:\WINDOWS\system32\rmoc3260.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing)
O9 - Extra button: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\remove_me.dll (file missing) (HKCU)
O9 - Extra button: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {805FD200-FB6D-11D8-8735-0011AE972223} - C:\WINDOWS\SYSTEM32\intlmain.dll (HKCU)
O16 - DPF: Win32 Classes


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\System32\ICMFILTE.exe
C:\WINDOWS\system32\rmoc3260.exe
C:\WINDOWS\system32\Searchx.htm
c:\windows\SYSTEM\blank.htm
C:\windows\temp.--0\ZpwvM0QsD.exe
C:\WINDOWS\system32\rmoc3260.exe
C:\WINDOWS\System32\maxspeed.exe
C:\WINDOWS\System32\remove_me.dll
C:\WINDOWS\SYSTEM32\intlmain.dll


C:\Program Files\MaxSpeed
C:\PROGRA~1\Toolbar\

Run CleanUp! once more.

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum

[Fenway Squid]

Okay, followed all the instructions. I already had ad-aware installed, but had to get the VX2 add-on. I also had to download spybot and cleanup! and run them.

Anyways, here's the result.txt log.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 3/2/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 1:16:58 PM, on 03/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peoplesforum.com/cgi-bin/forum?14@78.dbdgalaflPX.16@.efaabb7
O4 - Global Startup: Norton AntiVirus AutoProtect.lnk = C:\Program Files\Norton AntiVirus\navapw32.exe
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab


End of KRC HijackThis Analyzer Log.
====================================================================

[Fenway Squid]

Quick update:

Internet explorer is now acting normal again, as in words are no longer turned into hyperlinks and ASCII files now look as they should. However, when I run norton anti-virus the same 3 files pop up, and still cannot be deleted. Also, when I run spybot S&D it finds two things it cannot delete. One is called Elitum.EliteBar and the other else called Spex. I was able to find what spybot was keying on.

Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\LQ

Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-20\Software\LQ

Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-19\Software\LQ

Elitum.EliteBar: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\LQ

Spex: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

Spex: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

Spex: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

Spex: Settings (Registry key, nothing done)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

Now I could easily go in there and delete these things, but I do not have the desire to start messing around with my registry without a little expertise to help me out.

[POADB]

copy the text in bold below to Notepad, and save in a location of your choice preferably on your desktop so it will be easy to find as elitefix.reg (Set filetype to 'all files')

Doubleclick the file we made and confirm you want to merge it with the Registry.


REGEDIT4

[-HKEY_CURRENT_USER\Software\LQ]

[-HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Elitum]

[Fenway Squid]

Okay, I did that. But when I run spybot it still comes up with the same problems as before (Elitum.EliteBar and Spex) and the program still cannot delete them. (I could do that myself, but like I said before I'm a little nervous taking initiative when it comes to my registry.) I haven't run another virus scan with norton anti-virus yet, but I could. It takes about an hour to go all the way through.

Although, just for fun I checked out symantec's page on the Adware.DelFin threat. (According to norton, that's the threat represented by ini.dll, pcsvc.dll, and pcsvc.exe) None of the files exist on my computer, at least not that I can find, and I checked both normal mode and safe mode. And none of the registry keys that symantec says the adware adds to the registry are there. So if the files are there, why can't I find them? Or if they ae not, why does norton detect them and why can't the program delete them?

Ah, the tangled web we weave. Or something like that.

[MicroBell]

Ok..First make sure you have disabled system restore.

Open Norton and clear it's virus vault. Norton makes backup copys of the virus file it's cleaning...so once it cleaned...you need to delete the orginal virus files. Empty the recycle bin also.

Unless you intend to revert to your previous OS...this folder..C:\undo\backup.cab can be deleted. That CAB file contains the virus and no antivirus program can clean it.

Once thats done..reboot into safe mode. We are going to manually delete the elitebar entrys.

Click start...run..type in regedit. Click file...export..and save a copy somewere in case you make a mistake. Now navigate to each of the keys listed and delete the folders in RED

HKEY_USERS\S-1-5-18\Software\LQ

HKEY_USERS\S-1-5-20\Software\LQ

HKEY_USERS\S-1-5-19\Software\LQ

HKEY_USERS\.DEFAULT\Software\LQ

HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\{237AA178-C3BC-4f67-A8BB-D8BC14BA0B89}

Also check the following keys..and if the folder is found..delete it..

HKEY_CURRENT_USER\Software\LQ
HKEY_LOCAL_MACHINE\SOFTWARE\ohbbackup
HKEY_LOCAL_MACHINE\SOFTWARE\Elitum
HKEY_CLASSES_ROOT\CLSID\{825CF5BD-8862-4430-B771-0C15C5CA880F}
HKEY_CLASSES_ROOT\CLSID\{28CAEFF3-0F18-4036-B504-51D73BD81C3A}

Close regedit.

Now run the cleanup utility and reboot/logoff when prompted.

Reboot...run your scans...report back your findings.

[Fenway Squid]

Okay, first thing first. There is no undo folder on my C drive. I did a search (including system folders and hidden files and folders) and was unable to find that or any file named backup.cab. Norton still detects the adware threats, though. Go figure. I also couldn't find the "virus vault."

As for the other stuff, I was able to get into the registry in safe mode and get rid of all the listed keys that were there. However, the key HKEY_USERS\S-1-5-19\ wasn't there at all in safe mode, only normal mode. Spybot still detected the threats under that key in normal mode, so I deleted those keys that way, hopefully that's not a big deal. Also, none of the keys listed under HKEY_USERS\.DEFAULT\ were there in either mode, so no harm no foul, I guess. And now the only threats spybot detects are tracking cookies from whatever sites I've visited and it deletes those no problem.

Is there anything else I need to do?

[POADB]

Are you experiencing any other problems?

[Fenway Squid]

Beyond norton detecting those adware threats that don't seem to exist, no.

[greyknight17]

What adware threats are still currently detected now? If it's just cookies, it should be ok.

[Fenway Squid]

The files, which norton has listed under Adware.DelFin, are named pcsvc.dll, init.dll, and pcsvc.exe. Norton finds them in file C:\undo\backup.cab.

The only problem is there is no undo folder or backup.cab file anywhere on my C drive.

[greyknight17]

Not sure what that backup file could be used for, but take a look at the Symantec site. Follow the instructions there and see if it will still be detected afterwards.

[Fenway Squid]

I've done that before. None of the files the threat generates are on my computer, nor are the registry keys.

In short, the only trace of this threat are the threats that norton internet security finds, and the file it finds them in doesn't even exist.

Wierd, huh?

[CTSNKY]

Quote:

The only problem is there is no undo folder or backup.cab file anywhere on my C drive.

Go to My Computer->Tools/View->Folder Options->View tab and UNCHECK the box labeled 'Hide protected operating system files.

Now see if you can find/delete those buggers.

[Fenway Squid]

Okay, that worked.

[POADB]

resolved.