Computers

#1 - Junior Techie (Join Date: Jan 2004, Posts: 60)
Here is my HijackThis log. I hope someone can find what is causing this white pop-up screen to keep appearing when on the internet and running rundll32.exe. Thanks for the help.
-Steve

Logfile of HijackThis v1.97.7
Scan saved at 8:35:43 PM, on 10/17/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\SYSTEM32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\msdtc.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\tcpsvcs.exe
C:\WINNT\System32\nvsvc32.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\inetsrv\inetinfo.exe
C:\WINNT\System32\mqsvc.exe
C:\WINNT\system32\P2P Networking\P2P Networking.exe
C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\explorer.exe
C:\Documents and Settings\Administrator\Desktop\downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
F2 - REG:system.ini: UserInit=C:\WINNT\system32\Userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [P2P Networking] C:\WINNT\system32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [iolo Task Agent] C:\Program Files\iolo\Common\Task Agent\Task_Agent.exe
O4 - HKCU\..\Run: [System Mechanic Popup Stopper] "C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKLM\..\RunOnce: [System Mechanic Cache Cleanup] C:\Program Files\iolo\System Mechanic 4 Professional\SysMech4.exe /COMPLETECACHE
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: Bridge by pogo - http://bridge.pogo.com/applet-5.9.1....-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.0.0...-ob-assets.cab
O16 - DPF: Command and Conquer Comanche by pogo - http://ccstrike.pogo.com/applet-5.9....-ob-assets.cab
O16 - DPF: Dice Derby by pogo - http://checkeredflag.pogo.com/applet...-ob-assets.cab
O16 - DPF: Dominoes by pogo - http://domino.pogo.com/applet-6.0.0....-ob-assets.cab
O16 - DPF: Double Deuce Poker by pogo - http://doublebonus.pogo.com/applet-5...-ob-assets.cab
O16 - DPF: Euchre by pogo - http://euchre.pogo.com/applet-5.9.2....-ob-assets.cab
O16 - DPF: EZ Win Bingo by pogo - http://bingoe.pogo.com/applet-5.9.1....-ob-assets.cab
O16 - DPF: First Class Solitaire by pogo - http://game3.pogo.com/applet-5.9.5.3...-ob-assets.cab
O16 - DPF: Fortune Bingo by pogo - http://superbingo.pogo.com/applet-5....-ob-assets.cab
O16 - DPF: Greenback Bayou by pogo - http://greenback.pogo.com/applet-5.9...-ob-assets.cab
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.5....-ob-assets.cab
O16 - DPF: High Stakes Pool by pogo - http://pool2.pogo.com/applet-5.9.2.2...-ob-assets.cab
O16 - DPF: Jungle Gin by pogo - http://gin.pogo.com/applet-5.9.5.37/...-ob-assets.cab
O16 - DPF: Mah Jong Garden by pogo - http://mahjong2.pogo.com/applet-5.9....-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-5.9.5.3...-ob-assets.cab
O16 - DPF: Pop Fu by pogo - http://popfu.pogo.com/applet-5.9.1.2...-ob-assets.cab
O16 - DPF: Spades by pogo - http://spades.pogo.com/applet-5.9.5....-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-5....-ob-assets.cab
O16 - DPF: Sweet Tooth TM by pogo - http://sweettooth.pogo.com/applet-5....-ob-assets.cab
O16 - DPF: Texas Hold'em Poker by pogo - http://holdem2.pogo.com/applet-5.9.2...-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-5.9.5.3...-ob-assets.cab
O16 - DPF: Turbo 21 TM by pogo - http://game5.pogo.com/applet-5.9.5.3...-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-5.9...-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.0....-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-5.9.5.3...-ob-assets.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://active.macromedia.com/director/cabs/sw.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minib...ansporter.cab?
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...20/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

#2 - Admin

If you don't recognize the URLs in the R0 thru R4s, you can have HJT fix it.

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

Fix:
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

O10 are Winsock hijackers. It is best to fix them using SpyBot S&D or LSP-Fix.

O16 are ActiveX downloads. If you don't recognize the name, then have HJT fix it, but I didn't see any that looked bad.

IMO, you should get rid of any P2P programs since this is an easy way for "intruders" to get into your PC.

Dave
__________________
Tech Forums Moderating Policies | Forum Rules | ***PROFANITY*** Note that I do not accept support requests via IM, email, or PMs. Please ask it on the forums.
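As an added illustration of the triage rules Dave gives above (this is not code from the thread or from HijackThis): a small Python checker that walks a HijackThis log and flags the entry types he calls out, counting O10 LSP entries per DLL rather than listing each one. The sample log lines are copied from the log posted above; the KNOWN_HOSTS allowlist and the TRUSTED_DPF vendor list are assumptions made for this example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a few entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\cdlsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\lspak.dll
O16 - DPF: Hearts by pogo - http://hearts.pogo.com/applet-5.9.5....-ob-assets.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
"""
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Hosts the user is known to have set on purpose (assumption for this example).
KNOWN_HOSTS = {"www.yahoo.com", "www.aol.com"}
# ActiveX download hosts treated as expected vendors (assumption for this example).
TRUSTED_DPF = {"download.macromedia.com", "active.macromedia.com", "download.microsoft.com"}

def triage(log_text):
    """Return (kind, reason, detail) tuples for entries that deserve a second look."""
    findings = []
    lsp_files = Counter()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blank lines
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "=" in body:
            host = urlsplit(body.split("=", 1)[1].strip()).hostname
            if host and host not in KNOWN_HOSTS:
                findings.append((kind, "unrecognised start/search URL", line))
        elif kind in ("R3", "O3") and body.endswith("(no file)"):
            # A hook or toolbar whose DLL is gone is dead weight; HJT can remove it.
            findings.append((kind, "hook/toolbar registered with no backing file", line))
        elif kind == "O10":
            # Count LSP entries per DLL; one module usually shows up several times.
            lsp_files[body.split("Winsock LSP:", 1)[1].strip().lower()] += 1
        elif kind == "O16":
            host = urlsplit(body.rsplit(" - ", 1)[-1]).hostname
            if host not in TRUSTED_DPF:
                findings.append((kind, "ActiveX download from unlisted host", line))
    for path, n in lsp_files.items():
        # Deleting LSP entries by hand can break the Winsock chain, hence LSP-Fix/SpyBot.
        findings.append(("O10", f"Winsock LSP module ({n} entries), repair with LSP-Fix", path))
    return findings
```

Calling triage(SAMPLE_LOG) returns the two orphaned (no file) entries, the pogo ActiveX download, and one O10 finding per LSP DLL with its entry count.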

#3 - Junior Techie

Shady shiet you should get rid of, Bro:
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\iolo\System Mechanic 4 Professional\PopupStopper.exe
C:\PROGRA~1\EFFICI~1\ENTERN~1\app\EnterNet.exe

I'm not gonna reply to the IE spyware you have; all I'm going to say is this: Sounds like you got the Netsky worm. I noticed people that use Pogo.com are more susceptible to that type of virri. Here are my suggestions:
1. Stop playing on pogo.com
2. Get a firewall. (a lot of them are free)
3. Stop using IE. Use Mozilla Firefox.
4. Download Adaware SE
5. Restart in Safe mode.
6. Scan with Anti Virus, Adaware, disable sys restore.

If that doesn't work try doing a remote scan from trend.com or other AV company sites. Mozilla Firefox is so much better than IE, security-wise and happiness-wise.
__________________
-Download wead antivirus today using your brain!-

#4 - Monster Techie

Jester73440, your log is an outdated one. You need to download and run a new updated HiJack Log. You can find it here: http://www.merijn.org/downloads.html Make sure it reads version 1.98.2. If that link is out of order, go to this one: http://www.majorgeeks.com/download3155.html
Liz
__________________
Priority Computers | AdAware SE | SpyBot-Search & Destroy | SpywareBlaster | SpywareGuard | HijackThis | Stealing is illegal Powered by Emily!

#5 - Monster Techie

Closing thread due to lack of activity.
Liz