# Home Search



## daisy flower (Jul 25, 2004)

I have encountered a problem that I have done some research on and believe I have become hijacked, with failed attempts to correct it myself. But I see that it seems to be a common issue. My home page is http://forums.techguy.org/archive/index.php/t-249504.html and will return to that even after changing Internet Options. When it opens, it has "Home Search" in the upper left by a Windows logo/flag and tons of search links. It also opens with a small pop-up window that briefly says "search-all-fast.com" with a form of advertisement or spyware link. Home Search Assistant fails to delete in Add/Remove Programs, with error "looking-for.cc/unistall/HomeSearchAssistant.html".

My hijack log is

Logfile of HijackThis v1.97.7
Scan saved at 6:53:32 PM, on 7/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\mfcch.exe
C:\techbox\techbox.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\WebCam Control\CamTray.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\System32\NAVscan32.exe
C:\WINDOWS\System32\dailin.exe
C:\windows\system32\ns.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\America Online 9.0\aoltray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\WINDOWS\javand32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Watkins\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.gocyberlink.com/registra...red_Company&FName=Preferred_Customer&Lang=Enu
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\WebCam Control\CamTray.exe
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32x] c:\windows\system32\ns.exe
O4 - HKLM\..\Run: [javand32.exe] C:\WINDOWS\javand32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [NAV Scan Service] NAVscan32.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38192.5297222222
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab

and my AboutBuster log reads

- Scan 1 --------
About:Buster Version 1.31
Removed! : C:\WINDOWS\fkcwt.dat
Removed! : C:\WINDOWS\dxock.dat
Removed! : C:\WINDOWS\javand32.exe
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\System32\azgha.dat
Removed! : C:\WINDOWS\System32\ymrms.dll
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

I have tried to follow other threads to fix this myself...but realize that they are all not the same, and I need assistance.

Thank you
Daisy


----------



## Byteman (Jan 24, 2002)

Hi- You are using an older version of HJT; the current one, with a hotfix, is this:

http://www.lurkhere.com/forum/DCForumID6/684.html

It may not be necessary for you to get it right now, please wait for expert help. I just didn't want you to get pointed to the un-fixed version of 1.98 which may still be posted at some places, or you may have downloaded before the info came out and try to use....

Here's what to do first: IN SAFE MODE--stay offline until done! 
You should print these pages if you can- you will be in Safe Mode to do the work and will not have access to them, unless you have another computer to read them with.
Please make sure that you can view all hidden files. 
Instructions on how to do this:
1. On the Tools menu in Windows Explorer, click Folder Options.
2. Click the View tab.
3. Under Hidden files and folders, click Show hidden files and folders.

Note: To access Windows Explorer, click Start, point to All Programs, and then click Windows Explorer.
NEXT::

These steps, stopping the services that the malware uses, appear to be needed, as well you should look for the Registry keys as explained below, in the proper sequence...
I see a lot of the experts at other forums still using this method for XP/ so I have included them also!

to stop the service that the malware uses:
Step 1:

Click on start, the control panel, then administrative programs, then services. Look for a service called

Workstation NetLogon Service or
Network Security Service or 
Remote Procedure Call (RPC) Helper

Double click on those/ that service and click stop. Also write down the name and path of the file listed in the Path to executable field.

OK, NEXT -- We need to End Task on any of these .exe processes that may be running: 
dailin.exe
ns.exe
wuamgrd.exe
mfcch.exe
NAVscan32.exe
javand32.exe

Just press CTRL+ALT+DEL once to get the Task Manager open. A HIGHLIGHTED ITEM is the one you are working with, either the down arrow OR a mouse click will move to any item you need to get to. 
Then, End Task on any that show, you may have to wait a bit until the End Task works
At any time you feel you made a mistake ending a task, just hit the Cancel button and wait a bit, then open up Task Manager again...

....just do not hit CTRL+ALT+DEL more than once rapidly or you will reboot>> should it happen, F8 back to Safe Mode>>>
and you will have to start all over again>> so work carefully, take your time, open and reopen the Task Manager until you do not see any of these guys there, then as your last move, hit CANCEL to close Task Manager.

NEXT, Run HijackThis again, 
With only HJT open, all browser windows etc CLOSED, have these fixed-- they may not all show in your log but carefully put CHECKS IN BOXES NEXT TO ANY THAT ARE THERE, and have 
HijackThis "FIX" them.

C:\WINDOWS\System32\dailin.exe
C:\windows\system32\ns.exe
C:\WINDOWS\System32\wuamgrd.exe
C:\WINDOWS\mfcch.exe
C:\WINDOWS\System32\NAVscan32.exe
C:\WINDOWS\javand32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ymrms.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129

O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll

O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\Run: [Micro Update] dailin.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [win32x] c:\windows\system32\ns.exe
O4 - HKLM\..\Run: [javand32.exe] C:\WINDOWS\javand32.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [NAV Scan Service] NAVscan32.exe
O4 - HKLM\..\RunServices: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [NAV Scan Service] NAVscan32.exe

O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe

NEXT STEP(5) 
In the next step we are going to remove a service that gets installed by this malware. The service will always start with __NS_Service. For the purposes of this step, we will assume that it is called NS_Service_3 ---but may be called something differently on your computer.
Navigate by clicking on the + signs, like Windows Explorer has---be very careful in the Registry and follow the steps exactly.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\__NS_Service_3 (or whatever is there with _NS_Service)

If __NS_Service_3 exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY___NS_Service_3 ((or whatever LEGACY__NS__Service is showing))

If LEGACY___NS_Service_3 exists then right click on it and choose delete from the menu.
Close the Registry Editor.

STEP (6)

Still in safe mode, run AboutBuster and COPY the log it makes and save it to put into your reply.

NEXT do THIS:::



flrman1 said:


> *Here is the only variation this time:*
> 
> Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.
> 
> ...


 {{Hmmm it looks like I have you making 3 A/Buster logs...one after fixing items with HJT and in the quote I am using from flrman1, he had that person make 2...one after the HJT fix, and then after a reboot might do it, or you can make all three but number them and post them, in numerical order, I know its a lot to do! Try! }}
AboutBuster is used from Safe Mode, did you run it that way, and did you RE-BOOT TO Safe Mode and run it again???...
there should be 2 logs, one made just before the other, both in Safe Mode, with a reboot back into Safe Mode between them.... the experts will need to see them. Please try again. 
You definitely should not be connected to the Net as much as possible, if you have another pc that can connect OK, use that to read the posts here if you like.

looks like you will probably need this, too:

This info is from this page:

http://www.russelltexas.com/malware/HOSTS.htm

The Hoster download may not be needed, it's just in case you do have a HOST file hijack, explanation below.

"" Download the hoster from here: http://members.aol.com/toadbee/hoster.zip
Press 'Restore Original Hosts' and press 'OK'
Exit Program.
Note: if you were using a custom Hosts file you will need to replace any of those entries yourself.

You can CHECK FIRST if you have a hostfile hijacking >>
Open Windows Explorer: type the word explorer at Start/Run box and click OK:

Find this file: (XP systems)
C:\Windows\system32\Drivers\ETC\HOSTS file

The hijacked HOSTfile can display in HJT logs...but I think you have to put the checkmark in a box, you might have taken it out or something...check for a long list of sites in the HOST file this way:

To open and view the HOSTS file to doublecheck for bad entries, left button double click on the HOSTS file. A message will appear saying Windows can't open the file. Check the circle at the bottom entitled:

Select the program from a list.

Now click OK. In the next window....Scroll down in programs until you see Notepad and select it and click OK.

If you see this line below the header info:

127.0.0.1 localhost

....And nothing below it then you have not been hijacked.

If you see many double column entries and most are antivirus and anti-malware sites then remove all the entries leaving only the 127.0.0.1 localhost entry.""

NOTE> pros: -- I hope I got this right, please correct or advise if you spot anything else to "eject" 

This post was assembled with of course, a quote from a previous reply by flrman1....some of my experience and a lot of reading....
and, some copy and paste work from a "canned fix" from a very good forum over at: http://www.dslreports.com/forum/remark,10862998~mode=flat
They have come up with several different methods...
All in all, I don't think you have the type of infection that AboutBuster takes out, but it cannot hurt anything to use it far as I know...the main key seems to be killing the service, ending the processes, using HJT to fix the things, deleting the files, and AboutBuster...and in this case editing the Registry though I am not sure that would have to be done...

I think a lot more of us are going to have to try fixing these types of infections. I need a canned something right about now  ...
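The HOSTS file check quoted above (the russelltexas.com page and the Hoster tool), written out as a small script so the "is it only 127.0.0.1 localhost?" question can be answered without reading the file by eye. This is an added example, not code from the thread, from HijackThis or from Hoster; it assumes a Windows-style hosts file in which the only legitimate mapping is loopback to localhost (treating the ::1 localhost line of newer Windows versions as legitimate is an assumption beyond what the thread covers), and the sample hosts content is constructed with placeholder vendor names.

```python
import sys

LOOPBACK = {"127.0.0.1", "::1"}   # ::1 is an assumption for newer Windows; the thread only covers 127.0.0.1
LOCAL_NAMES = {"localhost"}
DEFAULT_LINE = "127.0.0.1       localhost"

# Constructed sample: stock-looking header comments followed by the kind of
# entries a hosts hijack adds (placeholder vendor names, not real sites).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.antivirus-vendor.example antivirus-vendor.example
127.0.0.1       updates.antispyware-vendor.example   # added by the hijacker
"""


def parse_hosts(text):
    """Yield (ip, hostname) for every mapping. Comment and blank lines are skipped,
    and a line listing several hostnames yields one pair per name."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        for name in parts[1:]:
            yield parts[0], name


def suspicious_entries(text):
    """Every mapping other than loopback -> localhost. On a stock XP hosts file
    this list is empty; on a hijacked one it lists the sites being blocked."""
    return [(ip, name) for ip, name in parse_hosts(text)
            if not (ip in LOOPBACK and name.lower() in LOCAL_NAMES)]


def restore_default(text):
    """Return the file with every mapping removed and only the localhost line kept,
    which is what the quoted advice amounts to. Comment lines are preserved."""
    comments = [l for l in text.splitlines() if l.lstrip().startswith("#")]
    return "\n".join(comments + [DEFAULT_LINE]) + "\n"


if __name__ == "__main__":
    # Pass the path of a copied hosts file, or run with no argument to check the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    bad = suspicious_entries(content)
    if not bad:
        print("Only the localhost entry is present: no hosts hijack.")
    else:
        print(f"{len(bad)} mapping(s) beyond localhost:")
        for ip, name in bad:
            print(f"  {ip:<16} {name}")
        print("\nCleaned file would read:\n" + restore_default(content))
```

It reports every mapping other than loopback to localhost and shows what the file would look like with those mappings removed, which is the thread's "leave only the 127.0.0.1 localhost entry" advice. As the quoted note says, a deliberately customised hosts file will show up here too, and those entries have to be put back by hand.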


----------



## Byteman (Jan 24, 2002)

Hi, Some info provided by an expert indicates we are proceeding OK, and you DO indeed need to use AboutBuster...
You most definitely should print all the instructions and ask about anything that is not clear to you. 
If you find it too technical to attempt {I do not blame you! It is not very easy to understand it at all}

There are some experts here, who can really write the steps down a lot clearer than I, so just yell if you would like that done! 
It is not as hard as it may seem, but you do need to do the things accurately, in order, etc...
It can take some time...especially on a poor running Internet connection...another pc to read replies from, as I said, will make it easier, and leave the infected one off the Net as much as possible. If you have a way to burn CDs that can be a very big plus, as you can simply install programs that way, even update the antispyware tools if need by with floppy disks or CD. And, of course you can copy the logs back to floppy disk to post them here...
Most folks continue using the hijacked pc successfully through the procedures. The success rate is not 100% but getting better. 

You had one question I did not reply to: The HomesearchAssistant entry in Add/Remove Programs fails to uninstall from there with an error:
I will look for more info, but, usually these uninstallers do not do very much at all, they are fake in other words.
You may need to be connected for them to work, when they actually uninstall anything... but still I do not think it will help...will post if I find anything about it, OK? 
Take your time- someone here can help.


----------



## daisy flower (Jul 25, 2004)

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\msnk.exe
Removed! : C:\WINDOWS\wfbbq.dat
Removed! : C:\WINDOWS\reroa.dll
Removed! : C:\WINDOWS\jungl.exe
Error Removing! : C:\WINDOWS\wzwdyxsh.exe
Removed! : C:\WINDOWS\lsasss.exe
Removed! : C:\WINDOWS\avserve2.exe
Removed! : C:\WINDOWS\ipeg32.exe
Error Removing! : C:\WINDOWS\alchem.exe
Removed! : C:\WINDOWS\crwq.exe
Removed! : C:\WINDOWS\wjuvqn.exe
Removed! : C:\WINDOWS\ipeg32.exe.bak
Removed! : C:\WINDOWS\System32\zpikj.dat
Removed! : C:\WINDOWS\System32\xspvz.dat
Removed! : C:\WINDOWS\System32\iepr32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\wzwdyxsh.exe
Error Removing! : C:\WINDOWS\alchem.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 9:36:59 PM, on 7/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gocyberlink.com/registra...red_Company&FName=Preferred_Customer&Lang=Enu
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O2 - BHO: (no name) - {D050E6CE-E315-8255-E932-EE88CA55D832} - C:\WINDOWS\system32\ipob32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vettncfz.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {95844941-7934-4693-92D9-8202EA7B20ED} - http://www.stumbleupon.com/stumble.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/2000XP/CDTInc/bridge.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


----------



## Byteman (Jan 24, 2002)

Hi, Good work! Now there are some things to check for me: You should PRINT this info> (there is a printer-friendly button here at the top of pages, no pics or fancy stuff, just text) Unless you have another pc to read messages> that is the best thing to do. 
I'd like you to re-download AboutBuster, they are updating today....hopefully it will include more files that it finds! 
http://tools.zerosrealm.com/AboutBuster.zip

You may delete the other aboutbuster.zip file if you still have it.
I think you can simply DELETE aboutbuster.exe>> or rename it to aboutbuster.old so you dont get confused with a new copy.
Unzip the new download to your desktop. We will run it a bit later on....

If you use cable modem, or DSL to get on the Net, and are on the infected machine to read the threads, get a download, etc after you are done and have printed the info, etc, close Internet Explorer etc, and disconnect the network cable from the back of the computer...if you are keeping the bad pc off the Net, so much the better...

By the way> do NOT use AdAware just yet if you have it, there are a few things to do FIRST > we will be getting AdAware later if you do not have it> you will have to download as it does not fit on floppy disk (CD maybe?)
It does have to be updated online....more later!

{{Note, I have asked flrman1 to check on one item in the HJT log and post the right way to fix it...so if you get a reply from flrman1, please do what it says!!}}

Go to Add/Remove Programs:

Look for and uninstall any of these- VX2, WindowsSA, Internet Optimizer, WebRebates or similar, Cashback, NaviSearch, Blackstone>> some may not be there at all. Post any that you are not sure about or any questions...

Download from link just below directions, and run it. It may find and delete some files or nothing.

Read the directions, these are the key ones:

If you are running Windows Me or XP, then disable System Restore. Directions for this below>
here is an info page, if you are familiar with this, here are just the steps:
Click Start > Programs > Accessories > Windows Explorer 
Right-click My Computer, and then click Properties. 
Click the System Restore tab. 
Check the "Turn off System Restore" or "Turn off System Restore on all drives" check box .
Click Apply. OK the message about turning it off.

If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet. 
Close open programs before running the tool.
It fits on a floppy disk and you can copy it over to a folder or the desktop and run from there. (if you are using another computer to download small tools, etc)
Double-click the FxSasser.exe file to start the removal tool. 
Click Start to begin the process, and then allow the tool to run. 
Restart the computer. 
Run the removal tool again to ensure that the system is clean. 
http://securityresponse.symantec.com/avcenter/FxSasser.exe

NEXT: From Safe Mode ((almost all our work will be))
Using HJT, have the following fixed:

F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
R3 - Default URLSearchHook is missing
O2 - BHO: twaintecObj Class - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINDOWS\twaintec.dll
O2 - BHO: brdg Class - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - C:\WINDOWS\Downloaded Program Files\bridge.dll (file missing)
O2 - BHO: (no name) - {D050E6CE-E315-8255-E932-EE88CA55D832} - C:\WINDOWS\system32\ipob32.dll
O4 - HKLM\..\Run: [Windows Automation] mslaugh.exe
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Cryptographic Service] C:\WINDOWS\System32\vettncfz.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebSavingsfromEbates] wjview /cp "C:\Program Files\WebSavingsfromEbates\System\Code" Main lp: "C:\Program Files\WebSavingsfromEbates"
HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\RunServices: [Microsoft Update] msconfg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Micro Update] dailin.exe
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} (brdg Class) - http://static.flingstone.com/cab/20...TInc/bridge.cab

O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

After checks are in all of those, fix them. Remember, close all other windows, offline, etc.

RUN box, type services.msc- if any of these are listed double click them, click Action>Properties, and Click STOP, for each of them.
Change their startup type to>>Disabled and click OK and close the Services window.
mslaugh.exe
msconfg.exe- watch the spelling of this one!!!
myrzhg.exe
hzqaxr.exe
alchem.exe--may not be found but look anyway.

((don't stop msconfig.exe, which should not be there, you never know tho))

and, find or search for these files and delete them:
wsaupdater.exe
mslaugh.exe
dailin.exe
msconfg.exe
myrzhg.exe
omniscient.exe
alchem.exe

{I left out hzqaxr.exe hoping that AboutBuster will pick it up}

For those above you will/may have to use the Search>Files or Folders routine, set it to LOOK IN C: or My Computer to find the above files. That's always a good way to check for duplicates or files that sometimes are in other folders than we see in your logs... good typing skills are essential using the FIND/SEARCH feature...

NEXT: 
Delete these if found: in Windows Explorer::

C:\WINDOWS\twaintec.dll
C:\Program Files\Internet Optimizer\optimize.exe
C:\WINDOWS\System32\vettncfz.exe
C:\Program Files\CashBack\bin\cashback.exe
C:\Program Files\NaviSearch\bin\nls.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\Program Files\SideFind\sidefind.dll
C:\WINDOWS\msopt.dll
C:\Program Files\WindowsSA\omniscient.exe

NEXT:

FOLDERS to delete:
NaviSearch
BullsEyeNetwork
SideFind
Internet Optimizer
Cashback
WindowsSA 
I probably missed a few but we will clean them up.

Post back whether you run into any that will not give permission:
Now, do NOT reboot and do NOT open IE for this: In safe mode still: 
Run AboutBuster that you unzipped to your desktop earlier, Start it, hit Ok, Start, And Ok again to start the scan. and save the two logs it makes and post them. And, post a fresh HJT log, please. There will be more HJT work and possibly another run of AboutBuster.

One last: Do you know what these below go to, a program you have, or something?
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe

O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe

Above seems to be ok, it's in your user folder /Watkins, I assume it may be something you created? A scan later on may pick it up. Just run AboutBuster, post the logs and a new HJT log.
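The hand-built fix lists in this reply and in the earlier one share a few recurring patterns: R0/R1 start and search pages pointing at a res:// resource inside a DLL, a UserInit line that is not userinit.exe, BHOs with no name, and O4 autostart entries given as a bare file name (wuamgrd.exe, msconfg.exe, dailin.exe) repeated under HKLM Run, HKLM RunServices and HKCU Run at once. The script below reads a HijackThis log and lists the lines matching those patterns. It is an added example, not code from the thread, from HijackThis or from AboutBuster; the rules are a reading of what the replies flag by hand, the sample lines are copied from the logs posted in this thread, and a flagged line is a candidate for a closer look, not a verdict.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis logs posted in this thread,
# with a couple of ordinary entries kept in so the rules have something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\ymrms.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ymrms.dll/index.html#28129
F2 - REG:system.ini: UserInit=C:\Windows\System32\wsaupdater.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\RunServices: [Microsoft Update] wuamgrd.exe
O4 - HKCU\..\Run: [Microsoft Update] wuamgrd.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
"""

# "R1 - <body>", "O4 - <body>" and so on
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
# O4 body shape: HKLM\..\Run: [label] command
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
STOCK_USERINIT = "userinit.exe"


def executable_of(cmd):
    """First token of an autostart command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.find('"', 1) > 0:
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return (flags, repeated): flags is a list of (kind, reason, line) and
    repeated maps a bare executable name to every Run/RunServices location it
    appears in, for names seen in two or more locations."""
    flags = []
    bare_locations = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "= res://" in body:
            flags.append((kind, "start/search page redirected into a local DLL resource", line))
        elif kind == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1].strip().rstrip(",")
            if value.lower().rsplit("\\", 1)[-1] != STOCK_USERINIT:
                flags.append((kind, "UserInit replaced; this runs at every logon", line))
        elif kind == "O2" and body.startswith("BHO: (no name)"):
            flags.append((kind, "unnamed Browser Helper Object", line))
        elif kind == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = executable_of(o4.group("cmd"))
                if exe and "\\" not in exe and "/" not in exe:
                    flags.append((kind, "autostart given as bare file name; the PATH decides what runs", line))
                    bare_locations[exe.lower()].append(f"{o4.group('hive')}\\{o4.group('key')}")
    repeated = {exe: locs for exe, locs in bare_locations.items() if len(locs) >= 2}
    return flags, repeated


if __name__ == "__main__":
    found, dup = triage(SAMPLE_LOG)
    for kind, reason, line in found:
        print(f"[{kind}] {reason}\n    {line}")
    for exe, locs in dup.items():
        print(f"{exe} is started from {len(locs)} places: {', '.join(locs)}")
```

Paste a whole log into triage() or run the file to see the sample. The repeated-location report is the part worth having: the same bare file name under HKLM Run, HKLM RunServices and HKCU Run at once is the pattern both fix lists above chase, and it is easy to miss when reading a long log by eye.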


----------



## daisy flower (Jul 25, 2004)

Panda virus check today. 
Ran - W32.Sasser.Worm has not been found on your computer.

In safe mode...internet/cable disconnected

aboutbuster redownloaded today

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\apicg32.exe
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\agzvm.dat
Removed! : C:\WINDOWS\dfppw.dat
Removed! : C:\WINDOWS\cabvn.dll
Removed! : C:\WINDOWS\apicg32.exe.bak
Removed! : C:\WINDOWS\System32\yttad.dat
Removed! : C:\WINDOWS\System32\ipyp.exe
Removed! : C:\WINDOWS\System32\wingp32.exe
Removed! : C:\WINDOWS\System32\ipue32.exe
Removed! : C:\WINDOWS\System32\addzy32.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

programs removed- ? Sidefind & SLotchbar

turned off system restore

no items to stop in run box, no items to delete

delete C: files, did not find C:\Program Files\WindowsSA\omniscient.exe, but do have C:\Program Files\WindowsSA\update,

deleted WindowsSA

no reboot, in safe mode - Aboutbuster scan

-- Scan 1 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 9:39:07 PM, on 7/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

I do not know what hzqaxr.exe or oeta.exe are.

Thanks


----------



## Byteman (Jan 24, 2002)

Hi. Well, there is a bit more to do:

Run HJT and fix these items:

O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

You do still have "Show all Files" enabled, correct?
And unchecked "Hide file extensions for known file types", correct?
Those settings are in the top tab of any Windows Explorer window...Tools>Folder Options>View. Put a mark into "Show hidden files", uncheck the other, "hide file extensions...", and hit the Apply button.

Then, without rebooting, run About Buster, save the logs etc.

NEXT: Try and find these files:
C:\WINDOWS\msopt.dll
C:\WINDOWS\System32\hzqaxr.exe
C:\WINDOWS\system32\sysfe.dll
C:\Program Files\ISTbar\istbar.dll
C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\javagx.exe
C:\Documents and Settings\Watkins\Application Data\oeta.exe
C:\WINDOWS\System32\hzqaxr.exe

And delete any you find. Quickly empty your Recycle Bin. Next: 
Run Disk Cleanup> Start>All Programs> Accessories>System Tools>Disk Cleanup and put checks into: Recycle Bin, Temp, Temp Internet Files and dump all those....Cookies are good to do, but you have to know your user IDs or passwords and you will have to sign in manually the first time that you go back to sites like TSG where you have a password and username...

Open Windows Explorer and navigate to C:, click to expand the folder...there you see Documents and Settings; expand that and you see All Users...go down a ways past All Users...if there is a Default user, open that, go down to Local Settings....then to Temp and highlight Temp>>and up at the top select EDIT and then click "Select All" from the drop down menu and then click on EDIT again...this time, click Delete.
It might take a few tries...should go easily since we did this not very long ago...

You have to do this for ALL the named users....they all have their own temp and temporary Internet Files...that are not removed by Disk Cleanup.
Now for TIFs, there will be one or two files that cannot be deleted, index.dat and perhaps desktop.ini and that is normal. 
Close Windows Explorer>>> and empty the Recycle Bin again...
Now, reboot --and post the new HJT logfile and About Buster logs into a Reply. 
I think a run with AdAware 6.0 fully updated will pull out the remains but need to see one more log...


----------



## daisy flower (Jul 25, 2004)

Logfile of HijackThis v1.98.0
Scan saved at 5:29:26 AM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cabvn.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cabvn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://cabvn.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\cabvn.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\cabvn.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://cabvn.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: ISTbar - {5F1ABCDB-A875-46c1-8345-B72A4567E486} - C:\Program Files\ISTbar\istbar.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [sdkos.exe] C:\WINDOWS\sdkos.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKLM\..\RunOnce: [netvr32.exe] C:\WINDOWS\netvr32.exe
O4 - HKLM\..\RunOnce: [sdkho.exe] C:\WINDOWS\system32\sdkho.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKCU\..\Run: [Muqb] C:\WINDOWS\System32\hzqaxr.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

enabled already - "show all folders"
unchecked already - hide file extensions for known files

-- Scan 1 --------
About:Buster Version 1.32
Removed! : C:\WINDOWS\agzvm.dat
Removed! : C:\WINDOWS\dfppw.dat
Removed! : C:\WINDOWS\cabvn.dll
Removed! : C:\WINDOWS\netvr32.exe
Removed! : C:\WINDOWS\sdkos.exe
Removed! : C:\WINDOWS\zpikjx.dat
Removed! : C:\WINDOWS\System32\yttad.dat
Removed! : C:\WINDOWS\System32\sdkho.exe
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!

found and deleted hzqaxr.exe, istbar.dll, 
emptied all temp folders for all users and default user
reboot

Logfile of HijackThis v1.98.0
Scan saved at 5:47:48 AM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

-- Scan 1 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 --------
About:Buster Version 1.32
Attempted Clean Of Temp folder.
Pages Reset... Done!


----------



## Byteman (Jan 24, 2002)

NOTE to flrman1--If you take a look at this thread: It appears that at 5:29am today she scanned with HJT and the log shows a lot of about:blank items that we removed just last night...the log was almost clean! Then after she apparently ran AboutBuster and followed the steps again, she ran HJT and the new log is from 5:47am, I guess that was quick thinking on their part, as it does show us something...seems it is coming back on its own or I missed something to have her do.
Tks flrman1> Byteman

Question: What is up with Internet Explorer being in the RUN section...there was one or two there before and I had her fix them... is that the right place for it to be, I looked at other XP NT logs and they did not show but IE was in correct location of Program Files.....what is this bug we have here??
Hi Daisyflower: have asked for help/support with this! Obviously something happened...the infection was back in full force this morning, so hang on until one or more of the experts stop in. Know you have put in a lot of time with this, and we will still help! Have to figure things out so that it does not return every day. Have you been able to run Windows Update and get anything to cooperate there? Were there any downloads installed successfully or were you hijacked immediately?
Perhaps the computer was A> left connected to cable\ Internet all night and things were bad when it started up? Or, after a reboot last nite? Need to find out when things went bad, and what you did then.

It sure looks to me that you have some things turned off somehow> have you used any startup managers to keep anything from loading when Windows does? I looked up Tech in a Box- do you really need that and did it come with the computer? Have you changed anything with that program? 
Have you or anyone been doing what is known as tweaking> trying to improve performance by turning off services to Disable instead of Manual or Automatic> ? Try to answer all the questions, no need to rush, just so any others have some clues to give you good help.
Have you by any chance used the Run box command, typing msconfig in there....the HJT entry shows repeatedly a <msonfg> entry which I have had you fix with HJT and delete a few times, but comes back with all the other stuff...I am wondering if something like a trojan is loose on there, keeping us from "seeing" everything, or not allowing access to kill it...
Any complaints when you start any programs? Any other popup error messages at startup...any at all legitimate or fake...any blue screens or reboots??


----------



## daisy flower (Jul 25, 2004)

ok...here's how it started...about two weeks ago....the computer crashed...and wouldn't start windows back up....every time it started to roll into windows, it would reboot. So I restored the whole computer. I have also recently got cable access instead of dial-up. Now when the installer came...he showed me where my e-mail was through Outlook (which I do not use) and I believe that when he opened it...it released a bunch of viruses and worms. I have gone to the microsoft webpage and have downloaded all the critical updates...and do not recall having any problems. I have downloaded my installation for my Lexmark x73 printer from Lexmark, and I have downloaded yahoo messenger and hotmail messenger, and RealPlayer. And have reinstalled certain hardware, cams, etc. all from disks. Other than those...I have not downloaded any other programs from restore time, except Panda virus scan.

I have been avoiding using the computer for the most part. Since placing my initial post...I have run several virus scans, and have downloaded the full version of Panda...it caught several viruses. I do not have the log now...nor do I know if it is still on the computer. But do know it had several trojan viruses and like 8 or 9 when I ran Panda. I will run windows update tonight and post back with an update. The downloads appear to be working successfully, but have noticed the problems from the beginning of restore.

After following instructions last night, I rebooted, posted, and checked my email. I believe I didn't disconnect the cable to the net, but did turn off the connection. This morning, I checked this post, went to safe mode and followed instructions, and then went to post again. I could not get connected to the net again. I was physically connected, but pages would not open. So I posted it at work. In the past I have had errors occurring, (lsass, java/log) but since posting...have not had any, except one last night- called Java.log...something...I'll post it correctly when I get home. Now while checking post this morning before following new instructions, Panda alerted me to a Trojan it disinfected.


I have not altered any start up managers since restore. Tech in a Box is a factory installed program, and have never used it..but have not removed it. Have never tweaked. When I was preparing to have cable installed...I was instructed to find out what my address was, and I believe the instructions were to open the run box, and type in a form on conf, but don't believe it was msconf. No blue screens, no reboots other than the lsass error shutdown in 60 sec (but have not had this recently).

agghh


----------



## Byteman (Jan 24, 2002)

Sorry you had to buy Panda. It cannot deal with what is running on your computer, but it certainly cannot hurt much either.
Thanks for the detailed info, it is going to help us.
When you post a log that has what you have, we are using About Buster...plus a manual fix of things in HijackThis, plus perhaps stopping a process or two if needed, plus deleting files manually...

Just running HJT log and then running AboutBuster isn't going to work, unless you did your own HJT fixing? If not, About Buster is taking out the CWS things, and the only things not good left in your log look like this:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

You may have been originally infected AFTER the restore during the first 10 or less minutes the machine was first connected to the Net...that's how easy it is to get something downloaded before the most recent protection can be downloaded and installed...something as big as Service Pack 1 would give plenty of time for an "invasion"....if being installed as a download...
It could be any on the Internet activity just after the Restore, with your cable modem connected to the computer's NIC and on. I have seen info about this> that's the info posted to prevent the Sasser worm from coming in, just after a new install or Restore...get updates somehow onto the computer before accessing the Net...but how to do this? The ordinary person isn't going to go to a non-infected computer and build a CD with SP1, antivirus updates for his choice of AV app, and various BHO protectors, spywareblasters, etc...but we may all have to learn to do this> stay disconnected until a lot of protection is added to the computer. I am wondering about XP Service Pack 2 right now> hope the complete version will be around soon, but it too has drawbacks...for one, they may be hard to get and people will not stick with the requirements anyway...I do see lots of online places where you can get CDs like this, with SP1 and a few other things...for not much more than shipping costs as per legality, they charge for the cost of the blank cd and shipping, cannot for Microsoft stuff...Service Pack 2 for XP will probably involve mandatory installation for SP2 according to things being written at sites now. [With win2000 of course you (daisyflower) would use the updates for that operating system.]

The process, whatever it is, is starting from the Registry and is probably some worm that loads IEXPLORE.EXE itself and loads it from the Registry services...and is probably tied with msopt.dll. Somehow we are not stopping msopt.dll from doing its deeds in time or completely...
EDIT::
OK found this:

Housecall by Trend Micro calls this Winshow:

see here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_WINSHOW.AF&VSect=T

They have it right down to the about:blank items...

Daisy if you want to try> try at the Housecall online scan site
http://housecall.trendmicro.com/

Excerpt from a thread at another forum:

"""My HJT will not delete the msopt.dll file. Is this file important? I can't even find the file in the WINDOWS folder (the path HJT shows it is in). """
Right away it is pretty well hidden> Regedit geniuses, help us!!!!

My reaction= use the Search the registry tool, or at least locate the basic file in Windows....but, how do we simplify the process for Daisyflower?
That's where we need help.

Whether or not it completely cures it depends on what you do after the whole scan and how well that functions> only a complete scan will work and a finished one too....if the files are found to be uncleanable which often they are, next best is quarantine or vault whatever option they give to lock up those files, I am not sure how your computer will react to this, though...if they lock up Internet Explorer's executable file you may not be able to go online on THIS computer...but that might be fixable, too I cannot say.
Any posting ((if you lost access)) would of course have to be from another computer and that can be done.
Any comments welcome! Anyone tried with homepage hijacker and msopt.dll infection at Housecall?
Panda either isn't detecting it, or when you scan it is somehow hidden> maybe a genius can unhide it just before a scan, and you can immediately hit scan and catch the thing...seems that the process can be stopped, but it is pretty tricky! By the time you are online and scanning, the files are "in use" and cannot be stopped there to work on...so they may be able to lock them up, I am not sure...This is what it says about msopt.dll:
"However, during testing, this file is not available." Meaning I think, when you are running an antivirus program that is installed directly on your computer, not meaning the online scan...
MAYBE> a runthrough of HJT and AboutBuster, and unhiding the file by either renaming it in Safe Mode or changing its attributes somehow would allow deletion?
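
As an added example (not code from this thread, HijackThis or About:Buster), the checks the helpers above apply by eye when reading an HJT log, written as a small Python triage script: res:// start/search pages, IEXPLORE.EXE launched from Run/RunServices, random-named binaries autostarted from the Windows tree or a user's Application Data folder, and an O18 protocol handler DLL sitting in the Windows directory. The sample lines are constructed from entries quoted in this thread; the random-name pattern and the KNOWN_GOOD allow-list are assumptions chosen for this example.

```python
"""Heuristic triage of HijackThis (HJT) log lines for the CWS-style about:blank
/ Home Search hijack in this thread. Added example; the name-pattern test and
KNOWN_GOOD allow-list are assumptions made here, not HJT's or About:Buster's logic."""
import re
from dataclasses import dataclass

KNOWN_GOOD = {"rundll32.exe", "qttask.exe", "camtray.exe"}   # assumed legitimate
WIN_ROOTS = ("c:\\windows\\", "c:\\winnt\\")

@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    reason: str    # why the line deserves a look
    line: str      # the original log line

def _exe_path(command):
    """Executable path from an O4 command; unquoted paths may contain spaces,
    so cut at the first .exe/.dll/.com rather than at the first space."""
    m = re.match(r"(.*?\.(?:exe|dll|com))", command.strip().lstrip('"'), re.I)
    return m.group(1) if m else command.strip()

def _win_relative(path):
    """Lower-cased path relative to the Windows directory, or None if outside it."""
    low = path.replace("/", "\\").lower()
    for root in WIN_ROOTS:
        if low.startswith(root):
            return low[len(root):]
    return None

def _looks_random(filename):
    # 4-7 lowercase letters, optional '32' suffix: apicg32, hzqaxr, sdkho, sysfe ...
    stem = filename.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return re.fullmatch(r"[a-z]{4,7}(32)?", stem) is not None

def _check_o2(rest):
    dll = rest.rsplit(" - ", 1)[-1].strip()
    if rest.startswith("BHO: (no name)") and _win_relative(dll) is not None and _looks_random(dll):
        return "unnamed BHO backed by a random-looking DLL in the Windows tree"
    return None

def _check_o4(rest):
    m = re.match(r"(HK\w+)\\\.\.\\(\w+):\s*\[[^\]]*\]\s*(.*)", rest)
    if not m:
        return None
    hive, key, command = m.groups()
    path = _exe_path(command)
    base = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if base == "iexplore.exe":
        return f"Internet Explorer autostarted from {hive}\\{key}; IE does not register itself there"
    rel = _win_relative(path)
    if rel is not None and "\\" not in rel:
        return "autostart binary placed directly in the Windows directory"
    if (rel and rel.startswith("system32\\") and rel.count("\\") == 1
            and base not in KNOWN_GOOD and _looks_random(base)):
        return "System32 autostart with a random-looking name"
    low = path.lower()
    if "\\application data\\" in low and "\\" not in low.split("\\application data\\", 1)[1]:
        return "autostart binary placed directly in a user's Application Data folder"
    return None

def _check_o18(rest):
    rel = _win_relative(rest.rsplit(" - ", 1)[-1].strip())
    if rel is not None and "\\" not in rel:
        return "custom protocol handler DLL placed directly in the Windows directory"
    return None

def triage_line(line):
    """Return a Finding for a suspicious HJT line, else None."""
    m = re.match(r"^(R[0-3]|O\d+)\s*-\s*(.*)$", line.strip())
    if not m:
        return None
    sec, rest = m.groups()
    if sec in ("R0", "R1") and "= res://" in rest:
        reason = "start/search page served out of a DLL resource (res://)"
    elif sec == "R3" and "URLSearchHook is missing" in rest:
        reason = "default URLSearchHook has been removed"
    else:
        reason = {"O2": _check_o2, "O4": _check_o4, "O18": _check_o18}.get(sec, lambda _: None)(rest)
    return Finding(sec, reason, line.strip()) if reason else None

def triage(log_text):
    return [f for f in map(triage_line, log_text.splitlines()) if f]

# Constructed sample: entries taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://cabvn.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {D87A0FBB-86E1-A961-D4CD-331BD3168F91} - C:\WINDOWS\system32\sysfe.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\myrzhg.exe
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [javagx.exe] C:\WINDOWS\javagx.exe
O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Watkins\Application Data\oeta.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""
```

Running `triage(SAMPLE_LOG)` flags eight of the twelve sample lines and leaves the NvCplDaemon, QuickTime, PrinTray and Acrobat entries alone; a flagged line is a prompt to look, not proof of infection.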


----------



## daisy flower (Jul 25, 2004)

while reading post, Panda disinfected w32/Korgo.U.worm

ran Panda - no infections

ran Housecall - Housecall has found and cleared malware.Troj_/miserv.c
virus: worm RBOT.ER, noncleanable, C:\Windows\System32\dialin.exe
virus: TROJ DELF.RA, noncleanable, C:\WINDOWS\2_0_1browserhelper2.dll
virus: TROJ DLOADER.F, noncleanable, D:\Documents and Settings\Watkins\Application Data\oeta.exe

while running Housecall: Panda found and disinfected w32/Korgo.AH.worm found in C:/windows/system32/ftpupd.exe

only other error that still occurs is Java/lang/object


----------



## Byteman (Jan 24, 2002)

Rather than all my stuff above: Here is a good thread about what Daisyflower has to run through to get rid of this:

With ONE exception> Daisyflower's system is XP, the apparently solved thread at Computer Cops is using win2000, but that should not matter...
ahem I think! 
It is extremely interesting & a must read for those of us helping with AboutBuster, the newer CWS hijacks, homepagesearch, etc....and the Winshow trojan. Much like some other forums I have been reading at in the last few weeks> these guys went to school!!

http://computercops.biz/postp242969.html

You do need to do the whole process to have the WORKSTATION NETLOGON SERVICE shut down as shown...problem is, these services that are only created by the infection can be any of about 3 maybe more named services, and you have to get them all... The link above shows a download that will list the active services, how to shut down the active service, how to find the files to delete, and how to find the correct key in the Registry to delete...
msopt.dll survives all the way to the last regedit...
The whole procedure is still dependent on the user staying off the Internet...which, on cable, means not opening any IE windows at all, and pulling the network cable out of the cable modem, ((for the less protected systems...still, it will prevent an accident!)) 
Following the steps should be easy enough. Print it out if possible.
Note that the key random files are loaded in C:\WINNT on the solved thread while daisyflower's would be found in C:\Windows


----------



## Flrman1 (Jul 26, 2002)

I just got your PM Bill. I need to answer a ton of emails as I just got home. Will you or Daisy post a synopsis of where you are with this one right now on this and I'll check back after I answer a few emails.

I did catch the part about HJT not removing this entry:

O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

That is because of a bug in the new HJT. To fix that one do this:

Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg 
Save as Type: All Files 
****Save on the desktop but don't do anything with it yet. You will run it later in safe mode.



> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4A8DADD4-5A25-4d41-8599-CB7458766220}]
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\icoo]


----------



## Byteman (Jan 24, 2002)

Right, flrman1, the link in one of my replies above has a solved thread with the .reg file, and also uses Get Active Services to find the service running (if any are.)..our user daisyflower here at TSG is running XP Home but not with NT so her paths are C:\Windows for the random files as you can see.

About Buster works fine on removing all the files, it has twice.
What I did not have her do: 
--The correct steps after typing services.msc in RUN box- got confused with processes and had her looking for random FILES in services  
--change the file attributes for the random file found
--Run the .reg file
--and check for instances of the same random .exe AND same filename but as a .DLL
I guess they can exist, so that might be a good idea...

The end result was a clean log...until next morning when as she posted, things were so bad she just made a new HJT log right then. The trojan downloader worked hard all night apparently...

Then she posted another log about 15 minutes later AFTER apparently running only aboutbuster, that log was clean except for the Winshow trojan downloader msopt.dll, and I did not know how to deal with that, then. I think she may have done her own fixing with HJT then, not sure...
So, all she needs is a rerun through the steps and then perhaps the Getactiveservices checker and the .reg file and regedit to get rid of it I hope...
There are a lot of Google results today for msopt.dll showing the same thing, but also the correct fix.

You don't really need much else but a new HJT log, and to have her download the two new things. Wonder if AboutBuster has updated... I will give her the link to that below. I will PM her and have her bounce a log back for you and find out if she is going to try tonight.

Does AB have built in updating? I've never used it hands on. She did get the latest 1.32 just a day or two ago.

I was trying to keep using this XP eMachine I was working on the other day when I PMed you twice... to look over the locations of files, etc. BUT> I need to get this back to the owner in the morning and I have been up way way too late all week. I've got to get the firewall and some other stuff set up on here, I just have SP1 and AVG going... and I don't want these aliens invading tonight! I suppose I could lift the steps from the CC forum post and sub in her filenames but I cannot work that way...



daisy flower said:


> while reading post, Panda disinfected w32/Korgo.U.worm
> 
> ran Panda - no infections
> 
> ...


This will continue to happen until the msopt.dll issue is fixed!

Don't worry, help will be coming soon. You are able to get online with the infected computer now and pages in IE open?
As I posted above> it would be best if you could read posts here from a good computer at the same location> and keep the infected one off the cable! All the tools or fixing can be done with floppy disk and disconnected completely from the Internet...


----------



## daisy flower (Jul 25, 2004)

Logfile of HijackThis v1.98.0
Scan saved at 9:00:53 PM, on 7/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [ntoq32.exe] C:\WINDOWS\ntoq32.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - HKLM\..\RunOnce: [appzj32.exe] C:\WINDOWS\system32\appzj32.exe
O4 - HKLM\..\RunOnce: [sdkso.exe] C:\WINDOWS\sdkso.exe
O4 - HKLM\..\RunOnce: [atloh32.exe] C:\WINDOWS\atloh32.exe
O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\atluc32.exe
O4 - HKLM\..\RunOnce: [ntcp32.exe] C:\WINDOWS\ntcp32.exe
O4 - HKLM\..\RunOnce: [iezy32.exe] C:\WINDOWS\system32\iezy32.exe
O4 - HKLM\..\RunOnce: [apiti.exe] C:\WINDOWS\system32\apiti.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll


----------



## Flrman1 (Jul 26, 2002)

First please do this:

Download the attached zip file and unzip it to your desktop. Doubleclick to run it. It will get a list of active services. Please post the list that is generated.


----------



## Flrman1 (Jul 26, 2002)

As to your mention of the get active services script used at the link at CC. I've been using it for a couple of weeks now Bill. Remember I mentioned it in my PM the other day.


----------



## daisy flower (Jul 25, 2004)

I will completely disconnect the infected computer after tonight. Will review posts from work, print them out, and bring them home to the infected computer. I will patiently wait for specific step by step instructions, and am very grateful for your help and patience.

These are the Current Active Services:

APPLICATION LAYER GATEWAY SERVICE: ALG
C:\WINDOWS\System32\alg.exe

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

COMPUTER BROWSER: Browser
C:\WINDOWS\System32\svchost.exe -k netsvcs

CRYPTOGRAPHIC SERVICES: CryptSvc
C:\WINDOWS\system32\svchost.exe -k netsvcs

DHCP CLIENT: Dhcp
C:\WINDOWS\System32\svchost.exe -k netsvcs

ERROR REPORTING SERVICE: ERSvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

COM+ EVENT SYSTEM: EventSystem
C:\WINDOWS\System32\svchost.exe -k netsvcs

FAST USER SWITCHING COMPATIBILITY: FastUserSwitchingCompatibility
C:\WINDOWS\System32\svchost.exe -k netsvcs

HELP AND SUPPORT: helpsvc
C:\WINDOWS\System32\svchost.exe -k netsvcs

SERVER: lanmanserver
C:\WINDOWS\System32\svchost.exe -k netsvcs

WORKSTATION: lanmanworkstation
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK CONNECTIONS: Netman
C:\WINDOWS\System32\svchost.exe -k netsvcs

NETWORK LOCATION AWARENESS (NLA): Nla
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS AUTO CONNECTION MANAGER: RasAuto
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE ACCESS CONNECTION MANAGER: RasMan
C:\WINDOWS\System32\svchost.exe -k netsvcs

TASK SCHEDULER: Schedule
C:\WINDOWS\System32\svchost.exe -k netsvcs

SECONDARY LOGON: seclogon
C:\WINDOWS\System32\svchost.exe -k netsvcs

SYSTEM EVENT NOTIFICATION: SENS
C:\WINDOWS\system32\svchost.exe -k netsvcs

INTERNET CONNECTION FIREWALL (ICF) / INTERNET CONNECTION SHARING (ICS): SharedAccess
C:\WINDOWS\System32\svchost.exe -k netsvcs

SHELL HARDWARE DETECTION: ShellHWDetection
C:\WINDOWS\System32\svchost.exe -k netsvcs

TELEPHONY: TapiSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

TERMINAL SERVICES: TermService
C:\WINDOWS\System32\svchost.exe -k netsvcs

THEMES: Themes
C:\WINDOWS\System32\svchost.exe -k netsvcs

DISTRIBUTED LINK TRACKING CLIENT: TrkWks
C:\WINDOWS\system32\svchost.exe -k netsvcs

UPLOAD MANAGER: uploadmgr
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS TIME: W32Time
C:\WINDOWS\System32\svchost.exe -k netsvcs

WINDOWS MANAGEMENT INSTRUMENTATION: winmgmt
C:\WINDOWS\system32\svchost.exe -k netsvcs

PORTABLE MEDIA SERIAL NUMBER: WmdmPmSp
C:\WINDOWS\System32\svchost.exe -k netsvcs

AUTOMATIC UPDATES: wuauserv
C:\WINDOWS\system32\svchost.exe -k netsvcs

WIRELESS ZERO CONFIGURATION: WZCSVC
C:\WINDOWS\System32\svchost.exe -k netsvcs

DNS CLIENT: Dnscache
C:\WINDOWS\System32\svchost.exe -k NetworkService

EVENT LOG: Eventlog
C:\WINDOWS\system32\services.exe

PLUG AND PLAY: PlugPlay
C:\WINDOWS\system32\services.exe

LEXBCE SERVER: LexBceS
C:\WINDOWS\system32\LEXBCES.EXE

TCP/IP NETBIOS HELPER: LmHosts
C:\WINDOWS\System32\svchost.exe -k LocalService

SSDP DISCOVERY SERVICE: SSDPSRV
C:\WINDOWS\System32\svchost.exe -k LocalService

WEBCLIENT: WebClient
C:\WINDOWS\System32\svchost.exe -k LocalService

NVIDIA DRIVER HELPER SERVICE: NVSvc
C:\WINDOWS\System32\nvsvc32.exe

PANDA PROCESS PROTECTION SERVICE: PavPrSrv
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

PANDA ANTI-VIRUS SERVICE: PAVSRV
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe

TREND MICRO PERSONAL FIREWALL: PccPfw
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe

PROTECTED STORAGE: ProtectedStorage
C:\WINDOWS\system32\lsass.exe

SECURITY ACCOUNTS MANAGER: SamSs
C:\WINDOWS\system32\lsass.exe

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

PRINT SPOOLER: Spooler
C:\WINDOWS\system32\spoolsv.exe

WINDOWS IMAGE ACQUISITION (WIA): stisvc
C:\WINDOWS\System32\svchost.exe -k imgsvc

TREND NT REALTIME SERVICE: Tmntsrv
"C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe"

TREND MICRO PROXY SERVICE: tmproxy
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

WORKSTATION NETLOGON SERVICE: ½O.#õØÂ´â
C:\WINDOWS\mfcch.exe /s
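
What the helpers are looking for in a list like this is the one service that does not belong: the last entry, whose short name is a string of junk characters and whose image is C:\WINDOWS\mfcch.exe, the same file that shows up in the RunOnce entries of the HijackThis log. The following Python is an added example for this thread (not Get Active Services itself and not a tool anyone in the thread posted); it parses six entries copied from the list above as constructed sample input and flags services by two rules: a service name that is not a plain printable ASCII identifier, and an image that runs from the Windows root directory instead of System32 or an application folder. The C:\WINDOWS install path is assumed from the posted paths.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: six entries copied from the Get Active Services
# list posted above, ending with the rogue service whose name is junk bytes.
SAMPLE_SERVICES = r"""
APPLICATION LAYER GATEWAY SERVICE: ALG
C:\WINDOWS\System32\alg.exe

WINDOWS AUDIO: AudioSrv
C:\WINDOWS\System32\svchost.exe -k netsvcs

REMOTE PROCEDURE CALL (RPC): RpcSs
C:\WINDOWS\system32\svchost -k rpcss

PANDA PROCESS PROTECTION SERVICE: PavPrSrv
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe

TREND NT REALTIME SERVICE: Tmntsrv
"C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe"

WORKSTATION NETLOGON SERVICE: ½O.#õØÂ´â
C:\WINDOWS\mfcch.exe /s
"""

WINDOWS_ROOT = r"c:\windows"  # assumed install directory, as in the posted paths


@dataclass
class Service:
    display_name: str
    name: str          # the short (key) name the service manager uses
    command: str       # full command line as listed
    image_path: str    # executable extracted from the command line
    reasons: list = field(default_factory=list)


def image_path_of(command: str) -> str:
    """Return the executable from a service command line, quoted or not.

    Unquoted paths with spaces (the Panda entry) are handled by taking
    everything up to the first '.exe'; a command with no extension at all
    (the RpcSs entry) falls back to its first token.
    """
    quoted = re.match(r'"([^"]+)"', command)
    if quoted:
        return quoted.group(1)
    exe = re.match(r"(.+?\.exe)\b", command, re.IGNORECASE)
    return exe.group(1) if exe else command.split()[0]


def parse_services(text: str) -> list:
    """Parse the two-line-per-service format: 'DISPLAY NAME: Name' then the command."""
    services = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 2 or ": " not in lines[0]:
            continue
        display, _, name = lines[0].rpartition(": ")
        command = lines[1]
        services.append(Service(display, name, command, image_path_of(command)))
    return services


def triage(services: list) -> list:
    """Attach a reason to every service that matches a rule; return the flagged ones."""
    flagged = []
    for svc in services:
        # Rule 1: real service key names are plain ASCII identifiers. A name made
        # of high-bit bytes and punctuation is the tell in the posted list.
        if not svc.name.isascii() or not svc.name.isprintable():
            svc.reasons.append("service name is not a plain printable ASCII identifier")
        # Rule 2: Windows services run from System32 or an application folder;
        # this hijacker drops its randomly named executables straight in C:\WINDOWS.
        directory = svc.image_path.rsplit("\\", 1)[0].lower()
        if directory == WINDOWS_ROOT:
            svc.reasons.append("image runs from the Windows root directory instead of System32")
        if svc.reasons:
            flagged.append(svc)
    return flagged


if __name__ == "__main__":
    for svc in triage(parse_services(SAMPLE_SERVICES)):
        print(f"{svc.display_name}: {svc.name!r} -> {svc.image_path}")
        for reason in svc.reasons:
            print(f"    - {reason}")
```

Run as-is, only the mfcch.exe service is printed, with both reasons. The display name rule was left out on purpose: "WORKSTATION NETLOGON SERVICE" is chosen to look legitimate, so a name-based allowlist would miss it, while the key name and the image location give it away.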


----------



## Flrman1 (Jul 26, 2002)

*To Bill*

The following is the fix that I have been using, Bill. It is almost identical to the one at the link you posted from Computer Cops. I didn't want to interrupt the thread and interject this method yesterday as you were using a method that has worked on occasion, albeit in a hit-and-miss way. I am a member of the Security Experts group at Computer Cops. The SE group is a private group where the Experts from just about every forum you can think of get together and hash out a lot of these fixes. There are a couple of threads in the SE forum where the fixes for this hijacker are being worked out.

*To Daisy:*

First Click here to download CWShredder. *Do Not* run it yet. Download it to the desktop and have it ready to run later.

___________________________________________________________________________
Copy the contents of the Quote Box to Notepad.

Name the file as fix.reg 
Save as Type: All Files 
****Save on the desktop but don't do anything with it yet. You will run it later in safe mode.



> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
> 
> ...


______________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options". 
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

Next click on My Computer. Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and "Hide extensions for known file types". Now click "Apply to all folders"
Click "Apply" then "OK"
______________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop and have it ready to run, but don't run it yet.
_____________________________________________________________________

Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.

Restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on fix.reg that you saved earlier to enter it into the registry. Answer yes when asked to have its contents added to the registry. 
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qibrs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll

O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE

O4 - HKLM\..\Run: [ntoq32.exe] C:\WINDOWS\ntoq32.exe

O4 - HKLM\..\RunServices: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - HKLM\..\RunOnce: [appzj32.exe] C:\WINDOWS\system32\appzj32.exe
O4 - HKLM\..\RunOnce: [sdkso.exe] C:\WINDOWS\sdkso.exe
O4 - HKLM\..\RunOnce: [atloh32.exe] C:\WINDOWS\atloh32.exe
O4 - HKLM\..\RunOnce: [atluc32.exe] C:\WINDOWS\atluc32.exe
O4 - HKLM\..\RunOnce: [ntcp32.exe] C:\WINDOWS\ntcp32.exe
O4 - HKLM\..\RunOnce: [iezy32.exe] C:\WINDOWS\system32\iezy32.exe
O4 - HKLM\..\RunOnce: [apiti.exe] C:\WINDOWS\system32\apiti.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE

Find and delete these files:

C:\WINDOWS\IEXPLORE.EXE
C:\WINDOWS\mfcch.exe 
C:\WINDOWS\ipeg32.dll
C:\WINDOWS\sdkso.exe
C:\WINDOWS\atloh32.exe
C:\WINDOWS\atluc32.exe
C:\WINDOWS\ntcp32.exe
C:\WINDOWS\ntoq32.exe
C:\WINDOWS\mfcch.exe
C:\WINDOWS\system32\appzj32.exe
C:\WINDOWS\system32\iezy32.exe
C:\WINDOWS\system32\apiti.exe

Delete any files that have the same name as these files but end with a dll. You should see them right next to each other.

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Next navigate to the C:\Documents and Settings\Watkins (Repeat for all user names)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

Check in the System32 folder to be sure you have a file named Shell.dll. If you do not have one, go to System32\dllcache 
Find shell.dll and right click on it. Choose Copy from the menu. 
Open System32 and right click on an empty space in the window. Choose Paste from the menu.

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system32

If control.exe isn't there, go here, and download control.exe per the instructions at the site.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

When you are sure you are clean turn System Restore back on and create a restore point.

To create a restore point:

Single-click Start and point to All Programs.
Mouse over Accessories, then System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point. Something like "After trojan/spyware cleanup". Click Create and you're done.
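
The list of entries to fix and files to delete in this post amounts to a handful of rules over the HijackThis log daisy flower posted: IE start/search pages pointing at a res:// DLL resource, the missing URLSearchHook, a BHO with no name, Run/RunOnce values named after random files under C:\WINDOWS, a bare IEXPLORE.EXE that resolves to the look-alike in C:\WINDOWS, the protocol handler DLL in the Windows root, plus the instruction to look for a .dll twin of each deleted .exe. The Python below is an added example for this thread, not a tool from the thread, from HijackThis or from AboutBuster; the log lines are a constructed subset of the posted log, the C:\WINDOWS path is assumed from it, and the rules are heuristics taken from this one post, not a general malware detector.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis log posted earlier in the
# thread, with a few legitimate lines kept in so the rules have something to pass.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qibrs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qibrs.dll/index.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {27F01197-47D8-D201-61BE-174D3F206568} - C:\WINDOWS\ipeg32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [Internet Explorer] IEXPLORE.EXE
O4 - HKLM\..\Run: [ntoq32.exe] C:\WINDOWS\ntoq32.exe
O4 - HKLM\..\RunOnce: [mfcch.exe] C:\WINDOWS\mfcch.exe
O4 - HKLM\..\RunOnce: [appzj32.exe] C:\WINDOWS\system32\appzj32.exe
O4 - HKCU\..\Run: [Internet Explorer] IEXPLORE.EXE
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll
"""

WINDOWS_ROOT = r"c:\windows"                       # assumed from the posted paths
WINDOWS_DIRS = {WINDOWS_ROOT, r"c:\windows\system32"}


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def directory_of(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def target_of(command: str) -> str:
    """First executable in a Run-key command line, quoted or bare."""
    m = re.match(r'"([^"]+)"|(.+?\.exe)\b', command, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else command.split()[0]


def dll_twin(path: str) -> str:
    # C:\WINDOWS\ntoq32.exe -> C:\WINDOWS\ntoq32.dll, the sibling the fix says to look for
    stem, dot, _ = path.rpartition(".")
    return (stem if dot else path) + ".dll"


def triage_hjt(log_text: str):
    """Return (findings, files_to_remove, dll_twins) for a HijackThis log."""
    findings, files = [], []
    for line in (ln.strip() for ln in log_text.splitlines()):
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        reasons = []
        if kind in ("R0", "R1") and "= res://" in line:
            reasons.append("IE start/search page points at a res:// DLL resource, not a URL")
        elif kind == "R3" and "URLSearchHook is missing" in line:
            reasons.append("default URLSearchHook has been removed")
        elif kind in ("O2", "O18"):
            path = line.rsplit(" - ", 1)[1]
            if kind == "O2" and "(no name)" in line:
                reasons.append("BHO registered without a name")
            if directory_of(path) == WINDOWS_ROOT:
                reasons.append("module loaded from the Windows root directory")
            if reasons:
                files.append(path)
        elif kind == "O4":
            m = re.search(r"\[(?P<key>[^\]]+)\] (?P<cmd>.+)$", line)
            if m:
                path = target_of(m.group("cmd"))
                base = path.rsplit("\\", 1)[-1]
                bare = "\\" not in path
                if bare:
                    # A bare name is resolved through the search path, so the
                    # copy dropped in C:\WINDOWS (the one the fix deletes) runs.
                    reasons.append("bare executable name resolved via the search path")
                else:
                    # Trend Micro also names values after their files, so the
                    # naming rule only counts under the Windows directory.
                    if m.group("key").lower() == base.lower() and directory_of(path) in WINDOWS_DIRS:
                        reasons.append("value named after a random file under the Windows directory")
                    if directory_of(path) == WINDOWS_ROOT:
                        reasons.append("autorun target lives in the Windows root directory")
                if reasons:
                    files.append("C:\\WINDOWS\\" + base if bare else path)
        if reasons:
            findings.append(Finding(line, reasons))
    files = list(dict.fromkeys(files))  # keep order, drop the duplicate IEXPLORE.EXE
    twins = [dll_twin(f) for f in files if f.lower().endswith(".exe")]
    return findings, files, twins


if __name__ == "__main__":
    findings, files, twins = triage_hjt(SAMPLE_HJT_LOG)
    for f in findings:
        print(f.line, "\n    " + "; ".join(f.reasons))
    print("\nFiles to look for:", *files, sep="\n  ")
    print("\nPossible .dll twins:", *twins, sep="\n  ")
```

The QuickTime and pccguide lines are in the sample to show the rules are scoped: pccguide.exe is also a value named after its file, which is why that rule only fires under C:\WINDOWS or System32, and the QuickTime entry passes because it lives under Program Files. On a real log the flagged list is a starting point for the kind of review done in this thread, not a delete list to run unattended.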


----------



## daisy flower (Jul 25, 2004)

ok.... now I have tried to go back and run Get Active Services... and get error "the compressed (zip) folder is corrupted or invalid" when trying to open it... When unzipping it.... no files found


----------



## Flrman1 (Jul 26, 2002)

daisy flower said:


> ok.... now I have tried to go back and run Get Active Services... and get error "the compressed (zip) folder is corrupted or invalid" when trying to open it... When unzipping it.... no files found


Don't worry about that now. I got the info that I needed from the Active services list that you posted. I posted the directions for the fix already. See my last post.

Good luck! :up:


----------



## Byteman (Jan 24, 2002)

DF- 
You may need to find the folder that you first unzipped the original download to...zipped files often put up that message when extraction has taken place before...
[EDIT::: never mind the above as flrman1 replied while I was posting]
Hi Mark! Nice work. I have seen you use the tools many times> very aware here of the good work you are into. I just posted what I could find, that CC thread was the first result in a Google search. I wasn't referring her there... just in case someone may have need of a possible fix... if it is an old .reg or does not work as well --will change to something new. Newer tools are what we are all going to be getting tons of, it looks like! Your hard work is appreciated! 
anyway, thank you very much...
Now I see what you mean about services and I think what you meant in regard to AB not always showing/removing running services... this whole type of thing will pretty much be a work in progress, seems to me...given the things that are invading computers recently. 
Just trying to keep up with the latest is the real work. 
Well I have to go make this eMachine XP Home Edition into XP Second Edition somehow so the owner's kids can play safely.

Daisyflower: You did a great job...after you get all cleared up> the one more thing you can do after finishing with the pc for the evening is...simply turn off the cable modem by pressing the power button, unhooking the cable is also effective but may give something a jolt of current...
Of course the protective programs can help a lot but the safe bet is to turn off the modem, that's what I do every shutdown.


----------



## daisy flower (Jul 25, 2004)

whew.... everything went fine... the only issue I had in safe mode was I could not run AboutBuster. Will do it all again if needed, but wanted to check first. No viruses found in the online Housecall scan... but I do have two that were popping up, while doing the online Housecall scan, in Trend Micro Internet Security that I loaded earlier. Doesn't seem to be any problems with anything right now, but will wait to hear a reply before doing any play on the computer.


Thanks again

Here is the virus log


Log List
"Time","Scan Type","Source Type","Virus Name","Infected Source","First Action","Second Action"
"19:13","Real-time Scan","File","WORM_RBOT.ER","C:\windows\system32\dailin.exe","Quarantine Successful",""
"19:28","Real-time Scan","File","TROJ_DELF.RA","C:\WINDOWS\2_0_1browserhelper2.dll","Quarantine Successful",""
"19:29","Real-time Scan","File","TROJ_DLOADER.F","C:\Documents and Settings\Watkins\Application Data\oeta.exe","Quarantine Successful",""
"20:35","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:35","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"20:37","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:37","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"20:39","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:40","Real-time Scan","File","SPYW_TWANT.C","C:\windows\ipeg32.dll","Deny Access",""
"20:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\ntoq32.exe","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:44","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:45","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:45","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:45","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ipeg32.dll","Deny Access",""
"20:50","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:51","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:56","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:57","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"20:57","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"21:03","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:05","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"21:05","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\NTOQ32.EXE","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:06","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netqa.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\netoy32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:07","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ntoq32.exe","Deny Access",""
"21:08","Real-time Scan","File","TROJ_EMT.A","C:\WINDOWS\ntoq32.exe.$$$","Quarantine Successful",""
"21:11","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netqa.exe","Deny Access",""
"21:21","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javace.exe","Deny Access",""
"21:24","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"21:36","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"21:36","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ipcw32.exe","Deny Access",""
"21:36","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\apiih.exe","Deny Access",""
"21:38","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netnf.exe","Deny Access",""
"21:38","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\winmf.exe","Deny Access",""
"21:39","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\appkh.exe","Deny Access",""
"21:39","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\d3lq32.exe","Deny Access",""
"21:43","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netqa.exe","Deny Access",""
"21:44","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\apiih.exe","Deny Access",""
"21:44","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netnf.exe","Deny Access",""
"21:46","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\winmf.exe","Deny Access",""
"21:46","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\d3lq32.exe","Deny Access",""
"21:55","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"22:11","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\mfcgs32.exe","Deny Access",""
"22:14","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\addlc32.exe","Deny Access",""
"22:14","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\cryw.exe","Deny Access",""
"22:14","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\msup.exe","Deny Access",""
"22:20","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javavu.exe","Deny Access",""
"23:09","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"23:14","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\sysfe.dll","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netqa.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\apiih.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netnf.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\winmf.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\d3lq32.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\atlge.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\d3rs.exe","Deny Access",""
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\mfcgs32.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\addlc32.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\ipob32.dll","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\cryw.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\msup.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\crks.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netqa.exe","Deny Access",""
"23:18","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\apiih.exe","Deny Access",""
"23:18","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\netnf.exe","Deny Access",""
"23:19","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\winmf.exe","Deny Access",""
"23:20","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\d3lq32.exe","Deny Access",""
"23:20","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\atlge.exe","Deny Access",""
"23:21","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\vkxwvc.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\opvvxx.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javace.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\lotvoi.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\iquetf.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\ekqxcc.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\sianib.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\syhodm.dat","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\netoy32.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ipcw32.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\appkh.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\atllq.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javavu.exe","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\Documents and Settings\Watkins\Desktop\backups\backup-20040728-204226-246.dll","Deny Access",""
"23:22","Real-time Scan","File","SPYW_TWANT.C","C:\Documents and Settings\Watkins\Desktop\backups\backup-20040729-052929-447.dll","Deny Access",""
"23:23","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\d3rs.exe","Deny Access",""
"23:24","Real-time Scan","File","ADW_ISTBAR.II","C:\Program Files\ISTsvc\istsvc.exe","Deny Access",""
"23:27","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\mfcgs32.exe","Deny Access",""
"23:29","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\addlc32.exe","Deny Access",""
"23:29","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"23:32","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\cryw.exe","Deny Access",""
"23:32","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\msup.exe","Deny Access",""
"23:32","Real-time Scan","File","SPYW_TWANT.B","C:\windows\system32\crks.exe","Deny Access",""
"23:38","Real-time Scan","File","ADW_ISTBAR.II","C:\PROGRAM FILES\ISTsvc\istsvc.exe","Deny Access",""
"23:39","Real-time Scan","File","SPYW_TWANT.B","C:\windows\javace.exe","Deny Access",""
"23:39","Real-time Scan","File","SPYW_TWANT.B","C:\windows\netoy32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\ipcw32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\appkh.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\atllq.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\windows\javavu.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javace.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\netoy32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\ipcw32.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\appkh.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\atllq.exe","Deny Access",""
"23:40","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\javavu.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\netqa.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\apiih.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\netnf.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\winmf.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\d3lq32.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\atlge.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\d3rs.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\mfcgs32.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\addlc32.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\cryw.exe","Deny Access",""
"23:42","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\msup.exe","Deny Access",""
"23:43","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\crks.exe","Deny Access",""


----------



## daisy flower (Jul 25, 2004)

I did run aboutbuster after posting the last post.


----------



## Byteman (Jan 24, 2002)

DaisyFlower: It looks like a couple of items (trojans) were put into quarantine; that is OK for now, they are locked up...

flrman1 may have you delete those in quarantine later on.
I am not that familiar with Panda logs, but it also appears that it could not deal with the SPYW_ entries; that is expected> the special programs we use for ad-junk will handle them, coupled with "manual" fixes. Depending on when you made this scan, the files may or may not actually be present.
You do need to check that files your system needs are present RE:



flrman1 said:


> To Daisy:
> 
> This hijacker is known to alter or delete certain files so check this out please:
> 
> ...


You should tell us if you had to replace any of those files AND that you have checked ActiveX settings> you may find that they are changed!
You did have a successful run of AboutBuster after your post, if I read that right....? When you have some time later I am sure flrman1 will be asking for those or NEWER logs along with a new HJT logfile. He may have some steps that differ from the usual way so wait for his directions.


----------



## Flrman1 (Jul 26, 2002)

Let's see another Hijack This log please.


----------



## daisy flower (Jul 25, 2004)

ran Holster
do not have Spybot
copied and pasted shell.dll
control.exe is present
ActiveX settings set to recommendations

About buster Scan from last night

-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\bsahe.dat
Removed! : C:\WINDOWS\erruo.dat
Removed! : C:\WINDOWS\javace.exe
Removed! : C:\WINDOWS\pxwxi.dat
Removed! : C:\WINDOWS\netoy32.exe
Removed! : C:\WINDOWS\ntqq32.exe
Removed! : C:\WINDOWS\ipcw32.exe
Removed! : C:\WINDOWS\wmbrn.dat
Removed! : C:\WINDOWS\qibrs.dat
Removed! : C:\WINDOWS\qibrs.dll
Removed! : C:\WINDOWS\escuk.dat
Removed! : C:\WINDOWS\fvuqx.dat
Removed! : C:\WINDOWS\appkh.exe
Removed! : C:\WINDOWS\sysem.exe
Removed! : C:\WINDOWS\ipyv32.exe
Removed! : C:\WINDOWS\atllq.exe
Removed! : C:\WINDOWS\addfq.exe
Removed! : C:\WINDOWS\syspz32.exe
Removed! : C:\WINDOWS\javavu.exe
Removed! : C:\WINDOWS\System32\zfumw.dat
Removed! : C:\WINDOWS\System32\deczg.dll
Removed! : C:\WINDOWS\System32\msbk32.exe
Removed! : C:\WINDOWS\System32\viiva.dat
Removed! : C:\WINDOWS\System32\xegly.dat
Removed! : C:\WINDOWS\System32\qhzik.dll
Removed! : C:\WINDOWS\System32\ekhov.dat
Removed! : C:\WINDOWS\System32\hgffs.dll
Removed! : C:\WINDOWS\System32\netqa.exe
Removed! : C:\WINDOWS\System32\addvc32.exe
Removed! : C:\WINDOWS\System32\apiih.exe
Removed! : C:\WINDOWS\System32\netnf.exe
Removed! : C:\WINDOWS\System32\winmf.exe
Removed! : C:\WINDOWS\System32\d3lq32.exe
Removed! : C:\WINDOWS\System32\atlge.exe
Removed! : C:\WINDOWS\System32\d3rs.exe
Removed! : C:\WINDOWS\System32\sysyf32.exe
Removed! : C:\WINDOWS\System32\mfcgs32.exe
Removed! : C:\WINDOWS\System32\addlc32.exe
Removed! : C:\WINDOWS\System32\cryw.exe
Removed! : C:\WINDOWS\System32\msup.exe
Removed! : C:\WINDOWS\System32\syslz.exe
Removed! : C:\WINDOWS\System32\crks.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 --------
About:Buster Version 2.0
Attempted Clean Of Temp folder.
Pages Reset... Done!

Logfile of HijackThis v1.98.0
Scan saved at 6:32:40 PM, on 7/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


----------



## Flrman1 (Jul 26, 2002)

Clean! :up:

*IMPORTANT!:* I highly recommend that you go to Windows Update and install all "Critical Updates and Service Packs" *ASAP!*. This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates *IMMEDIATELY!*


----------



## daisy flower (Jul 25, 2004)

all critical updates and services packs installed


----------



## Flrman1 (Jul 26, 2002)

Is everything OK now?


----------



## daisy flower (Jul 25, 2004)

Other than getting warnings about spyware (is what I have OK for it, or do I need more?), everything else is wonderful.


----------



## Byteman (Jan 24, 2002)

And, just to throw in this> good work! You need to keep your antivirus program well updated; you can do this automatically with most programs that update detections with their built-in Update feature. You may be able to set predetermined times to have it search for updates automatically and download them. The time must coincide with a time you have the computer on, or there may be the option for it to try every so often if you are not able to be online right then... it can run at startup (that bugs most people, but it is an option with broadband since it runs fairly quickly) or a setting for how long after you start up; there can be many options in the full-featured programs.
You can also disable automatic updating for most antivirus programs, and then YOU have to remember to get them done. Updating almost every day is becoming a necessity with a lot of AVs.
I would get AdAware and SpyBot programs to have in case someone else uses the computer.
And, from info in your previous posts, maybe check the security settings for Outlook Express so your emails do not try to automatically display in the Preview Pane> here is what I mean.
http://www.webterrace.com/outlook/security.htm

The settings are adjustable, and you may find them changed if there are other users who like things "their" way! So, you will be more aware of what to check for, etc. Feel free to ask if there are any questions...


----------



## Flrman1 (Jul 26, 2002)

daisy flower said:


> other than getting warning about spyware


What do you mean? What kind of warning? Is this a popup?


----------



## daisy flower (Jul 25, 2004)

I just mean that Trend Micro is constantly alerting me of spam, and I assume is blocking it.

Log List
"Time","Scan Type","Source Type","Virus Name","Infected Source","First Action","Second Action"
"00:58","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"01:17","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"08:10","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"08:18","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:18","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:19","Real-time Scan","File","ADW_ISTBAR.II","C:\Program Files\ISTsvc\istsvc.exe","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:19","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"08:20","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"08:27","Real-time Scan","File","ADW_ISTBAR.II","C:\program files\istsvc\istsvc.exe","Deny Access",""
"08:29","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"08:32","Real-time Scan","File","ADW_ISTBAR.II","C:\program files\istsvc\istsvc.exe","Deny Access",""
"08:32","Real-time Scan","File","ADW_ISTBAR.II","C:\program files\istsvc\istsvc.exe","Deny Access",""
"10:02","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"10:03","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:04","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:04","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:05","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:05","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:05","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:05","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:05","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:05","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\sysfe.dll","Deny Access",""
"10:06","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\System32\ipob32.dll","Deny Access",""
"10:21","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"12:37","Real-time Scan","File","TROJ_DLOADER.F","C:\DOCUME~1\Watkins\LOCALS~1\Temp\rs.exe","Quarantine Successful",""
"13:24","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"13:43","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""


----------



## Flrman1 (Jul 26, 2002)

Those look like files from the hijack that we just removed. Let's see another Hijack This log.
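Flrman1's reply is a matching exercise: the alerted paths against the files About:Buster reported removed. Here is that cross-reference as an added example (not code from the thread), run over a constructed subset of the two logs posted above; it folds path case, since the logs spell system32 both ways, and sorts each alerted path into already removed, quarantined by Trend Micro, or still open.

```python
"""Cross-reference Trend Micro real-time scan alerts with the paths that
About:Buster reported as "Removed!", so each alert can be triaged as
already handled, quarantined, or still open.

Added example, not from the thread. The sample log text below is a
constructed subset copied from the logs posted in the thread; nothing is
read from disk.
"""
import csv
import io
from collections import Counter

# Constructed subset of the Trend Micro "Log List" pasted in the thread.
# Raw string: the backslashes in Windows paths must stay literal.
TREND_LOG = r'''"Time","Scan Type","Source Type","Virus Name","Infected Source","First Action","Second Action"
"23:15","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\system32\netqa.exe","Deny Access",""
"23:16","Real-time Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\ipob32.dll","Deny Access",""
"23:24","Real-time Scan","File","ADW_ISTBAR.II","C:\Program Files\ISTsvc\istsvc.exe","Deny Access",""
"23:41","Real-time Scan","File","SPYW_TWANT.B","C:\WINDOWS\System32\netqa.exe","Deny Access",""
"08:10","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"10:02","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"12:37","Real-time Scan","File","TROJ_DLOADER.F","C:\DOCUME~1\Watkins\LOCALS~1\Temp\rs.exe","Quarantine Successful",""
'''

# Constructed subset of the About:Buster "Scan 1" output from the thread.
ABOUTBUSTER_LOG = r'''-- Scan 1 --------
About:Buster Version 2.0
Removed! : C:\WINDOWS\javace.exe
Removed! : C:\WINDOWS\System32\netqa.exe
Removed! : C:\WINDOWS\System32\apiih.exe
Attempted Clean Of Temp folder.
Pages Reset... Done!
'''


def normalize_path(path: str) -> str:
    """Fold case so the same file logged under 'system32' and 'System32'
    compares equal (Windows paths are case-insensitive). 8.3 short names
    such as DOCUME~1 are left as written: they cannot be expanded offline."""
    return path.strip().replace("/", "\\").lower()


def parse_trend_log(text: str) -> list:
    """Parse the quoted-CSV Trend Micro log; the first row names the fields."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_aboutbuster_removed(text: str) -> set:
    """Collect the normalized paths About:Buster reported as 'Removed!'."""
    removed = set()
    for line in text.splitlines():
        if line.startswith("Removed! :"):
            removed.add(normalize_path(line.split(":", 1)[1]))
    return removed


def cross_reference(trend_text: str, aboutbuster_text: str):
    """Split alerted paths into three buckets keyed by normalized path:
    accounted   - About:Buster removed the file (alerts predate the cleanup)
    quarantined - Trend Micro itself quarantined it
    open_items  - only 'Deny Access', no removal recorded: needs follow-up
    Each value is {'name': detection, 'action': last action, 'alerts': n}."""
    removed = parse_aboutbuster_removed(aboutbuster_text)
    counts, last = Counter(), {}
    for row in parse_trend_log(trend_text):
        path = normalize_path(row["Infected Source"])
        counts[path] += 1
        last[path] = (row["Virus Name"], row["First Action"])
    accounted, quarantined, open_items = {}, {}, {}
    for path, n in counts.items():
        name, action = last[path]
        entry = {"name": name, "action": action, "alerts": n}
        if path in removed:
            accounted[path] = entry
        elif action.startswith("Quarantine"):
            quarantined[path] = entry
        else:
            open_items[path] = entry
    return accounted, quarantined, open_items


if __name__ == "__main__":
    for label, bucket in zip(("accounted", "quarantined", "open"),
                             cross_reference(TREND_LOG, ABOUTBUSTER_LOG)):
        print(f"== {label} ==")
        for path, e in sorted(bucket.items()):
            print(f"  {e['alerts']:2d}x {e['name']:<16} {e['action']:<22} {path}")
```

On the subset above, netqa.exe lands in the removed bucket while sysfe.dll, ipob32.dll and istsvc.exe remain open, which is the kind of list a full safe-mode scan is then asked to clear.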


----------



## daisy flower (Jul 25, 2004)

Logfile of HijackThis v1.98.0
Scan saved at 9:25:05 PM, on 7/31/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Watkins\Desktop\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Tech-In-A-Box] C:\techbox\techbox.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\DOWNLO~1\STUMBL~1.DLL/blogimage
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


----------



## Flrman1 (Jul 26, 2002)

The log still looks clean. You said before that you had installed all the critical updates and service packs, but according to your log you have not. The header of your log still says this:

Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

With all the updates installed it would look like this:

Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


As far as those alerts go I'd like for you to update your virus definitions then boot to safe mode and do a full system scan.
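Checking the header the way Flrman1 describes, as an added example that is not code from the thread: it parses the Platform and MSIE lines of an HJT log, compares them with the fully updated values quoted above (XP SP1, IE 6.00.2800.1106), and also flags a later log that reports less than an earlier one, which is what happened here. Both sample headers are constructed copies of lines posted in this thread.

```python
"""Read the header of a HijackThis log and check whether it shows the
patch state the thread expects: Windows XP SP1 and IE 6.00.2800.1106.

Added example, not part of the thread. The expected values and both sample
headers are copied from the lines quoted in the thread.
"""
import re

# What Flrman1 says a fully updated header looks like (values from the thread).
EXPECTED_XP_SP = "SP1"
EXPECTED_IE_BUILD = "6.00.2800.1106"

PLATFORM_RE = re.compile(
    r"^Platform: (?P<os>.+?)(?: (?P<sp>SP\d+))? \(WinNT (?P<ver>[\d.]+)\)$")
MSIE_RE = re.compile(
    r"^MSIE: Internet Explorer v(?P<ver>[\d.]+)(?: (?P<sp>SP\d+))? \((?P<build>[\d.]+)\)$")

# Header of the HJT 1.98.0 log posted on 7/30/2004 (constructed copy).
HEADER_POSTED = """Logfile of HijackThis v1.98.0
Scan saved at 6:32:40 PM, on 7/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
"""

# The fully updated header as quoted in the thread (constructed copy).
HEADER_UPDATED = """Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
"""


def build_tuple(build: str) -> tuple:
    """'6.00.2800.1106' -> (6, 0, 2800, 1106) so builds compare numerically."""
    return tuple(int(part) for part in build.split("."))


def parse_hjt_header(text: str) -> dict:
    """Pull OS, service pack and IE build from the Platform/MSIE header lines."""
    info = {"os": None, "platform_sp": None, "winnt": None,
            "ie_version": None, "ie_sp": None, "ie_build": None}
    for line in text.splitlines():
        line = line.strip()
        m = PLATFORM_RE.match(line)
        if m:
            info.update(os=m["os"], platform_sp=m["sp"], winnt=m["ver"])
            continue
        m = MSIE_RE.match(line)
        if m:
            info.update(ie_version=m["ver"], ie_sp=m["sp"], ie_build=m["build"])
    if info["os"] is None or info["ie_build"] is None:
        raise ValueError("Platform/MSIE lines not found: not a HijackThis log header")
    return info


def check_patch_level(info: dict) -> list:
    """Findings against the expected state; an empty list means it matches."""
    findings = []
    if info["platform_sp"] != EXPECTED_XP_SP:
        findings.append(f"Windows reports {info['platform_sp'] or 'no service pack'}, "
                        f"expected {EXPECTED_XP_SP}")
    if build_tuple(info["ie_build"]) < build_tuple(EXPECTED_IE_BUILD):
        findings.append(f"IE build {info['ie_build']} is older than {EXPECTED_IE_BUILD}")
    return findings


def compare_headers(earlier: dict, later: dict) -> list:
    """Flag a later log that reports less than an earlier one, which is what
    happened in this thread between the first-page log and the 1.98.0 log."""
    regressions = []
    if earlier["platform_sp"] and not later["platform_sp"]:
        regressions.append(f"service pack regressed: {earlier['platform_sp']} -> none")
    if build_tuple(later["ie_build"]) < build_tuple(earlier["ie_build"]):
        regressions.append(f"IE build regressed: {earlier['ie_build']} -> {later['ie_build']}")
    return regressions


if __name__ == "__main__":
    posted = parse_hjt_header(HEADER_POSTED)
    updated = parse_hjt_header(HEADER_UPDATED)
    print("posted log:", check_patch_level(posted) or ["matches expected state"])
    print("regressions vs. updated header:", compare_headers(updated, posted))
```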


----------



## Byteman (Jan 24, 2002)

Really strange.....they "had" the SP1 etc: It looks to me that when they got HJT 1.98, things changed...?

The header from the 1st page logfile shows this:



daisy flower said:


> I have encountered a problem that I have done some research on and believe I have become hijacked with failed attempts to correct it myself. But see that is seems to be a common issue. My home page is http://forums.techguy.org/archive/index.php/t-249504.html" and will return to that even after changing internet options. When it opens it has which when it opens, has "Home Search" in the upper left by a Windows logo/flag and tons of search links. It also opens with a small pop-up window that briefly says "search-all-fast.com" with a form of advertisement or spyware link. Home Search Assistent fails to delete in add/remove programs, with error "looking-for.cc/unistall/HomeSearchAssistant.html"
> 
> My hijack log is
> 
> ...


----------



## daisy flower (Jul 25, 2004)

Here is the log from previous updates. Going to do a full scan now..

Updated again just this morning....Error_ Windows XP SP1 is incompatible with this version of Windows


Windows XP Service Pack 1 (Express) Successful Sunday, August 01, 2004 Windows Update website 

Windows XP Service Pack 1 (Express) Successful Saturday, July 31, 2004 Windows Update website 
Cumulative Security Update for Internet Explorer 6 (KB867801) Successful Friday, July 30, 2004 Automatic Updates 
Windows XP Service Pack 1 (Express) Successful Friday, July 30, 2004 Windows Update website 
Windows XP Service Pack 1 (Express) Successful Friday, July 30, 2004 Windows Update website 
Security Update for Windows XP (KB839643) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB837001) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB839645) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB840315) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB841873) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB828741) Successful Thursday, July 29, 2004 Windows Update website 
Critical Update for ADODB.stream (KB870669) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (329834) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB835732) Successful Thursday, July 29, 2004 Windows Update website 
816093: Security Update Microsoft Virtual Machine (Microsoft VM) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB840374) Successful Thursday, July 29, 2004 Windows Update website 
Critical Update for Windows Media Player Script Commands (KB828026) Successful Thursday, July 29, 2004 Windows Update website 
Cumulative Security Update for Outlook Express 6 (KB837009) Successful Thursday, July 29, 2004 Windows Update website 
Cumulative Security Update for Internet Explorer 6 (KB832894) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Data Access Components (KB832483) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Windows XP (KB828035) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Windows XP (KB825119) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Windows XP (KB328940) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Windows (KB824105) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Windows (KB823182) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Microsoft Windows (KB824141) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (KB821557) Successful Thursday, July 29, 2004 Windows Update website 
823559: Security Update for Microsoft Windows Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (819696) Successful Thursday, July 29, 2004 Windows Update website 
817606: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Security Update for Windows XP (815021) Successful Thursday, July 29, 2004 Windows Update website 
Q329441: Critical Update Successful Thursday, July 29, 2004 Windows Update website 
814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
811493: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
810577: Security Update Successful Thursday, July 29, 2004 Windows Update website 
811630: Critical Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
329170: Security Update Successful Thursday, July 29, 2004 Windows Update website 
Q329115: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q329390: Security Update Successful Thursday, July 29, 2004 Windows Update website 
Security Update, February 13, 2002 (MSXML 3.0) Successful Thursday, July 29, 2004 Windows Update website 
Security Update, February 13, 2002 (MSXML 2.6) Successful Thursday, July 29, 2004 Windows Update website 
Q324096: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q326830: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q323172: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q313450: Security Update Successful Thursday, July 29, 2004 Windows Update website 
Q323255: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q324380: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q320920: Security Update (Windows Media Player for Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Q329048: Security Update Successful Thursday, July 29, 2004 Windows Update website 
Q318138: Security Update (Windows XP) Successful Thursday, July 29, 2004 Windows Update website 
Windows XP Application Compatibility Update, April 2002 Successful Thursday, July 29, 2004 Windows Update website 
Q311967: Security Update Successful Thursday, July 29, 2004 Windows Update website 
System Recovered Error Message Update Successful Thursday, July 29, 2004 Windows Update website 
Critical Update, February 10, 2002 Successful Thursday, July 29, 2004 Windows Update website 
Security Update, February 14, 2002 (Internet Explorer 6) Successful Thursday, July 29, 2004 Windows Update website 
Critical Update, February 9, 2002 Successful Thursday, July 29, 2004 Windows Update website 
Security Update, December 17, 2001 Successful Thursday, July 29, 2004 Windows Update website 
Remote Assistance Connection Successful Thursday, July 29, 2004 Windows Update website 
Windows XP Update Package, October 25, 2001 Successful Thursday, July 29, 2004 Windows Update website 
Critical Update, November 19, 2001 Successful Thursday, July 29, 2004 Windows Update website 
Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773) 
Realtek Semiconductor Corp. network software update released on April 13 2004. Successful Saturday, July 24, 2004 Windows Update website 
NVIDIA display software update released on October 06 2003. Successful Saturday, July 24, 2004 Windows Update website 
Advanced Micro Devices processor software update released on December 17 2002. Successful Saturday, July 24, 2004 Windows Update website 
Microsoft .NET Framework version 1.1 Successful Saturday, July 24, 2004 Windows Update website 
Windows Media 9 Series Codec Install Package Successful Saturday, July 24, 2004 Windows Update website 
Windows MovieMaker 2 Successful Saturday, July 24, 2004 Windows Update website 
Update for Windows XP Service Pack 1 (KB810243) Successful Saturday, July 24, 2004 Windows Update website 
327979: Recommended Update Successful Saturday, July 24, 2004 Windows Update website 
Q327405: Recommended Update (Windows XP Home Edition) Successful Saturday, July 24, 2004 Windows Update website 
Microsoft Windows Journal Viewer (Windows XP) Successful Saturday, July 24, 2004 Windows Update website 
Q322011: Recommended Update Successful Saturday, July 24, 2004 Windows Update website 
814995: Recommended Update Successful Saturday, July 24, 2004 Windows Update website 
Recommended Update for Windows XP SP1 (817778) Successful Saturday, July 24, 2004 Windows Update website 
820291: Recommended Update (Windows XP) Successful Saturday, July 24, 2004 Windows Update website 
Windows Error Reporting: Recommended Update (Windows XP) Successful Saturday, July 24, 2004 Windows Update website 
Recommended Update for Windows XP SP1 (KB822603) Successful Saturday, July 24, 2004 Windows Update website 
Update for Microsoft Windows XP (KB826942) Successful Saturday, July 24, 2004 Windows Update website 
Update for Windows XP HighMAT Support in CD Writing Wizard (KB831240) Successful Saturday, July 24, 2004 Windows Update website 
Update for Windows XP Shop for Music Online Link (KB833998) Successful Saturday, July 24, 2004 Windows Update website 
814078: Security Update (Microsoft Jscript version 5.6, Windows 2000, Windows XP) Successful Saturday, July 24, 2004 Windows Update website 
816093: Security Update Microsoft Virtual Machine (Microsoft VM) Successful Saturday, July 24, 2004 Windows Update website 
817787: Security Update Windows Media Player for XP Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (819696) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Microsoft Windows (KB824141) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Microsoft Windows (KB823182) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Microsoft Windows (KB824105) Successful Saturday, July 24, 2004 Windows Update website 
Update Rollup 1 for Microsoft Windows XP (KB826939) Successful Saturday, July 24, 2004 Windows Update website 
Critical Update for Windows Media Player Script Commands (KB828026) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Microsoft Windows XP (KB825119) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Microsoft Windows XP (KB828035) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Microsoft Data Access Components (KB832483) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB835732) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB828741) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB837001) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB839645) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB840374) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB839643) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB841873) Successful Saturday, July 24, 2004 Windows Update website 
Update for Background Intelligent Transfer Service (BITS) 2.0 and WinHTTP 5.1 (KB842773) Successful Saturday, July 24, 2004 Windows Update website 
Security Update for Windows XP (KB840315) Successful Saturday, July 24, 2004 Windows Update website 
Cumulative Security Update for Internet Explorer 6 Service Pack 1 (KB832894) Successful Saturday, July 24, 2004 Windows Update website 
Critical Update for ADODB.stream (KB870669) Successful Saturday, July 24, 2004 Windows Update website 
Cumulative Security Update for Outlook Express 6 SP1 (KB823353) Successful Saturday, July 24, 2004 Windows Update website 
Windows XP Service Pack 1 (Express) Successful Saturday, July 24, 2004 Windows Update website


----------



## Byteman (Jan 24, 2002)

daisyflower, see if you have the setting shown below set to "Automatic"



mobo said:


> Go to Start / Run / services.msc
> Once there, scroll down to Cryptographic Services, then double-click it. Make sure it is set to Automatic, then >> START it.


And look at this:
http://support.microsoft.com/default.aspx?scid=kb;en-us;318892&Product=wupd

Check for that setting and change "Discuss" as it tells you.

Since that would be a very rare thing to have set, I think this one is probably what would fix your problem.

However, it involves manually editing the Registry!
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q319109
If you want to wait and see what flrman1 advises please do.

Note that the Microsoft article above has you go to Windows Updates again, scan for any updates, and re-download all that show...
THEN it has directions for what you are to do: restart, go back to Windows Updates and try again. This is to check whether this is a loop kind of thing, to confirm that the site still lists the updates again and again.
I would NOT do any Registry changes unless you confirm that updates are listed when you go back to Windows Updates just after downloading and installing them, and they are showing again as if you had never installed them. For IE 6 SP1, you download it alone; then you can get other updates, but there are some that must be downloaded singly, such as DirectX and Media Player. Try just the Critical Items and Service Packs. I think XP SP1 would be a single update as well.


----------



## daisy flower (Jul 25, 2004)

Run/services.msc already set to automatic start, but clicked restart again.

Cannot find option to disable "Discuss" under View... nor am I finding BrowserAid.

I will wait for further directions.


Panda: no virus

Trend Micro
Log List
"Time","Scan Type","Source Type","Virus Name","Infected Source","First Action","Second Action"
"03:40","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"03:59","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"09:18","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"09:37","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"10:19","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"10:22","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\sysfe.dll","Pass",""
"10:23","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\ipob32.dll","Pass",""
"10:24","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\vkxwvc.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\opvvxx.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\lotvoi.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\iquetf.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\ekqxcc.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\sianib.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\syhodm.dat","Pass",""
"10:30","Manual Scan","File","ADW_ISTBAR.II","C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP6\A0000279.exe","Pass",""
"10:31","Manual Scan","File","SPYW_TWANT.C","C:\Recycled\Dc138\backup-20040728-204226-246.dll","Pass",""
"10:31","Manual Scan","File","SPYW_TWANT.C","C:\Recycled\Dc138\backup-20040729-052929-447.dll","Pass",""

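The Trend Micro log above is plain quoted CSV, so it can be triaged mechanically rather than read row by row. The script below is an added example, not code from the thread or from Trend Micro: it parses rows in that seven-column format, groups hits by file, and separates the files the real-time scanner had to block from loading (something on the box is still trying to run them) from the hits in the restore point and the Recycle Bin (inert copies). The sample rows are constructed from the ones posted above; the meanings given to "Deny Access" and "Pass", and the set of actions treated as an actual removal, are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample, modelled on the Trend Micro log lines posted in the thread
# (same seven quoted columns). Assumption: the real log has exactly this header
# and one row per detection.
SAMPLE_LOG = r'''"Time","Scan Type","Source Type","Virus Name","Infected Source","First Action","Second Action"
"03:40","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\sysfe.dll","Deny Access",""
"03:59","Real-time Scan","File","SPYW_TWANT.C","C:\windows\system32\ipob32.dll","Deny Access",""
"10:22","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\sysfe.dll","Pass",""
"10:23","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\system32\ipob32.dll","Pass",""
"10:24","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\vkxwvc.dat","Pass",""
"10:26","Manual Scan","File","SPYW_TWANT.C","C:\WINDOWS\opvvxx.dat","Pass",""
"10:30","Manual Scan","File","ADW_ISTBAR.II","C:\System Volume Information\_restore{6995F97A-0C11-46E7-AD16-F4EBACBCE82E}\RP6\A0000279.exe","Pass",""
"10:31","Manual Scan","File","SPYW_TWANT.C","C:\Recycled\Dc138\backup-20040728-204226-246.dll","Pass",""
'''

# Assumption: only these first-action values mean the scanner actually got rid
# of the file. "Deny Access" (real-time) means a load attempt was blocked and
# "Pass" (manual scan) means the file was seen and left alone; in both cases the
# file is still on disk.
REMOVED_ACTIONS = {"Delete", "Quarantine", "Clean"}

# Where a hit lives says a lot about what to do with it. Order matters: restore
# point and Recycle Bin are matched before the generic Windows-directory rules.
LOCATION_RULES = [
    ("restore_point", re.compile(r"^c:\\system volume information\\", re.I)),
    ("recycle_bin",   re.compile(r"^c:\\recycled\\", re.I)),
    ("random_dat",    re.compile(r"^c:\\windows\\[a-z]{6}\.dat$", re.I)),
    ("system32_dll",  re.compile(r"^c:\\windows\\system32\\[a-z0-9]+\.dll$", re.I)),
]


def classify(path):
    """Label a path by the kind of location the hit was found in."""
    for label, rx in LOCATION_RULES:
        if rx.search(path):
            return label
    return "other"


def parse_log(text):
    """Read the quoted-CSV log into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(text):
    """Group detections by file (case-insensitive path) and summarise each one."""
    files = defaultdict(lambda: {"names": set(), "actions": set()})
    for row in parse_log(text):
        entry = files[row["Infected Source"].lower()]
        entry["names"].add(row["Virus Name"])
        entry["actions"].add(row["First Action"])
    report = {}
    for path, entry in files.items():
        report[path] = {
            "names": sorted(entry["names"]),
            "location": classify(path),
            "blocked_on_load": "Deny Access" in entry["actions"],
            "still_on_disk": not (entry["actions"] & REMOVED_ACTIONS),
        }
    return report


def loaded_at_boot(text):
    """Files the real-time scanner had to block: something is still trying to load them."""
    return sorted(p for p, r in triage(text).items() if r["blocked_on_load"])


def needs_manual_removal(text):
    """Live files the scanner left in place, ignoring restore-point and Recycle Bin copies."""
    return sorted(p for p, r in triage(text).items()
                  if r["still_on_disk"] and r["location"] not in ("restore_point", "recycle_bin"))


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items()):
        flags = ("LOADING " if info["blocked_on_load"] else "") + ("ON DISK" if info["still_on_disk"] else "removed")
        print(f"{info['location']:14} {', '.join(info['names']):14} {flags:16} {path}")
    print("\nStill being loaded:", *loaded_at_boot(SAMPLE_LOG), sep="\n  ")
    print("\nNeeds manual removal:", *needs_manual_removal(SAMPLE_LOG), sep="\n  ")
```

The point of the split is that a "Pass" on a manual scan is not a clean: the scanner found the file and did nothing, and the real-time "Deny Access" entries at 03:40 and 09:18 show the same two system32 DLLs being loaded on a schedule, which is why the home page keeps coming back. The restore-point and Recycle Bin hits are copies that only matter once the live files are gone (and System Restore is then purged).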

----------

