sari

Report · July 17, 2006

romeo,

I need to have you run fixwareout again - I missed removing a line with hijackthis, and I want to make sure it's completely removed. I apologize for that.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://swandog46.geekstogo.com/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis will launch. Please click Scan, and check the following items:

O4 - HKLM\..\Run: [peqdj.exe] C:\WINDOWS\System32\peqdj.exe

O4 - HKCU\..\Run: [sysmon12] ___.exe

Click FIX CHECKED. Close HijackThis, and click OK to proceed.

At the end of the fix, you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log into this topic.

Thanks,

sari

July 12, 2006

Stephen,

This is a pretty messy log, so it will take multiple steps to clean you up. It's important that you follow all the directions carefully and stay with me until you're clean. You may want to print these directions for reference.

Please download Qoofix by Rubber Ducky to your desktop.

Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
Close all windows and programs, including internet windows.
Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
Click Begin Removal and wait for the scan to finish
If Qoofix finds an infection, select yes to restart your computer
You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt Copy and paste the contents of that report into your next reply here.

Download smitRem.exe Â©noahdfear, and save the file to your desktop.

Double click on the file to extract it to it's own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:

http://www.ewido.net/en/download/

Please read Ewido Setup Instructions

Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:

Ad-Aware SE Setup

Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.

Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg; Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

Click on scanner
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.

Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
[*]If it wants to install an ActiveX component allow it
[*]It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
[*]When the download is complete, click on My Computer to start the scan
[*]When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply. Your logs may be too long for one post - please make as many as you need to post them all.

Let us know if any problems persist.

Thanks,

sari

July 12, 2006

Stephen,

I'm currently reviewing your hijackthis log and will be posting a response shortly.

sari

July 11, 2006

Thanks, everyone My day was made better by the best wishes of all my friends online.

sari

Report · July 11, 2006

Hi romeo,

Welcome to Besttechie. You have a few problems there, so let's get started cleaning you up. There will be several steps involved in the cleanup, so please stay with me to the end.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:

http://downloads.subratam.org/Fixwareout.exe

http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.

The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

R3 - URLSearchHook: (no name) - {344D6535-30F3-81CC-C664-BD1F81CDA43E} - FLKPT.dll (file missing)

O4 - HKLM\..\Run: [serviceprocess] XTermInit.exe

O4 - HKLM\..\Run: [zlybe.exe] C:\WINDOWS\System32\zlybe.exe

O4 - HKCU\..\Run: [rzzm] C:\PROGRA~1\COMMON~1\rzzm\rzzmm.exe

O4 - HKCU\..\Run: [MSTCPDLL] CToolBar.exe

O4 - HKCU\..\Run: [bogobot] StartCpl.exe

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: NDWCab - http://www.neededware.com/ndw4.cab

O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} - http://a19.g.akamai.net/7/19/7125/4056/ftp...302/Coupons.cab

O16 - DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} (View22RTE Class) - http://hgtv2.view22.com/view22/app/view22rte.cab

O16 - DPF: {D50AF668-390B-4D2E-92B8-12289AF33958} (ClinicStationLib.ctlCS) - http://143.111.222.240/ClinicStationLib.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{39CBBE5C-CE35-4709-B44D-50547B566A60}: NameServer = 85.255.116.54,85.255.112.126

O17 - HKLM\System\CCS\Services\Tcpip\..\{7DC122E3-FB03-4F71-BC6D-15EE27DB6307}: NameServer = 85.255.116.54,85.255.112.126

O17 - HKLM\System\CCS\Services\Tcpip\..\{B821443B-D772-4392-A6BF-28E93BD36F8D}: NameServer = 85.255.116.54,85.255.112.126

O17 - HKLM\System\CCS\Services\Tcpip\..\{BE212EC9-633A-4F08-B53D-5E6D1460AD58}: NameServer = 85.255.116.54,85.255.112.126

O17 - HKLM\System\CCS\Services\Tcpip\..\{EAD1FB58-9EDC-47F8-9A4B-22C01ADD893A}: NameServer = 85.255.116.54,85.255.112.126

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.54 85.255.112.126

O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Click FIX CHECKED. Close HijackThis.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.

Thanks,

sari

June 6, 2006

qwertyuiop,

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.

Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

[*]Open Spybot Search & Destroy.

[*]In the Mode menu click "Advanced mode" if not already selected.

[*]Choose "Yes" at the Warning prompt.

[*]Expand the "Tools" menu.

[*]Click "Resident".

[*]Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.

