# Unable to Open Internet Explorer



## Pocky (Oct 13, 2004)

hi,
for some reason, everytime i try to open an internet explorer window, it immediately closes. because of this, whenever i click on a link that opens a new window, i am unable to view that link. i have had and attempted to remove many viruses and spyware on my computer, and i'm afraid that i may have deleted something vital to my system. what should i do? i don't even know where to begin >.< 

please help!

thank you very much,
---desperate, pathetic, and confused


----------



## FinestRanger (Oct 13, 2003)

So, are you saying you can open IE, but you can't open links from within it?

Please go to the link below and download _HiJackThis_ by Merijn Bellekom:

Save it to a permanent folder.

****NOTE****Do not FIX anything without a log analyzer's guidance. MOST of what's listed is necessary for your computer to operate normally. 

http://www.majorgeeks.com/download3155.html

Alternate download links:

http://www.spychecker.com/program/hijackthis.html

HiJackThis download link

*Download and unzip to a permanent folder of your own creation.*

Open HiJackThis. Click "_Scan_". Then, in the lower left corner, click "_Save Log_".

Save it to your permanent HiJackThis folder (or floppy disk if necessary).

The log will open in Notepad. Click "_Edit_" then "_Select All_".

Copy and paste the log back to this thread.

After that's done, open HiJackThis. Click "Config" and put a checkmark in the "Make backups before fixing items" box.


----------



## Pocky (Oct 13, 2004)

no, i can't open internet explorer at all. in order to have a web browser, i'd have to open windows explorer - my computer, my network places, etc. - instead. and when i _do_ open windows explorer to surf the net and click on a link that's supposed to open a new window, i wouldn't be able to see the new window because it, being automatically run on internet explorer, would just close just as soon as it'd open. >.<


----------



## FinestRanger (Oct 13, 2003)

Can you download HiJackThis and post a log? It's a very small program.


----------



## Pocky (Oct 13, 2004)

Logfile of HijackThis v1.98.2
Scan saved at 3:39:58 PM, on 10/21/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Browser Mouse\2.03\mouse32a.exe
C:\KMaestro\KMaestro.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Windows SyncroAd\SyncroAd.exe
C:\WINDOWS\System32\nziwrhs.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\Msbb.exe
C:\Program Files\Windows SyncroAd\WinSync.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Ares Lite Edition\AresLite.exe
C:\KMaestro\WTS_KEY.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\BitTorrent\btdownloadgui.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\PROGRA~1\INTERN~1\iexplore.exe
C:\WINDOWS\explorer.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll
O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\System32\COMET.DLL
O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: ohb Class - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll
O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll
O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [FLMMEMOREX203] C:\Program Files\Browser Mouse\2.03\mouse32a.exe
O4 - HKLM\..\Run: [KeyMaestro] C:\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msupdates] msupdt.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Win32 exe file] winstr32.exe
O4 - HKLM\..\Run: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\Run: [Microsoft Macro Protection Subsystems] msmacroprotxz.exe
O4 - HKLM\..\Run: [zervpack2] update2.exe
O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe
O4 - HKLM\..\Run: [REEGRUN] C:\index.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [gghvxp] C:\WINDOWS\System32\nziwrhs.exe
O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKLM\..\Run: [vahup] C:\WINDOWS\vahup.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Msbb.exe] Msbb.exe
O4 - HKLM\..\RunServices: [msupdates] msupdt.exe
O4 - HKLM\..\RunServices: [Win32 exe file] winstr32.exe
O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe
O4 - HKLM\..\RunServices: [Msbb.exe] Msbb.exe
O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprotxz.exe
O4 - HKLM\..\RunServices: [zervpack2] update2.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - HKCU\..\Run: [RealJukeboxSystray] "c:\Program Files\Real\RealJukebox\tsystray.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Win32 exe file] winstr32.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h
O4 - HKCU\..\Run: [Msbb.exe] Msbb.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.net/DM0/cab/1w2fcksh.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...b0a1e2aa4d99:18d9855a145f802cd2a921ef7de749b0
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096773460341
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - AppInit_DLLs: mad.dll


----------



## FinestRanger (Oct 13, 2003)

OK, Pocky. I'm working on it now.


----------



## FinestRanger (Oct 13, 2003)

Enter the control panel. 
Double-click on the Add/Remove Programs link. 
Look for and uninstall the following entries if found:

WebSearch Toolbar
WebSearch Tools
Search Assistant
Win-Tools Easy Installer

Do not reboot until they have all been removed even if prompted.

When you are uninstalling the last program you can then reboot when prompted.

_________________________________________________________________

Uninstall TV Media.

Restart your computer.

_________________________________________________________________

Uninstall:

Bargain Buddies

Windows SyncroAd or WindUpdates

Internet Optimizer

Restart your computer.

_________________________________________________________________

Before we start, let's disable your System Restore. After the infection's been cleaned re-enable system restore.

Disabling System Restore in Windows XP Disable System Restore in Windows ME

*IF, for some reason, you lose the ability to use IE or lose your internet connection...open HJT-->"Config"-->"Backups"-->"Restore".*

Open _HiJackThis_. Click "Scan". Put a checkmark next to these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.begin2search.com/googlesidesearch.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.begin2search.com/googlesidesearch.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - C:\Program Files\TV Media\TvmBho.dll

O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com
O1 - Hosts: 216.130.185.143 websearch.com
O1 - Hosts: 216.130.185.143 www.adwave.com
O1 - Hosts: 216.130.185.143 adwave.com
O1 - Hosts: 216.130.185.143 www.xzoomy.com
O1 - Hosts: 216.130.185.143 xzoomy.com
O1 - Hosts: 216.130.185.143 www.advnt01.com
O1 - Hosts: 216.130.185.143 advnt01.com

O2 - BHO: MxTargetObj Class - {0000607D-D204-42C7-8E46-216055BF9918} - C:\WINDOWS\mxTarget.dll

O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll

O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

O2 - BHO: CometCursor Class - {1678F7E1-C422-11D0-AD7D-00400515CAAA} - C:\WINDOWS\System32\COMET.DLL

O2 - BHO: Var1Helper Class - {1C4DA27D-4D52-4465-A089-98E01BB725CA} - C:\WINDOWS\System32\inetdctr.dll

O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll

O2 - BHO: ohb Class - {4D568F0F-8AC9-40AB-88B7-415134C78777} - C:\WINDOWS\System32\winb2s32.dll

O2 - BHO: (no name) - {83DE62E0-5805-11D8-9B25-00E04C60FAF2} - C:\WINDOWS\2_0_1browserhelper2.dll

O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem302.dll

O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll

O3 - Toolbar: Begin2Search.com Bar - {52FE5233-367C-4EFB-BDD7-0BE4D212C107} - C:\WINDOWS\System32\winb2s32.dll

O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

O4 - HKLM\..\Run: [msupdates] msupdt.exe

O4 - HKLM\..\Run: [Win32 exe file] winstr32.exe

O4 - HKLM\..\Run: [Microsoft upnp Update] msie.exe

O4 - HKLM\..\Run: [Microsoft Macro Protection Subsystems] msmacroprotxz.exe

O4 - HKLM\..\Run: [zervpack2] update2.exe

O4 - HKLM\..\Run: [intdctrr] C:\WINDOWS\System32\idctup20.exe

O4 - HKLM\..\Run: [REEGRUN] C:\index.exe

O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKLM\..\Run: [gghvxp] C:\WINDOWS\System32\nziwrhs.exe

O4 - HKLM\..\Run: [alchem] C:\WINDOWS\alchem.exe

O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe

O4 - HKLM\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKLM\..\Run: [vahup] C:\WINDOWS\vahup.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [Msbb.exe] Msbb.exe

O4 - HKLM\..\RunServices: [msupdates] msupdt.exe

O4 - HKLM\..\RunServices: [Win32 exe file] winstr32.exe

O4 - HKLM\..\RunServices: [Microsoft upnp Update] msie.exe

O4 - HKLM\..\RunServices: [Msbb.exe] Msbb.exe

O4 - HKLM\..\RunServices: [Microsoft Macro Protection Subsystems] msmacroprotxz.exe

O4 - HKLM\..\RunServices: [zervpack2] update2.exe

O4 - HKCU\..\Run: [Win32 exe file] winstr32.exe

O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe

O4 - HKCU\..\Run: [areslite] "C:\Program Files\Ares Lite Edition\AresLite.exe" -h

O4 - HKCU\..\Run: [Msbb.exe] Msbb.exe

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} (F1 Organizer Class) - http://www.addictivetechnologies.ne...ab/1w2fcksh.cab

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f... 921ef7de749b0

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab

O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50188/QDow_AS2.cab

O20 - AppInit_DLLs: mad.dll

Close *ALL * browser windows (except HiJackThis  ) and click "*Fix checked*."

*NEXT*:

Restart your computer into safe mode.

How to start your computer in Safe Mode

*NEXT*:

Because XP will not always show you hidden files and folders by default, Go to _Start > Search _ under "*More advanced search options*", make sure there is a check by "_Search System Folders_" and "_Search hidden files and folders_" and "_Search system subfolders_"

Next click on "_My Computer_". Go to "_Tools_" ---> "_Folder Options_". Click on the "_View_" tab and make sure that "_Show hidden files and folders_" is checked. Also, *uncheck * "_Hide protected operating system files_" and "_Hide extensions for known file types_" . Now click "_Apply to all folders_"

Click "_Apply_" then "_OK_".

*NEXT*:

Find and delete these *folders*:

C:\Program Files\*TV Media*

C:\Program Files\*Windows SyncroAd*

C:\Program Files\*Internet Optimizer*

C:\Program Files\*Web_Rebates*

C:\Program Files\*WeatherBug*

Find and delete these *files*:

*msupdt.exe*

*winstr32.exe*

*msie.exe*

*msmacroprotxz.exe*

*update2.exe*

C:\WINDOWS\System32\*idctup20.*exe

C:\WINDOWS\System32\*nziwrhs.exe*

C:\WINDOWS\*alchem.exe*

C:\WINDOWS\*wupdt.exe*

C:\WINDOWS\*vahup.exe*

*Msbb.exe*

*msupdt.exe*

*winstr32.exe*

*msie.exe*

*mad.dll*

*NEXT*:

Also *in safe mode * navigate to the *C:\Windows\Temp folder*. Open the Temp folder and go to_ Edit > Select All _ then _Edit > Delete_ to delete the entire contents of the Temp folder.

Go to Start > Run, enter %temp% and then click Edit > Select All and delete the contents.

How to delete Windows Temp files in Windows 2000, Windows 95, Windows 98, Windows NT or Windows ME 

Next navigate to the *C:\Documents and Settings\ <all users>\Local Settings\Temp folder*. Open the Temp folder and go to _Edit > Select All _ then_ Edit > Delete _ to delete the entire contents of the Temp folder.

Finally go to _Control Panel > Internet Options_. On the _General_ tab under "_Temporary Internet Files_" Click "_Delete Files_". Put a check by "_Delete Offline Content_" and click _OK_. Now click the "_Delete Cookies_" button and click _OK._

Empty the Recycle Bin.

Restart to normal mode.

****NOTE**** Disable any active resident Anti-virus program before running the scans

Run at least one of these two on-line anti-virus programs.

As applicable, make sure the "_heuristics_" and "_Auto Clean_" boxes are checked.

If anything's found, allow it to clean the file. If it's "uncleanable" *DELETE* everything the virus scan finds.

*Re-start the computer between each scan*.

Trend Micro's free on-line scan

Panda's free on-line scan

Restart your computer.

Click here for the TV Media uninstaller from MicroSoft.

Run the uninstaller.

Click here for the patch

*Restart your computer.*

Post a fresh HJT log.


----------



## Pocky (Oct 13, 2004)

here's the new log:

Logfile of HijackThis v1.98.2
Scan saved at 4:00:58 PM, on 10/25/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HijackThis\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_5_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1096773460341
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O20 - AppInit_DLLs: mad.dll

ps. when i was going through the selected files to delete, i was not able to delete mad.dll:
"Error Deleting File or Folder
Cannot delete mad: It is being used by another person or program.
Close any programs that might be using the file and try again."


----------

