Author Topic: WIN XP HIjack log  (Read 604 times)

meelox
« on: January 19, 2005, 05:50:01 PM »
Guestolo,
   Will you please take a look at this hijack log file. This Computer belongs to a friend and he says he is having a time with pop-ups. His computer is a Win XP and I don't know much about XP. Thanks... here is his log.

Please tell me what to do to help: thanks SO much!

Logfile of HijackThis v1.99.0
Scan saved at 4:38:02 PM, on 1/19/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\explorer.exe
A:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe


I also ran the DLL compare and there was nothing in the lower panes...here is the log:
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

1,269 items found:  1,269 files, 0 directories.
Total of file sizes:  227,124,748 bytes    216.60 M

Administrator Account =  True

--------------------End log---------------------
« Last Edit: January 19, 2005, 05:59:34 PM by meelox »
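
An added example, not part of the original thread and not HijackThis's own code: a small Python parser for the log format posted above, which groups entries by section code and pulls out the O4 autoruns and O23 services. The function names are hypothetical, and treating a vendor of "Unknown" as "look this one up first" is an assumed triage heuristic, not a verdict on the file.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above, shortened for this example.
SAMPLE = r"""Logfile of HijackThis v1.99.0

Running processes:
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Nhksrv.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
"""

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")                 # e.g. "O23 - ..."
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")     # O4 registry autoruns

def parse_hjt(text):
    """Split a log into the running-process list and entries grouped by code."""
    processes, entries, in_procs = [], defaultdict(list), False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries[m.group(1)].append(m.group(2))
        elif line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, dict(entries)

def autoruns(entries):
    """O4 registry entries as (hive, key, value name, command line)."""
    hits = (RUN.match(e) for e in entries.get("O4", []))
    return [m.groups() for m in hits if m]

def services(entries):
    """O23 entries as (name, vendor, path); rsplit keeps ' - ' inside a name intact."""
    rows = (e.partition("Service: ")[2].rsplit(" - ", 2) for e in entries.get("O23", []))
    return [tuple(r) for r in rows if len(r) == 3]

def review_first(entries):
    """Assumed heuristic: services with no vendor string are looked up first."""
    return [s for s in services(entries) if s[1] == "Unknown"]
```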

guestolo
« Reply #1 on: January 19, 2005, 06:11:20 PM »
What kind of popups?

Look for this Meelox

Next: Go to START>>>RUN>>>type in services.msc and hit Enter
In the next window, look on the right hand side for this service
name---- Messenger  <<---this isn't MSN Messenger

Double click on it--- STOP the service--
In the drop down menu, change the startup type to Disabled

Do the same for Alerter

Of course I recommend running Ad-Aware if you haven't already
Download and Install the free version of Ad-Aware SE Personal 1.05
Ensure you have this version or the paid version
Open Ad-Aware, ensure to click the  check for updates now link and Connect to download the latest updates

Perform a Full system scan--"Uncheck Search for Negligible Risk Entries" before scanning
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer back to finish the cleaning process

I don't see a popup blocker, do you need a free one?

Why is he so far behind on Windows update
If this is a legit version of Windows there is no reason to be so far behind :P

If he wants to install SP2 there are steps I do to get my system ready for the Installation
Do the above and let me know the types of popups you're getting
Don't install SP2 at this time
Spyware and viruses interfere with the installation of service pack 2
I'll give you the steps I do if you prefer

The log doesn't look too bad actually, again run Ad-Aware and check out those services
Remember to Restart after running Ad-Aware
Let me know if it finds anything and let me know what kind of popups
« Last Edit: January 19, 2005, 06:18:40 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


meelox
« Reply #2 on: January 19, 2005, 06:33:51 PM »
I installed and ran ad-aware earlier today. It found 95 critical files ....I deleted all that it found.

This is a legit version of windows. He is so far behind because he is "computer terrified". He wanted me to dust the system and start over because he thought the popups would never go away. He thought that he could go back to the web and this would never happen again.
 I talked him out of the whole start from scratch thing because it did not appear to be in the mess that mine was last week (when you helped me). He says his kids are getting "girlie pics" that just pop up. ?????? don't know what's up with that.  ;)  He has sworn off the web for now so he is not connected to any servers. I am transferring these files from my computer to his (the clean up files) so it's a slow go.
 I know he needs the WINDOWS updates and I am going to get them for him when he gets back ONLINE. Yes, I need the instructions to prepare for that.

Any suggestions will help ... thanks

guestolo
« Reply #3 on: January 19, 2005, 06:49:13 PM »
If he's sworn off the Web for now, you should have time to just order the Free CD
From Microsoft

http://www.microsoft.com/windowsxp/downloa...us/default.mspx

Takes about 2 weeks or less to receive
Will he want to be back online before then?

I'll give you a rundown of what I do to prepare the system later Meelox

Just on my way out the door

Of course you will want to order the CD if on Dialup
SP2 has a built in Popup blocker for IE

But I suggest running a safer browser
This is the one I always use
http://www.mozilla.org/products/firefox/

Let me get back to you on the steps I do to prep the system

Post back later  :D

EDIT>>So I assume no popups now then?
« Last Edit: January 19, 2005, 06:50:21 PM by guestolo »