[*]In the File menu click "Exit" to exit Spybot Search & Destroy.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/...://my.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com

O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file)

O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)

O2 - BHO: (no name) - {00A6FAF1-072E-44cf-8957-5838F569A31D} - (no file)

O2 - BHO: (no name) - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - (no file)

O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)

O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe

O4 - HKLM\..\Run: [Microsoft Update 64 BIT] WININIT32.EXE

O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe

O4 - HKLM\..\RunServices: [Microsoft Update 64 BIT] WININIT32.EXE

O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe

O4 - HKCU\..\Run: [sOProc_RegSoAlertWxLiteNnAj] rundll32 shell32.dll,ShellExec_RunDLL C:\PROGRAM FILES\SOFTWAREONLINE\SOPROC.EXE -pack RegSoAlertWxLiteNnAj

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab

O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} -

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Please delete these folders using Windows Explorer(if present):

C:\PROGRAM FILES\SOFTWAREONLINE

Please delete these files using Windows Explorer(if present). You'll have to search for these files:

windir32.exe

WININIT32.EXE

After that, Reboot.

Please post a new hijackthis log.

Thanks,

sari

June 4, 2006

qwertyuiop,

Due to the length of your bitdefender log, your hijackthis log got cut off. Could you please post a full log for me?

Thanks!

sari

June 2, 2006

qwertyuiop,

That happens sometimes. Try this: BitDefender. Please post the results of the scan in your next reply.

sari

May 31, 2006

qwertyuiop,

I'm sorry you had trouble with that, but the good news is that it worked. Let's move on to the next step, as you still have quite a few things that you don't want on there. I'd like you to do an online virus scan next.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
If it wants to install an ActiveX component allow it
Select either Home User or Company
Click the big Scan Now button
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Post the contents of the Activescan report and a new hijackthis log. We'll still have some entries to remove after that, and I may have files you'll need to delete as well.

Thanks,

sari

May 31, 2006

qwertyuiop,

You do have a few issues in this log! We're going to start by getting rid of something called pokapoka.

Please download LQfix.exe from one of the following locations:

http://www.downloads.subratam.org/LQfix.exe
http://miekiemoes.geekstogo.com/tools/LQfix.exeSave it to your desktop.
Double-Click LQfix.exe and click Next > Next > Install.
Leave the default settings, if you change them, the fix will Fail!
You need an active Internet Connection, so make sure your you're not blocking any connection now.
Now make sure the "Launch LQfix" box is checked.
Click the Finish button, after clicking the Finish button the fix will start.
Follow the on-screen prompts.
Your system will reboot afterwards.
Please be patient after the reboot, there is a script running in the background that needs to complete.

Then do a scan with HiJackThis and post a new log by using Add Reply

Thanks,

sari

March 30, 2006

jeebusllama,

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.
Please double-click Killbox.exe to run it.
Select:
- Delete on Reboot
- then Click on the All Files button.
[*]Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\DOCUMENTS AND SETTINGS\Eddie\LOCAL SETTINGS\Temp\bwgo0000a8c3.exe
C:\WINDOWS\SYSTEM32\ot.ico
C:\WINDOWS\SYSTEM32\shellexp.exe
C:\WINDOWS\videoc.ocx
C:\WINDOWS\SYSTEM32\1024
C:\Documents and Settings\Eddie\Local Settings\Temp\cfdata.txt.expanded
[*] Return to Killbox, go to the File menu, and choose Paste from Clipboard.
[*]Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back with a new hijackthis log and let me know how things are running.

Thanks,

sari

March 21, 2006

Jeebusllama,

Hi, and welcome to Besttechie. I will be helping you with your log.

I see that you are running HijackThis from a temporary directory; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the program into it. It is very important you do this, as Hijackthis creates backups that you don't want deleted!

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll

O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

O4 - HKLM\..\Run: [cd1] c:\windows\system32\cd1.exe /nocomm

O4 - HKLM\..\Run: [ms2src] c:\program files\common files\system\ms2src.exe /install

O4 - HKLM\..\Run: [MPlay64] c:\program files\common files\system\mplay64.exe /noerrorinfo

O4 - HKLM\..\Run: [wzdmg] c:\windows\system32\wzdmg.exe /nocomm

O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Seekmo/ie/bridge-c420.cab

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please remove these entries from Add/Remove Programs in the Control Panel(if present):

Viewpoint

Please note any other programs that you dont recognize in that list in your next response

Please delete these folders using Windows Explorer(if present):

C:\Program Files\Viewpoint

C:\Program Files\Security Toolbar

Please delete these files using Windows Explorer(if present):

ALCMTR.EXE <---You'll need to use the search function to find this entry

c:\windows\system32\cd1.exe

c:\program files\common files\system\ms2src.exe

c:\program files\common files\system\mplay64.exe

c:\windows\system32\wzdmg.exe

C:\DOCUMENTS AND SETTINGS\WENDYCAMPIONE\LOCALSETTINGS\Temp\bwgo11fcd1ad.exe

After that, Reboot.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Please post back with a new hijackthis log and the activescan log.

Thanks,

sari

March 10, 2006

marinerschas2,

I wanted you to run an online virus scan because you did have multiple unknown or definite virus files. Could you try one of these instead?

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++

If you are unable to run the activeX Antivirus Scanners, lets try this Java based solution from Trend Micro.

Thanks,

sari

March 9, 2006

marinerschas2,

Do you know what this entry is?

O4 - HKLM\..\Run: [filit] C:\Documents and Settings\Chas\Desktop\foobar.exe

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe

Now close all windows other than HiJackThis, then click Fix Checked. Reboot into safe mode.

Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please delete these files using Windows Explorer(if present):

windir32.exe <== You'll have to search for this file

C:\Program Files\Common Files\Windows\mc-110-12-0000080.exe

After that, Reboot.

Please go HERE to run Panda's ActiveScan

Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report and a new hijackthis log for review.

Thanks,

sari

March 8, 2006

marinerschas2,

Umm, could you tell me what you did exactly? And did you disable startup programs in msconfig? If so, I need you to re-enable everything so I can see what's there, to verify there's nothing bad starting up. We don't really recommend that users delete items from hijackthis on their own, nor hide items in msconfig, as it makes it more difficult for us.

Thanks,

sari

March 7, 2006

marinerschas2,

I'm not sure what you did either, but let's get you cleaned up!

First, Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.

To Get rid of NewDotNet, go to:

Start > Control Panel > Add or Remove Programs and remove the following:

New.Net Applications or New.Net Domains (anything that says New.Net)

If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Please post back with a new hijackthis log and we'll work on the rest of your issues after that.

Thanks,

sari

March 2, 2006

Yeah, and it wasn't pretty. Mandy had to wash his pants and the floor of #besttechie! :lol:

October 19, 2004

A belated happy birthday, Gwyrox732!

Sari

October 7, 2004

With the correct version of hijackthis....

Logfile of HijackThis v1.98.2

Scan saved at 3:18:46 PM, on 10/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Program Files\NavNT\defwatch.exe

C:\DMI\WIN32\bin\DellDmi.exe

C:\Program Files\Dell\OpenManage\Client\EventAgt.exe

C:\Program Files\Dell\OpenManage\Client\DLT.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\dmi\win32\bin\Win32sl.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NavNT\vptray.exe

C:\WINDOWS\System32\wuauclt.exe

C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe

C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe

C:\Program Files\mIRC\mirc.exe

C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spywareinfo.com/index.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe

O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe

O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe

O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

O4 - HKLM\..\Run: [iPInSightLAN 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe" -l

O4 - HKLM\..\Run: [iPInSightMonitor 01] "C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe"

O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe

O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe

O9 - Extra 'Tools' menuitem: Control Pad - {28D44DAD-D1FC-4d4f-BB1B-ADF037C8DDBC} - C:\Program Files\Verizon Online\Verizon Online Control Pad\VerizonControlPad.Exe

O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab30149.cab

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab

O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab

O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab

October 7, 2004

Thanks, rock

Did that - this is the log from my daughter's user id, then I'll post the one from mine if it looks different.

Logfile of HijackThis v1.98.1

Scan saved at 2:39:48 PM, on 10/7/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\SYSTEM32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Nhksrv.exe

C:\Program Files\Dell\OpenManage\Client\ActionAgent.exe

C:\WINDOWS\system32\drivers\dcfssvc.exe

C:\Program Files\NavNT\defwatch.exe

C:\DMI\WIN32\bin\DellDmi.exe

C:\Program Files\Dell\OpenManage\Client\EventAgt.exe

C:\Program Files\Dell\OpenManage\Client\DLT.exe

C:\Program Files\Dell\OpenManage\Client\Iap.exe

C:\WINDOWS\System32\inetsrv\inetinfo.exe

C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

C:\Program Files\NavNT\rtvscan.exe

C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

C:\dmi\win32\bin\Win32sl.exe

C:\WINDOWS\System32\MsgSys.EXE

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\DELLMMKB.EXE

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\WINDOWS\System32\wuauclt.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\NavNT\vptray.exe

C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe

C:\Program Files\Verizon Online\Visual IP InSight\IPClient.exe

C:\Program Files\Verizon Online\Visual IP InSight\IPMon32.exe

C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe

C:\WINDOWS\System32\ctfmon.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Netropa\OSD.exe

C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe

C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahooligans.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost