# Solved: Major worm/trojan horse problem



## mgbgtgrimm (Apr 22, 2002)

I have been invaded on my WinME computer by a Trojan horse/worm.
Spybot scan lists 21 files and says that they cannot be deleted, quarantined, or cleaned. Access denied no matter what the 'properties' boxes say. An example of one of the file listings:
C:\_RESTORE\TEMP\A0130014.CPY Infected Trojan Name Generic BackDoor.b
C:\_RESTORE\TEMP\A0131024.CPY Potentially unwanted program 
Program Name Adware-Ezula
McAfee VirusScan also says that they cannot be deleted or otherwise dealt with.
Don't know where this Adware thing came from, but it also won't let me access the net at my wowway.com home page. When I click the Internet Explorer icon I get a blank page that says about:blank in the address bar.  
Greg & Grimm P.S. I'm sorry, it seems this should have been posted under security. Is there a way I can send it over there?
I just read in a post by 'dvk01' about "How did I get infected in the first place" and he mentions Microsoft JavaVM, and I had just installed Microsoft JavaVM the other day because some site I was visiting said I needed it; don't remember where/who. dvk01 says it is a favorite for hackers.


----------



## Cheeseball81 (Mar 3, 2004)

Welcome to TSG 

First download and run these:

Ad-Aware SE Personal
http://www.lavasoftusa.com/support/download/

Install the program and launch it.

In the bottom right-hand corner of the main window click on Check for updates now then click Connect and download the latest reference files.
Then, in the main window: Click Start and under Select a scan Mode tick Perform full system scan.
Then, deselect Search for negligible risk entries.
To start the scan, click the Next button.
When the scan is finished mark everything for removal and get rid of it. (Right-click the window and choose select all from the drop down menu and then click Next)

Reboot your computer

SpyBot Search & Destroy
http://majorgeeks.com/download2471.html

Open the program.
Click online, Search for updates, Download all available updates. Close all Browser windows, Click ''Check for Problems''. Anything that needs to be fixed it will show in red and have a green check in the box to the left. Click ''Fix Selected Problems''.

Reboot your computer again

Create a permanent folder on your hard drive and download this program to it: Hijack This: http://www.majorgeeks.com/download3155.html

Close out any open web browsers
Launch the program
Hit Scan, then Save Log
Open the log in Notepad
Then copy and paste the log into this thread

Do not attempt to fix anything yet :up:


----------



## MFDnNC (Sep 7, 2004)

He cannot get into the restore points. Turn off your restore points and turn them back on, in addition to doing what Cheese said.


----------



## mgbgtgrimm (Apr 22, 2002)

MFDnSC
How do I turn off 'restore points'? I tried to use restore to go back two days but I got the message that restore was unsuccessful. 
I have Ad-Aware and SpyBot and Hijack This, though they have not been used for a few months. I ran SpyBot but there are some files that SpyBot can't touch: "access denied".
I will update these and run them and then report back tomorrow, because I gotta go feed the puppy and then it will be cocktail hour and book reading time. However, I will report back. Thanks. Greg & Grimm


----------



## MFDnNC (Sep 7, 2004)

http://service1.symantec.com/SUPPOR...2001012513122239?OpenDocument&src=sec_doc_nam


----------



## telecom69 (Oct 12, 2001)

The two examples you gave showed the problems were lodged in the restore files. Anti-virus progs cannot remove them from there; all you need to do is disable System Restore, reboot, then enable System Restore again, which will get rid of them. Then run another scan to check.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.98.0
Scan saved at 6:56:13 AM, on 12/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\OBRTYM.EXE
C:\WINDOWS\TEMP\I8AOA2SL.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\PNQ.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACK THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [N7UG] C:\WINDOWS\OBRTYM.EXE
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

This is my HijackThis log as of today, Fri morn. Greg & Grimm
When I hit the restore and get to the calendar page it says "You have no restore points".


----------



## mgbgtgrimm (Apr 22, 2002)

OK, I downloaded Ad-Aware SE Personal and ran the program. The window showed 532 items that I should get rid of. I clicked select all and then clicked next and then clicked quarantine, but nothing happens and the window just sits there for 2 hours. My screen was not frozen because I could shrink the window and enlarge it again. When I finally clicked the X to close the window I got a lot of error messages that all said so-and-so caused an error in KERNEL32.DLL.
Once the window closed I clicked the My Computer icon on the desktop and everything went completely black/blank.
So I'm caught in some deep s__t here and need some help badly.
Greg & Grimm


----------



## telecom69 (Oct 12, 2001)

The Ad-Aware situation first, because it will clear some of the HijackThis log. Maybe asking it to delete in excess of 500 was asking it a bit too much, and perhaps if you got rid of them in smaller amounts till the total was lower it might have better effect. There is no need to press the quarantine button; just press next when the entries to delete are selected.

*Also, the HijackThis you have is out of date, so go here and get the current version http://www.majorgeeks.com/download3155.html then post a new log when you have finished in Ad-Aware*


----------



## mgbgtgrimm (Apr 22, 2002)

I'm sorry that I used the wrong one. I thought when I said OK to replace the existing file I was using the new one, but the old one is still there.
I ran the latest Ad-Aware and it got stuck with the window saying it was deleting items, and was stuck there for over an hour. When I clicked the X to close the window I got some error in KERNEL32.DLL messages and then the screen went totally black. Had to re-start.
Greg & Grimm

Logfile of HijackThis v1.98.2
Scan saved at 2:41:20 PM, on 12/11/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\OBRTYM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\WINDOWS\TEMP\I8AOA2SL.EXE
C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\PNQ.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [N7UG] C:\WINDOWS\OBRTYM.EXE
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll


----------



## mgbgtgrimm (Apr 22, 2002)

I posted a new log in a new thread thinking that's what you meant by posting a new log. Sorry. Greg & Grimm


----------



## mgbgtgrimm (Apr 22, 2002)

I re-ran Ad-Aware and got 395 objects identified this time. I tried to do only 11 objects and a half hour later the "deleting objects" window was still just sitting there. I would get periodic error messages about KERNEL32.DLL, and something called "Virtual Bouncer" keeps popping up and telling me that my computer is infected with a malicious virus and that Virtual Bouncer can clean it up for $29.95. I have deleted and emptied the Recycle Bin 15 times with the file Virtual Bouncer in it and it keeps coming back. Also I can't seem to get rid of the "about:blank" that pops up in my address bar when I click IE. I have to manually enter my browser's location in order to get the net working. Man, I got a big time mess here. Greg & Grimm


----------



## Cheeseball81 (Mar 3, 2004)

Duplicate: http://forums.techguy.org/t306017.html

Let's see if a Mod can merge these together for you :up:


----------



## ~Candy~ (Jan 27, 2001)

Merged threads, please keep posting back to this thread until this problem is solved


----------



## mgbgtgrimm (Apr 22, 2002)

Aca Candy,
I have donated twice, but if I get this big problem fixed I will definitely make another donation of a respectable sum.
My emotions are my worst enemy when my computer is going berserk!
Like this "THING" that has invaded my computer is driving me bonkers. Right whilst I'm viewing forum postings this thing jumps in with new advert web pages and knocks off my forum link, and I can't get it back unless I close down and re-activate the forum URL. This is very frustrating.
Greg & Grimm


----------



## ~Candy~ (Jan 27, 2001)

mgbgtgrimm said:


> Aca Candy,
> I have donated twice, but if I get this big problem fixed I will definitely make another donation of a respectable sum.
> My emotions are my worst enemy when my computer is going berserk!
> Greg & Grimm


Worry not, my friend, if we can't fix it, we'll send it troops to destroy it  

Actually, let me see who I can find to beckon assistance


----------



## telecom69 (Oct 12, 2001)

Put a tick by each of the following and have HijackThis FIX them after closing all open windows:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kkgmc.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YSB.DLL (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\PROGRAM FILES\SEP\SEP.DLL (file missing)
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: AdDestroyer.lnk = C:\Program Files\AdDestroyer\AdDestroyer.exe
O9 - Extra button: Translate - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldlingo.com/UP62768/P...pword=lingocnet (file missing)
O9 - Extra 'Tools' menuitem: Translate Page - {174AD5F0-A97B-11D3-99A2-000000000000} - http://www.worldlingo.com/UP62768/P...pword=lingocnet (file missing)

*If you did not put these in your trusted zones fix these also * 
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab

You also need to delete the following in safe mode

C:\PROGRAM FILES\ISTSVC\ISTSVC.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE

Post back a modified log
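As an added example, not part of this thread and not a HijackThis feature, here is a small Python triage script that encodes the kinds of indicators telecom69 picked out of the log above: R0/R1/R3 search settings that point into a `res://` DLL resource or whose URLSearchHook is missing, O1 hosts entries that send a search domain to a non-local address, O4 autostart entries running from TEMP, BUNDLES or the profile's Application Data folder, any O15 Trusted Zone entry, and O16 ActiveX downloads from hosts outside an allowlist. The sample log lines are copied from the logs in this thread; the rules and the allowlist are my assumptions for illustration, not a maintained signature set.

```python
"""Triage a HijackThis log for the indicator types telecom69 picked out above.

Added example, not part of this thread and not a HijackThis feature.  The
rules and the allowlist below are assumptions for illustration.
"""
import re
from urllib.parse import urlparse

# O1: a hosts entry that sends a search domain anywhere but the local machine
# is the search-redirect pattern seen in the log (69.20.16.183 above).
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# O4: autostart executables living in these directories are suspect.
SUSPECT_DIRS = ("\\TEMP\\", "\\BUNDLES\\", "\\APPLICATION DATA\\")

# O16: constructed allowlist of ActiveX download hosts taken from the scanner
# and vendor entries in the log; real triage would use a maintained list.
TRUSTED_DPF_HOSTS = {
    "a840.g.akamai.net", "download.mcafee.com",
    "www-secure.symantec.com", "www.pandasoftware.com",
}

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")


def parse_line(line):
    """Split 'O4 - HKLM\\..\\Run: [name] path' into (section, body) or None."""
    m = LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(line):
    """Return a short reason if the entry matches a hostile pattern, else None."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    section, body = parsed
    if section in ("R0", "R1", "R3"):
        # Search/start settings pointing into a DLL resource (kkgmc.dll above).
        if "res://" in body and ".dll/" in body.lower():
            return "search setting points into a DLL resource"
        if "is missing" in body:
            return "default URLSearchHook removed"
    elif section == "O1":
        m = re.match(r"Hosts: (\S+) (\S+)", body)
        if m and m.group(1) not in LOCAL_ADDRS:
            return f"hosts file redirects {m.group(2)} to {m.group(1)}"
    elif section == "O4":
        if any(d in body.upper() for d in SUSPECT_DIRS):
            return "autostart from temp/bundle/profile directory"
    elif section == "O15":
        # The thread's advice: anything you did not add yourself gets fixed.
        return "site added to IE Trusted Zone"
    elif section == "O16":
        m = re.search(r"(https?://\S+)", body)
        host = urlparse(m.group(1)).hostname if m else None
        if host and host not in TRUSTED_DPF_HOSTS:
            return f"ActiveX download from unlisted host {host}"
    return None


def triage(log_text):
    """Return [(entry, reason)] for every log line a rule fired on."""
    hits = []
    for line in log_text.splitlines():
        reason = classify(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits


# Constructed sample: entries copied from the logs in this thread plus one
# benign hosts line, so both outcomes are exercised.
SAMPLE_LOG = "\n".join([
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kkgmc.dll/sp.html#12345",
    r"R3 - Default URLSearchHook is missing",
    r"O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    r"O1 - Hosts: 127.0.0.1 localhost",
    r"O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun",
    r"O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE",
    r"O15 - Trusted Zone: *.slotch.com",
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/housecall/xscan53.cab",
    r"O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx",
])

if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason:48s} <- {entry}")
```

Run as a script it prints one line per flagged entry; the benign `scanregw.exe` autostart, the loopback hosts line and the HouseCall control on the allowlisted host stay silent, which is the point of a triage pass: it narrows the log to the entries a helper then confirms by hand, as telecom69 did above.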


----------



## mgbgtgrimm (Apr 22, 2002)

telecom69,
I know how to 'put a tick by each of the following and have hijack FIX them' however I'm still not sure how to "close all open windows".
I have printed out all your instructions via my WinXP computer because my WinME is the one that is malfunctioning.
I don't understand this "If you did not put these in your trusted zones fix these also".
I don't know where/what is/are my "trusted zones".
Where can I go to get instructions on how to boot in "safe mode".
Thanks for trying to help.


----------



## ~Candy~ (Jan 27, 2001)

FYI guys, I was trying to reach cybertech to assist here, here is the message I received back from her:

This is the new VX2 and I don't know how to fix it. I hope Mark gets your e-mail, maybe you should PM him...


----------



## Flrman1 (Jul 26, 2002)

Not only do you have the new VX2 variant, you also have a CWS hijack. Neither one of these can be removed by the conventional methods.

We will have to work on one and then the other. Let's get CWS first.

Please rescan with Hijack This and post a fresh log.

*Click here* to download ServiceFilter.zip and unzip it to your desktop. Open the ServiceFilter folder and doubleclick on the ServiceFilter.vbs file to run it.

If your antivirus has a script blocker, you will get a warning asking if you want to allow ServiceFilter.vbs to run. It might say something like "Malicious Script Warning". This script is not malicious so you are safe in allowing it to run.

When the script is finished it will open a wordpad document called POST_THIS.TXT. The script may not be able to access wordpad. If this happens, you will see a message box telling you so and you can doubleclick the POST_THIS.TXT to open it in notepad.
Copy and Paste the contents of POST_THIS.TXT in a reply to this thread.

After you post the next Hijack This log and the POST_THIS.TXT file, it is very important that you not restart your computer or attempt to do anything to remove this until I have posted the removal directions because the files and the entries in HJT will change and we will have to start all over again. It would be best that you do nothing at all with the computer until you get the directions.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.98.2
Scan saved at 11:25:07 AM, on 12/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\I8AOA2SL.EXE
C:\PROGRAM FILES\VBOUNCER\VIRTUALBOUNCER.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\PNQ.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\ADDESTROYER\ADDESTROYER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

This is my latest log. I did not do the safe mode deletes yet because I'm not too sure about operating in safe mode. I downloaded some instructions from the "service1.symantec.com/SUPPORT" but haven't studied them enough yet.
Could I ask how come you did not ask for me to click the one for "about blank"?


----------



## mgbgtgrimm (Apr 22, 2002)

So I went into safe mode and deleted ISTSVC.EXE, VIRTUALBOUNCER.EXE, and ADDESTROYER.EXE.
Now they are all back again according to a Spybot search.
Something is in my computer and is accessing the net without me or my permission and is opening up all kinds of windows and interrupting what I'm doing.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.98.2
Scan saved at 1:27:39 PM, on 12/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\I8AOA2SL.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\PNQ.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\HPFSTSC0.EXE
C:\WINDOWS\SYSTEM\HPZSTATX.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SAIE.EXE
C:\WINDOWS\BUNDLES\2504041110.EXE
C:\WINDOWS\TEMP\GLBF164.TMP
C:\PROGRAM FILES\VBOUNCER\INSTALLT.EXE
C:\WINDOWS\BUNDLES\VL_EZSTUB.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\WINDOWS\SYSTEM\HDUMTEF.EXE
C:\WINDOWS\EZINSTALL.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\WINDOWS\SYSTEM\WINUPDT.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\PROGRAM FILES\WEB_REBATES\WEBREBATES0.EXE
C:\WINDOWS\SYSTEM\WLDPOST.EXE
C:\WINDOWS\SYSTEM\DMSCFILT.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\WOINSTALL.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe
O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe
O4 - HKLM\..\Run: [vlgazhdcfp] C:\WINDOWS\SYSTEM\hdumtef.exe
O4 - HKLM\..\Run: [jgmiyc] C:\WINDOWS\SYSTEM\jgmiyc.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [rt5X36T] DMSCFILT.EXE
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe
O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe
O4 - HKCU\..\Run: [aAu7RWf7W] WLDPOST.EXE
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\BUNDLES\VL_EZSTUB.EXE
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Here's my latest HijackThis log.


----------



## Flrman1 (Jul 26, 2002)

Sorry but I just realized that you are running ME so my previous directions are not applicable.

First copy the contents of the quotebox to notepad. Go to File > Save As and name it *Fix.reg* (save as type: 'all files' )



> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]
> 
> ...


___________________________________________________________________________

Click here to download CWShredder. *Do Not* run it yet. Download it to the desktop and have it ready to run later.

____________________________________________________________________

Click here to download AboutBuster created by Rubber Ducky.

*Unzip* AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit" because I don't want you to run it yet. Just get the updates so it is ready to run later in safe mode. 
_____________________________________________________________________

Now go ahead and set your computer to show hidden files like so:

click on My Computer. 
Select the Tools menu and click Folder Options. 
Select the View Tab. 
Under the Hidden files and folders heading select Show hidden files and folders. 
Uncheck the Hide protected operating system files (recommended) option. 
Click Apply then OK. Click Yes to confirm.

______________________________________________________________________

*Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access. You *must* follow these directions exactly and you *cannot* skip any part of it.
______________________________________________________________________

Restart to safe mode.

How to start your computer in safe mode

Perform the following steps in safe mode:

____________________________________________________________________

Double click on the fix.reg file you saved at the beginning to enter into the registry. Answer yes when asked to have its contents added to the registry. 
____________________________________________________________________

Go to Start > Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Put a check by these entries in Hijack This and click the "Fix Checked" button:

O2 - BHO: MultiMPPObj Class - {002EB272-2590-4693-B166-FBD5D9B6FEA6} - C:\WINDOWS\MULTIMPP.DLL

O3 - Toolbar: My Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\PROGRAM FILES\MYSEARCH\BAR\1.BIN\S4BAR.DLL

O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE

O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe

O4 - HKLM\..\Run: [saie] c:\windows\system\saie.exe

O4 - HKLM\..\Run: [WebRebates0] C:\Program Files\Web_Rebates\WebRebates0.exe

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\SYSTEM\winupdtl.exe

O4 - HKLM\..\Run: [vlgazhdcfp] C:\WINDOWS\SYSTEM\hdumtef.exe

O4 - HKLM\..\Run: [jgmiyc] C:\WINDOWS\SYSTEM\jgmiyc.exe

O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE" /HideUninstall /HideDir /PC=CP.FHB /ShowLegalNote=nonbranded

O4 - HKLM\..\Run: [rt5X36T] DMSCFILT.EXE

O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"

O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe

O4 - HKCU\..\Run: [DR_S] C:\Program Files\DR_S\DR_S.exe

O4 - HKCU\..\Run: [aAu7RWf7W] WLDPOST.EXE

O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\BUNDLES\VL_EZSTUB.EXE

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Find and delete these files:

C:\WINDOWS\WOINSTALL.EXE
C:\WINDOWS\EZINSTALL.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\stcloader.exe
C:\WINDOWS\SYSTEM\PNQ.EXE
c:\windows\system\saie.exe
C:\WINDOWS\SYSTEM\winupdtl.exe
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\hdumtef.exe
C:\WINDOWS\SYSTEM\jgmiyc.exe
C:\WINDOWS\SYSTEM\WLDPOST.EXE
C:\WINDOWS\SYSTEM\DMSCFILT.EXE
C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE

Delete these folders:

C:\PROGRAM FILES\SEP
C:\Program Files\DR_S
C:\PROGRAM FILES\VBOUNCER
C:\PROGRAM FILES\MYSEARCH
C:\PROGRAM FILES\WINDOWS ADSERVICE
C:\Program Files\Web_Rebates
C:\Program Files\AutoUpdate
C:\WINDOWS\BUNDLES

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here to download control_me.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX security settings in IE as recommended here.

After you have done all the above then we can remove the VX2 infection. Please do the following to get the info we need to remove VX2:

*Click Here* and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the *Click to Find VX2.Betterinternet* button. It will display the files, and User Agent string. Now click the *Make Log* button. It will open the log in notepad. Copy and paste that log here.

Also *Click here* to download DLLCompare.zip.

Unzip it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, click on the *Make a log of what was found* button. When it asks to "View log file" click yes and the log will open in notepad. Save the log to copy and paste back here in your next reply.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.98.2
Scan saved at 4:03:55 PM, on 12/12/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\TEMP\I8AOA2SL.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\PNQ.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\DAD9.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE
O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: CorelCENTRAL Alarms.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\dad9.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

Don't ask me how but when I was following your instructions in safe mode and ran HijackThis I got a different log scan than the one dated 1:29:37. The one listed above is what I got. So I stopped and exited safe mode and came back here to post the "latest scan".
I did do the part about copying the contents to a fix.reg file and it was successfully entered into the registry. I hope this was OK for me to leave safe mode and leave the fix.reg stuff in the registry.


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*O4 - HKLM\..\Run: [Windows AdService] C:\PROGRAM FILES\WINDOWS ADSERVICE\WINADSERV.EXE

O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe

O4 - HKCU\..\Run: [Dyyo] C:\WINDOWS\SYSTEM\pnq.exe

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx

O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab

O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.overpro.com/WildApp.cab

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll*

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. 
Select the Tools menu and click Folder Options. 
Select the View Tab. 
Under the Hidden files and folders heading select Show hidden files and folders. 
Uncheck the Hide protected operating system files (recommended) option. 
Click Apply then OK. Click Yes to confirm.

Now find and delete these files:

C:\WINDOWS\WOINSTALL.EXE
C:\WINDOWS\EZINSTALL.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE
C:\WINDOWS\SYSTEM\stcloader.exe
C:\WINDOWS\SYSTEM\PNQ.EXE
c:\windows\system\saie.exe
C:\WINDOWS\SYSTEM\winupdtl.exe
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\hdumtef.exe
C:\WINDOWS\SYSTEM\jgmiyc.exe
C:\WINDOWS\SYSTEM\WLDPOST.EXE
C:\WINDOWS\SYSTEM\DMSCFILT.EXE
C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE

Delete these folders:

C:\PROGRAM FILES\SEP
C:\Program Files\DR_S
C:\PROGRAM FILES\VBOUNCER
C:\PROGRAM FILES\MYSEARCH
C:\PROGRAM FILES\WINDOWS ADSERVICE
C:\Program Files\Web_Rebates
C:\Program Files\AutoUpdate
C:\WINDOWS\BUNDLES

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

________________________________________________________________________

Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker.

This hijacker is known to alter or delete certain files so check this out please:

Download the Hoster from here . UnZip the file and press "Restore Original Hosts" and press "OK". Exit Program.

If you have Spybot S&D installed you will also need to replace one file. 
Go here and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy)

control.exe may have been deleted. 
See if control.exe is present in C:\windows\system

If control.exe isn't there, Click here to download control_me.zip.

Unzip the file and copy the new control.exe file to the C:\Windows\System folder.

*IMPORTANT!:* Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your active x security settings in IE as recommended here.

After you have done all the above then we can remove the VX2 infection. Please do the following to get the info we need to remove VX2:

*Click Here* and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the *Click to Find VX2.Betterinternet* button. It will display the files, and User Agent string. Now click the *Make Log* button. It will open the log in notepad. Copy and paste that log here.

Also *Click here* to download DLLCompare.zip.

Unzip it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, click on the *Make a log of what was found* button. When it asks to "View log file" click yes and the log will open in notepad. Save the log to copy and paste back here in your next reply.
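
As an added example, not code from this thread or from the HijackThis project: a Python triage script that flags, in HijackThis-format lines like the ones quoted above, the same entry types Flrman1 picked out (O1 hosts redirects, O4 autostarts living in temp/profile folders, O10 unknown LSP files, O15 Trusted Zone additions, and O16 ActiveX downloads from sites outside an allow-list). The allow-list and the sample log are constructed for the example.

```python
"""Triage of HijackThis-style log lines.

Added example, not code from the thread or from the HijackThis project.
It flags the entry types the helper singled out: hosts-file redirects of
search domains (O1), autostart entries under temp/profile folders (O4),
unknown Winsock LSP files (O10), wildcard Trusted Zone additions (O15) and
ActiveX downloads (O16) from sites outside a small constructed allow-list.
"""
import re
from collections import Counter

# Constructed allow-list for O16 download sites; tune to your environment.
TRUSTED_DPF_HOSTS = {"www-secure.symantec.com", "download.mcafee.com"}

# Folders in which a legitimate autostart entry rarely lives (lower-case).
SUSPICIOUS_RUN_DIRS = ("\\windows\\temp\\", "\\application data\\")

_HOST_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.I)
_RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*:\s+\[[^\]]*\]\s+(.*)$", re.I)
_LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP:\s+(.*)$", re.I)
_ZONE_RE = re.compile(r"^O15 - Trusted Zone:\s+(\S+)", re.I)
_DPF_RE = re.compile(r"^O16 - DPF:\s+\{[0-9A-F-]+\}.*?-\s+https?://([^/\s]+)", re.I)


def triage(lines):
    """Return (category, detail, line) triples for entries worth a closer look."""
    findings = []
    lsp_count = Counter()   # LSP dll -> number of chain entries
    lsp_first = {}          # LSP dll -> first raw line it appeared on
    for raw in lines:
        line = raw.strip()
        m = _HOST_RE.match(line)
        if m:
            ip, name = m.groups()
            # Only loopback mappings are expected in a clean hosts file.
            if ip not in ("127.0.0.1", "::1"):
                findings.append(("hosts", f"{name} redirected to {ip}", line))
            continue
        m = _RUN_RE.match(line)
        if m:
            path = m.group(1).lower()
            if any(d in path for d in SUSPICIOUS_RUN_DIRS):
                findings.append(("autostart", "runs from temp/profile folder", line))
            continue
        m = _LSP_RE.match(line)
        if m:
            dll = m.group(1).strip().lower()
            lsp_count[dll] += 1
            lsp_first.setdefault(dll, line)
            continue
        m = _ZONE_RE.match(line)
        if m:
            findings.append(("zone", f"{m.group(1)} added to Trusted Zone", line))
            continue
        m = _DPF_RE.match(line)
        if m:
            host = m.group(1).lower()
            if host not in TRUSTED_DPF_HOSTS:
                findings.append(("dpf", f"ActiveX download from {host}", line))
    # One finding per unknown LSP file, noting how deep it is chained.
    for dll, n in lsp_count.items():
        findings.append(("lsp", f"{dll} chained {n} times", lsp_first[dll]))
    return findings


def by_category(findings):
    """Count findings per category, e.g. {'hosts': 2, 'lsp': 1}."""
    return dict(Counter(cat for cat, _, _ in findings))


# Constructed sample drawn from the log lines quoted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [I8AOA2SL] C:\WINDOWS\TEMP\I8AOA2SL.EXE
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
"""

if __name__ == "__main__":
    for cat, detail, line in triage(SAMPLE_LOG.splitlines()):
        print(f"[{cat}] {detail}\n    {line}")
```

Entries such as the ScanRegistry autostart and the Symantec download pass through untouched, which is the point: the script narrows a long log to the handful of lines a helper would ask about, it does not decide what to delete.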


----------



## mgbgtgrimm (Apr 22, 2002)

C:\WINDOWS\WOINSTALL.EXE
C:\WINDOWS\EZINSTALL.EXE
C:\WINDOWS\APPLICATION DATA\ESRC.EXE "Invalid Folder"
C:\WINDOWS\SYSTEM\stcloader.exe "couldn't find folder"
C:\WINDOWS\SYSTEM\PNQ.EXE
c:\windows\system\saie.exe
C:\WINDOWS\SYSTEM\winupdtl.exe
C:\WINDOWS\SYSTEM\winupdt.exe
C:\WINDOWS\SYSTEM\hdumtef.exe "couldn't find folder"
C:\WINDOWS\SYSTEM\jgmiyc.exe
C:\WINDOWS\SYSTEM\WLDPOST.EXE
C:\WINDOWS\SYSTEM\DMSCFILT.EXE
C:\WINDOWS\SYSTEM\CACHE\CXTPLS_LOADER.EXE "couldn't find folder"

Delete these folders:

C:\PROGRAM FILES\SEP*
C:\Program Files\DR_S*
C:\PROGRAM FILES\VBOUNCER*
C:\PROGRAM FILES\MYSEARCH*
C:\PROGRAM FILES\WINDOWS ADSERVICE
C:\Program Files\Web_Rebates*
C:\Program Files\AutoUpdate
C:\WINDOWS\BUNDLES

*above all returned message "couldn't find folder"
Ran "aboutbuster" and "CWShredder"
Went back to windows and ran online virus scan with "Auto Clean" box checked
After that all went dead and now when I restart and click Internet Explorer to log onto the internet nothing happens. My AT&T icon doesn't even work anymore so I can't access the internet via my WinME computer anymore!


----------



## mgbgtgrimm (Apr 22, 2002)

I can't run HijackThis and post the log because I can't access the internet anymore on my WinME computer!!!


----------



## Flrman1 (Jul 26, 2002)

You need to physically navigate to those files and folders to find and delete them by clicking on My Computer then Local Disk (C etc...... You will have to set the folder options to show hidden files and folders like I posted in my last post.

Try using LspFix to repair the internet connection. It will fit on a floppy disk.

*Click here* to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox. (Don't do anything else)

Then click Finish.


----------



## mgbgtgrimm (Apr 22, 2002)

Your comments in single quotes below

'My Computer then Local Disk (C etc......' I think I need a little more detail as to how to find those files by navigating! When I did search for files and folders that's where the computer said "couldn't find folder" and "invalid folder"
'You will have to set the folder options to show hidden files and folders like I posted in my last post.'
I did set the folder options to show hidden files and folders!
Don't know where the yellow smile face came from!


----------



## mgbgtgrimm (Apr 22, 2002)

OK I downloaded to a floppy LspFix and launched the application just as you instructed and I got Rundll32 has caused an error, Rundll32 will now close.
Outlook Express still works and goes to get my emails but Internet Explorer and ATT don't work and I can not access the internet on the WinME computer. IT IS DEAD man I mean deader than a door nail.


----------



## mgbgtgrimm (Apr 22, 2002)

Look this is getting ridiculous. Can't I just erase everything on my C: drive and re-install my WinME and start over? Re-installing a few programs that I still want to use should be easier than what I'm going thru now!


----------



## Flrman1 (Jul 26, 2002)

mgbgtgrimm said:


> Look this is getting ridiculous. Can't I just erase everything on my C: drive and re-install my WinME and start over? Re-installing a few programs that I still want to use should be easier than what I'm going thru now!


Yes you can if that's what you want to do.


----------



## mgbgtgrimm (Apr 22, 2002)

OK now where do I go to find out how to do this, erase all and re-install WinME, but why do that? WinME is unstable, that's why I purchased a new computer with WinXP on it that I'm using to type this. So why don't I just super clean the hard drive and install WinXP. Make sense to you?
I un-installed Aquazone and Sims and yet when I run the virus scan it is scanning Aquazone and Sims files plus other programs that I have un-installed.


----------



## Flrman1 (Jul 26, 2002)

You know you can only install XP from the same disk on one machine, right?


----------



## mgbgtgrimm (Apr 22, 2002)

No I didn't know that. I hope you will forgive my demeanor as I not only have a sick computer but I also have a sick puppy dog named Grimm. I'm coming back to reality now and am determined to fix my WinME computer.
I downloaded to the A floppy disk LspFix and launched the application by clicking "I know what I'm doing" checkbox.
However my IE icon still doesn't work. When I click it I get the "hour glass" for a few seconds and then nothing happens. Same thing when I click my AT&T toolbox.
However, OE works and goes out and gets my emails from wowway.com


----------



## Flrman1 (Jul 26, 2002)

Click Start > Settings > Control Panel, then double-click Add/Remove Programs 
On the Install/Uninstall tab, doubleclick "Microsoft Internet Explorer 6 SP1 and Internet Tools", click the Repair Internet Explorer option, and then click OK. Now see if you can get online.


----------



## mgbgtgrimm (Apr 22, 2002)

The stuff in Quotes is from your posting:
"Next run aboutbuster. Double click aboutbuster.exe, click OK, click Start, then click OK. This will scan your computer for the bad files and delete them.
_______________________________________________________________________

Finally, run CWShredder. Just click on the cwshredder.exe then click "Fix" (Not "Scan only") and let it do its thing.
_______________________________________________________________________

Boot back into Windows now.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself. Housecall will detect the leftover files from this hijacker."

When I got to this point that's when the screen went blank! 
I did what you instructed "Click Start > Settings > Control Panel, double clicked "Microsoft Internet Explorer 6 SP1 and Internet Tools" clicked repair option.
OK this allowed me to launch the IE window but no matter what I put into the address bar I would get the message "The Page cannot be displayed". No matter which Favorites I clicked I got the same error message. So I left the computer for 30mins to have a bowl of soup.
WELL NOW WHEN I RETURNED, GUESS WHAT!, YOU GOT IT, ALL THE VIRUSES WERE BACK IN FULL FORCE WITH POPUPS FLASHING ALL OVER THE PLACE AND MY IE WORKING.
I left the internet plugged in because I thought it wasn't working, man that was a bad thought. These popups are for businesses trying to sell things, they aren't porn things or nothing bad just super annoying. There must be a way to get at the offending company that is doing this.


----------



## mgbgtgrimm (Apr 22, 2002)

OK I went through the whole scenario again and whilst I came back on line to run housecall 5 files were somehow downloaded. I know this because when I click properties the dates/time listed coincided with the time I was running housecall.
I previously had deleted all files that had a date newer than and including 12-6-2004 of which I did not recognize the name of.
Now (in safe mode net disconnected) when I went into delete these 5 files I get the message "Cannot delete file: source file may be in use"
WHERE/WHAT IS THE "SOURCE FILE" How do I locate a source file. Changing the properties of the files had no effect because of the SOURCE FILE being in use.
I'm on a deadend alley right now because in less than 5 mins of being online files are downloading and I can't see what/where this is happening so as to stop it. I don't even get a popup window that asks me if I want to save this file or open it like most downloads do. IT is just going right on ahead on IT"S own and doing it. This has to be ILLEGAL!!!


----------



## Flrman1 (Jul 26, 2002)

Post a fresh HJT log please.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.98.2
Scan saved at 7:02:24 AM, on 12/15/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.wowway.com/portal/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mynemc] C:\WINDOWS\SYSTEM\mynemc.exe
O4 - HKLM\..\Run: [hwb] C:\WINDOWS\hwb.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\RunServices: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunServices: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6

This is my latest HijackThis log taken without being connected to the internet. Ran HJT on the WinME computer and saved it to a floppy and brought it upstairs to the WinXP computer so as to post it here. If I connect WinME to the internet and run HJT and save the log and come back and run HJT again I get a different log because that's how fast this worm/virus is acting. In fact in that length of time IT will have added at least two new icons on my desktop.


----------



## Flrman1 (Jul 26, 2002)

*Click here* to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox.

Check all instances of *winlspak.dll* (and nothing else) , and move them to the "Remove" pane. 
Then click Finish.

Now start your computer in Safe Mode and delete this file:

C:\windows\system\*winlspak.dll* file

*Click Here* and download the VX2Finder9x.exe tool. Click on the VX2Finder9x.exe and then click on the *Click to Find VX2.Betterinternet* button. It will display the files, and User Agent string. Now click the *Make Log* button. It will open the log in notepad. Copy and paste that log here.

Also *Click here* to download DLLCompare.zip.

Unzip it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, click on the *Make a log of what was found* button. When it asks to "View log file" click yes and the log will open in notepad. Save the log to copy and paste back here in your next reply.


----------



## mgbgtgrimm (Apr 22, 2002)

OK, here are the two logs that you asked for. Hope I did it correctly. I have not allowed the WinME computer to be hooked up to the internet since I ran the HijackThis log dated 7:02:24 A.M. on 12/15/2004.


* DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\hgink.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\donwsock.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\dhnhupnp.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sutupapi.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nltbios.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ctsync.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\addrn32.dll Thu Dec 9 2004 5:24:56p A.SH. 98,304 96.00 K
C:\WINDOWS\SYSTEM\ewsmtp.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ijsapi32.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\kzylimit.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\soem0409.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\oomreg.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wzdmlog.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\anipuixx.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\seint80.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\igwdial.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mocuia32.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\edfpix~1.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lmfil70n.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jqar500.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mqtask.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wdncor~1.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
________________________________________________

1,065 items found: 1,065 files (22 H/S), 0 directories.
Total of file sizes: 203,155,115 bytes 193.74 M

--------------------End log---------------------
Log for VX2.BetterInternet File Finder

Files Found---


User Agent String---
{38187416-01C1-4C77-A99B-FA323A444D0B}


----------



## mgbgtgrimm (Apr 22, 2002)

WARNING
The system has detected that a third party application has removed
180search Assistant, possibly without your consent. This may cause
some programs not to run as expected. PLease choose an option
below.
Re-install 180search Assistant so that your
programs will run as expected. Rquires internet
connectivity

Leave 180search Assistant un-installed, and clean
up any 180search Assistant files or settings that
remain.

Remind me later

Now is this a legitimate Microsoft program or is this part of my virus CWS-hijack/VX2 infection? I would like some advice as to how to proceed.


----------



## Cheeseball81 (Mar 3, 2004)

It's spyware


----------



## Cheeseball81 (Mar 3, 2004)

Are you referring to the infection from this thread? http://forums.techguy.org/showthread.php?t=306017&page=3&pp=15

You should stick to that thread and let flrman1 know of this. He may ask you to post a new log.


----------



## mgbgtgrimm (Apr 22, 2002)

OK, yes, that is the same infection; however, I didn't know if this 180search Assistant was a virus or legit. It only just started showing up as I am going through what flrman tells me to do, and I thought maybe I deleted a Microsoft file by mistake. I will go and post this in that thread. Thanks.


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome :up:


----------



## mgbgtgrimm (Apr 22, 2002)

By the way flrman I am now getting a message about 180search Assistant on the Win ME computer. I listed it in a separate forum but I now realize I should have just put it here. Sorry.


----------



## ~Candy~ (Jan 27, 2001)

I merged both, hopefully everything flows


----------



## Flrman1 (Jul 26, 2002)

Download the Hoster from *here*. Unzip the file to your desktop.

*Click here* to download Pocket KillBox.

Unzip the files to the folder of your choice.

*IMPORTANT!*: Before you continue, close *ALL* running programs. *Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access.

Run Pocket Killbox and click on Tools > Delete Temp Files and let it do its thing.

Next in the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. Put a tick by *Standard File Kill* and put a check by *End Explorer Shell While Killing File*. Click on the button with the red circle and an X in the middle after you enter each file. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\SYSTEM\hgink.dll

C:\WINDOWS\SYSTEM\donwsock.dll

C:\WINDOWS\SYSTEM\dhnhupnp.dll

C:\WINDOWS\SYSTEM\sutupapi.dll

C:\WINDOWS\SYSTEM\nltbios.dll

C:\WINDOWS\SYSTEM\ctsync.dll

C:\WINDOWS\SYSTEM\addrn32.dll

C:\WINDOWS\SYSTEM\ewsmtp.dll

C:\WINDOWS\SYSTEM\ijsapi32.dll

C:\WINDOWS\SYSTEM\kzylimit.dll

C:\WINDOWS\SYSTEM\soem0409.dll

C:\WINDOWS\SYSTEM\oomreg.dll

C:\WINDOWS\SYSTEM\wzdmlog.dll

C:\WINDOWS\SYSTEM\anipuixx.dll

C:\WINDOWS\SYSTEM\seint80.dll

C:\WINDOWS\SYSTEM\igwdial.dll

C:\WINDOWS\SYSTEM\mocuia32.dll

C:\WINDOWS\SYSTEM\edfpix~1.dll

C:\WINDOWS\SYSTEM\lmfil70n.dll

C:\WINDOWS\SYSTEM\jqar500.dll

C:\WINDOWS\SYSTEM\mqtask.dll

C:\WINDOWS\SYSTEM\wdncor~1.dll*

*Note:* If KillBox tells you the file cannot be deleted, then put a tick by *Delete on Reboot* for that particular file and then click the button with the red circle and an X in the middle. It will ask for confirmation and if you want to reboot now. Click No then OK on the next prompt. It is also possible that it will tell you that one or more do not exist. Continue on as instructed if that happens.

Run the Hoster and click "Restore Original Hosts" and press "OK" then Exit the Hoster.

Next run VX2Finder and click the "User Agent" button.

Now restart your computer.

Finally, run DLLcompare again. Post the log from it along with a new Hijack This log and a new VX2Finder log.


----------



## mgbgtgrimm (Apr 22, 2002)

OK, I died as soon as I started. "C:\WINDOWS\SYSTEM\hgink.dll" right off said "file cannot be deleted", so I ticked "Delete on Reboot", and when I hit the button with the red circle my task bar (the one along the bottom) disappeared and I couldn't bring back the window with the file list so as to copy the next file. I had to restart.


----------



## Flrman1 (Jul 26, 2002)

There have been new versions of both DLLCompare and KillBox released. Get rid of the old ones and get the new ones.

*Click Here* and download the new version of Killbox and save it to your desktop.

Also *Click here* to download DLLCompare.exe.

Save it to your desktop.

Now run DllCompare and click on the *RunLocate.com* button. It will scan for the hidden files. When it is finished, you will see in blue "Completed the scan, Click Compare to Continue", at which time you will click the *Compare* button.

It will sort through the files it found and determine which should be flagged as "No access" and display them in the lower box.
In a few minutes it will complete then you will see in blue Completed.
Click the *Make a Log of what was Found* button. It will ask if you want to view the logfile. Click Yes then copy and paste that log in your next reply.


----------



## mgbgtgrimm (Apr 22, 2002)

OK, here's the latest compare log.



* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\donwsock.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jpdw400.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sutupapi.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\nltbios.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ctsync.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\addrn32.dll Thu Dec 9 2004 5:24:56p A.SH. 98,304 96.00 K
C:\WINDOWS\SYSTEM\ewsmtp.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\ijsapi32.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\kzylimit.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\soem0409.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\oomreg.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wzdmlog.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\anipuixx.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\seint80.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\igwdial.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mocuia32.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\edfpix~1.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\lmfil70n.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jqar500.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\mqtask.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\wdncor~1.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
________________________________________________

1,060 items found: 1,060 files (21 H/S), 0 directories.
Total of file sizes: 202,613,931 bytes 193.23 M

--------------------End log---------------------

Also my control alt del window lists the following:
Tbps
Pib
Wtoolsa
DirectCD
Itouch
Systray
Rundll32
Wsup
Mcvsrte
Mcvsescn
Wusb11b
Explorer
Wnpca
Printkey2000
Mfindexer
Webshots
Kbdtray

I couldn't figure out how to print a copy of the Close Program window.
Also I went to the recommended site for ActiveX but my selections don't match what's shown at that site.
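The DLLCompare logs above show the pattern worth automating when triaging a log like this: a batch of hidden/system DLLs with random names that all share one timestamp and one exact byte size. The script below is an added example, not a tool from this thread or from DLLCompare; the file lines are copied from the logs above except vendor.dll, which is a constructed benign entry, and it assumes DLLCompare prints 8.3 short names (no spaces in paths).

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Sample DLLCompare output. The header/footer and the first four file lines are
# copied from the thread's logs; vendor.dll is a constructed benign entry.
SAMPLE_LOG = r"""
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM\donwsock.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\jpdw400.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\sutupapi.dll Thu Dec 9 2004 5:26:14p ..S.R 217,088 212.00 K
C:\WINDOWS\SYSTEM\addrn32.dll Thu Dec 9 2004 5:24:56p A.SH. 98,304 96.00 K
C:\WINDOWS\SYSTEM\vendor.dll Mon Jun 7 2004 9:10:00a A.... 45,056 44.00 K
________________________________________________

1,060 items found: 1,060 files (21 H/S), 0 directories.
Total of file sizes: 202,613,931 bytes 193.23 M

--------------------End log---------------------
"""

# One file line: path, timestamp, attribute flags (A/S/H/R or '.'), byte size, rounded size.
# Assumption: DLLCompare reports 8.3 short names, so the path contains no spaces.
FILE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\\S+)\s+"
    r"(?P<stamp>\w{3} \w{3} \d{1,2} \d{4} \d{1,2}:\d{2}:\d{2}[ap])\s+"
    r"(?P<attrs>[A-Z.]{5})\s+"
    r"(?P<size>[\d,]+)\s+[\d.]+ [KMG]$"
)


@dataclass(frozen=True)
class Entry:
    path: str
    stamp: str
    attrs: str   # e.g. "..S.R" = system + read-only, "A.SH." = archive + system + hidden
    size: int    # exact size in bytes

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def hidden_or_system(self) -> bool:
        return "H" in self.attrs or "S" in self.attrs


@dataclass
class Cluster:
    stamp: str
    size: int
    members: list


def parse_dllcompare_log(text: str) -> list:
    """Return the file entries in a DLLCompare log; header and footer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], m["stamp"], m["attrs"],
                                 int(m["size"].replace(",", ""))))
    return entries


def find_clusters(entries: list, min_members: int = 3) -> list:
    """Group hidden/system files that share one timestamp and one exact byte size.

    Many differently named DLLs with identical size and creation second is the
    pattern in the thread's logs: one payload dropped under many names.
    """
    groups = defaultdict(list)
    for e in entries:
        if e.hidden_or_system:
            groups[(e.stamp, e.size)].append(e)
    return [Cluster(stamp, size, members)
            for (stamp, size), members in sorted(groups.items())
            if len(members) >= min_members]


if __name__ == "__main__":
    for c in find_clusters(parse_dllcompare_log(SAMPLE_LOG)):
        print(f"{len(c.members)} files of {c.size:,} bytes stamped {c.stamp}:")
        for e in c.members:
            print("   ", e.path, e.attrs)
```

Run against the full log above it reports one cluster of twenty 217,088-byte files and leaves addrn32.dll, which has a different size and stamp, for manual review.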


----------



## Flrman1 (Jul 26, 2002)

Download the Hoster from *here*. Unzip the file to your desktop.

*IMPORTANT!*: Before you continue, close *ALL* running programs. *Sign off the internet and remain offline until this procedure is complete. Unplug your modem or disconnect the cable or phone line*. Copy these instructions to notepad and save them on your desktop for easy access.

Double-click on Killbox.exe to run it. Now put a tick by *Replace on Reboot*. Under that also put a check in the box by *Use Dummy*. In the "Paste Full Path of File to Delete" box, copy and paste each of the following lines one at a time. After each one it will ask for confirmation to delete the file on next reboot. Click Yes. It will then ask if you want to reboot now. Click No. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

*C:\WINDOWS\SYSTEM\donwsock.dll

C:\WINDOWS\SYSTEM\jpdw400.dll

C:\WINDOWS\SYSTEM\sutupapi.dll

C:\WINDOWS\SYSTEM\nltbios.dll

C:\WINDOWS\SYSTEM\ctsync.dll

C:\WINDOWS\SYSTEM\addrn32.dll

C:\WINDOWS\SYSTEM\ewsmtp.dll

C:\WINDOWS\SYSTEM\ijsapi32.dll

C:\WINDOWS\SYSTEM\kzylimit.dll

C:\WINDOWS\SYSTEM\soem0409.dll

C:\WINDOWS\SYSTEM\oomreg.dll

C:\WINDOWS\SYSTEM\wzdmlog.dll

C:\WINDOWS\SYSTEM\anipuixx.dll

C:\WINDOWS\SYSTEM\seint80.dll

C:\WINDOWS\SYSTEM\igwdial.dll

C:\WINDOWS\SYSTEM\mocuia32.dll

C:\WINDOWS\SYSTEM\edfpix~1.dll

C:\WINDOWS\SYSTEM\lmfil70n.dll

C:\WINDOWS\SYSTEM\jqar500.dll

C:\WINDOWS\SYSTEM\mqtask.dll

C:\WINDOWS\SYSTEM\wdncor~1.dll*

When you paste the very last file in Killbox and it asks you if you want to reboot now click Yes and let it reboot.

After it restarts, run the Hoster and click the "Restore original Hosts file" button, then exit the Hoster.

Next run VX2Finder and click on the *User Agent* button to remove that reg entry.

*Restart your computer*

After that second restart, run VX2Finder again and post the log from it. Also run DLLCompare like you did before and post that log along with another HijackThis log.


----------



## mgbgtgrimm (Apr 22, 2002)

Log for VX2.BetterInternet File Finder

Files Found---

User Agent String---

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found "
________________________________________________

1,039 items found: 1,039 files, 0 directories.
Total of file sizes: 198,173,867 bytes 188.99 M

--------------------End log---------------------
Logfile of HijackThis v1.98.2
Scan saved at 11:12:57 AM, on 12/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\TOOLBAR\TBPS.EXE
C:\PROGRAM FILES\TOOLBAR\PIB.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WSUP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.wowway.com/portal/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [mynemc] C:\WINDOWS\SYSTEM\mynemc.exe
O4 - HKLM\..\Run: [hwb] C:\WINDOWS\hwb.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot
O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - HKCU\..\RunServices: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunServices: [Shes] C:\WINDOWS\Application Data\esrc.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6

OK, listed above are three logs after following your instructions above. 
Killbox did NOT ask if I wanted to reboot now; it showed a message which said "File will be deleted on next reboot". Killbox also did not ask if I wanted to reboot after I had entered the last item. So I did a reboot via 'START, SHUTDOWN, RESTART'.
Upon that restart I received a black screen (à la DOS) which stated:

%1: %2 Windows could not upgrade the file %1: from %2

It displayed this message 8 times exactly the same.

It then displayed the message: "If windows fails to start run setup again"
Hit any button to continue.
So I hit enter and windows booted and my desktop appeared.

When I run VX2Finder the 'USER AGENT' button never highlighted.

When I run McAfee virus scan I get 54 files listed as "CANNOT BE DELETED".
They all have this in common:
C:\_RESTORE\TEMP\A013,,,,.CPY
The four commas denoting the only numbers that vary between files.
Program Names that are listed:
Downloader-PX (20 times)
Virtual Bouncer (11 times)
Downloader-KL (4 times)
Adware-180Solutions (2 times)
QDial28 (2 times)
Adware-PortalScan (5 times)
Adware-Virtumundo
Adware-Apropos
Adware-Apropos.dll
Adware-POP.dldr
Tool_IdleUI (2 times)


----------



## mgbgtgrimm (Apr 22, 2002)

Now after doing what's listed above computer will not shut down. When I click: START, TURN OFF COMPUTER, SHUT DOWN I get an error message:
VWIN32(05) + 000012D0 ERROR: 0E : 0028 : C02A44A8
on a BIG BLUE SCREEN!!! also says 'hit any key to continue'
when I do hit "ANY KEY" I end up with the BIG BLACK SCREEN with the DOS type flashing cursor in the upper left corner and NO KEYS WORK!!!


----------



## Flrman1 (Jul 26, 2002)

Run Hijack This again and put a check by these. Close *ALL* windows except HijackThis and click "Fix checked"

*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL

O4 - HKLM\..\Run: [mynemc] C:\WINDOWS\SYSTEM\mynemc.exe

O4 - HKLM\..\Run: [hwb] C:\WINDOWS\hwb.exe

O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe

O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBOUNCER\VirtualBouncer.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE

O4 - HKLM\..\RunServices: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE

O4 - HKLM\..\RunServicesOnce: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe /boot

O4 - HKLM\..\RunServicesOnce: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE /boot

O4 - HKCU\..\Run: [Shes] C:\WINDOWS\Application Data\esrc.exe

O4 - HKCU\..\RunServices: [Shes] C:\WINDOWS\Application Data\esrc.exe

O8 - Extra context menu item: Web Rebates - file://C:\PROGRAM FILES\WEB_REBATES\Sy1150\Tp1150\scri1150a.htm

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6*

Restart to safe mode.

How to start your computer in safe mode

First in safe mode click on My Computer. 
Select the Tools menu and click Folder Options. 
Select the View Tab. 
Under the Hidden files and folders heading select Show hidden files and folders. 
Uncheck the Hide protected operating system files (recommended) option. 
Click Apply then OK. Click Yes to confirm.

Now find and delete these files:

C:\WINDOWS\*hwb.exe*
C:\WINDOWS\Application Data\*esrc.exe*
C:\WINDOWS\SYSTEM\*mynemc.exe*

C:\PROGRAM FILES\*WEB_REBATES*
C:\PROGRAM FILES\*TOOLBAR*
C:\PROGRAM FILES\*VBOUNCER*
C:\PROGRAM FILES\COMMON FILES\*WINTOOLS*

Also in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin

Go *here* and download Ad-Aware SE.

Install the program and launch it.

First in the main window look in the bottom right corner and click on *Check for updates now* then click *Connect* and download the latest reference files.

From main window :Click *Start* then under *Select a scan Mode* tick *Perform full system scan*.

Next deselect *Search for negligible risk entries*.

Now to scan just click the *Next* button.

When the scan is finished mark everything for removal and get rid of it.(Right-click the window and choose *select all* from the drop down menu and click *Next*)

*Restart your computer*.

Turn off System Restore:

Click Start, Settings, and then click Control Panel.
Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

Click the Performance tab, and then click File System.
Click the Troubleshooting tab, and then check Disable System Restore.
Click Apply then OK.
Click Yes, when you are prompted to restart Windows.

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

When you are sure you're computer is clean, reenable System Restore by following these directions:

To enable Windows Me System Restore:

Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System, and then click the Troubleshooting tab.
Uncheck Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.
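Earlier in the thread each new HijackThis log came back different, so after a "Fix checked" run it is worth diffing the follow-up scan against the previous one and against the fix list to see what actually stuck. The script below is an added example, not part of the thread or of HijackThis: the BEFORE_LOG lines are copied from the 12/18/2004 log above, the fix list lines are from the post above (with its bold markers), and AFTER_LOG together with its [example] entry is constructed.

```python
import re

# A HijackThis entry looks like "O4 - HKLM\..\Run: [hwb] C:\WINDOWS\hwb.exe".
# The optional asterisks absorb the bold markers around the fix list as posted.
ENTRY_RE = re.compile(r"^\*?(?P<kind>[RFON]\d{1,2}) - (?P<body>.+?)\*?$")

# Entries copied from the 12/18/2004 log in the thread. The O16 line is left out
# because the forum truncated its URL differently in the log and in the fix list.
BEFORE_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 11:12:57 AM, on 12/18/2004
Platform: Windows ME (Win9x 4.90.3000)

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\COMMON FILES\WINTOOLS\WTOOLSA.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.wowway.com/portal/index.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL
O4 - HKLM\..\Run: [hwb] C:\WINDOWS\hwb.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
"""

# The matching lines of the "Fix checked" list, pasted with the post's bold markers.
FIX_LIST = r"""
*R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa

O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSB.DLL

O4 - HKLM\..\Run: [hwb] C:\WINDOWS\hwb.exe

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com*
"""

# Constructed follow-up scan: most fixes took, WinTools re-registered itself, and
# a new Run entry appeared (constructed name, not from the thread).
AFTER_LOG = r"""
Logfile of HijackThis v1.98.2
Scan saved at 7:00:00 AM, on 12/19/2004

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www1.wowway.com/portal/index.asp
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WINTOOLS\WTOOLSA.EXE
O4 - HKLM\..\Run: [example] C:\WINDOWS\SYSTEM\constructed.exe
"""


def parse_hjt(text: str) -> set:
    """Return the set of (kind, body) entries in a HijackThis log or fix list."""
    entries = set()
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m["kind"], m["body"]))
    return entries


def diff_logs(before: str, after: str) -> tuple:
    """(removed, added) between two scans; 'added' is what is new or came back."""
    b, a = parse_hjt(before), parse_hjt(after)
    return sorted(b - a), sorted(a - b)


def unfixed(fix_list: str, after: str) -> list:
    """Entries from the fix list that are still present in the later scan."""
    return sorted(parse_hjt(fix_list) & parse_hjt(after))


if __name__ == "__main__":
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still present from fix list:", *unfixed(FIX_LIST, AFTER_LOG), sep="\n  ")
```

An entry that shows up under "still present" after a reboot points at a loader that is re-creating it (here the RunServices/RunServicesOnce copies of WinTools), which is why the post has you delete the program folders in safe mode rather than only fixing the Run lines.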


----------



## mgbgtgrimm (Apr 22, 2002)

Will run thru what you have listed later today.
How come when I click "http://public.windupdates.com/getf...8a29296baabeld6"
I end up at "http://www.blazefind.com/404.html"?


----------



## Flrman1 (Jul 26, 2002)

Don't be clicking on that! You are just going to reinfect yourself!


----------



## ~Candy~ (Jan 27, 2001)

Dang! I almost clicked on that one in the reply email 

Thanks for that info Mark


----------



## Flrman1 (Jul 26, 2002)

Candy, if you have your ActiveX settings at the proper security level it wouldn't affect you, but judging from his logs, I suspect that he is accepting all activex!


----------



## mgbgtgrimm (Apr 22, 2002)

I went to the site you had earlier sent me so as to reset my ActiveX settings, but the problem is what shows up in my ActiveX window does not match all of what is in the web site's window for ActiveX.
Also when I try to do 'end task' in the Program Manager window so as to close all windows, Pib.exe and TBPS.exe will not allow themselves to be shut down.
Also my scan disk for errors doesn't work any more. It pops up the message "Scandisk has restarted 10 times because another program has been writing to this drive".
I clicked on that http thingy because I thought you had put it there as a place where I could go to fix the "DPF:" thingy.
I have to go cook some LUKNNYZER (Belgian) cookies for Christmas and will tackle the machine when finished.


----------



## mgbgtgrimm (Apr 22, 2002)

This is terrible. I can't even log on to the internet now on the WinME computer. I think when you instructed me to click "Restore Web Settings" that was bad. The computer started out using a dial-up AT&T system (Internet Explorer provided by AT&T). Then I converted to cable with wowway, but my AT&T still worked for a fee for the email connection so I wouldn't lose all my contacts (in fact it works fine on this, my WinXP computer), but downstairs my WinME is DEADER THAN A DOOR NAIL!!! You know I'm an idiot for not converting to Apple! I need a rest. Have a nice weekend.


----------



## ~Candy~ (Jan 27, 2001)

Scandisk runs best in safe mode.

Thanks Mark, not sure where I have my settings, but guess I'd best check


----------



## Flrman1 (Jul 26, 2002)

It sounds to me like you are venturing out on your own and trying to take extra steps other than what we are recommending to fix this. You shouldn't be worried about trying to run scandisk until you get all this garbage off your computer anyway. Scandisk certainly won't help with that. All this sorta makes me wonder what you may have done to cause the loss of internet connection. Clicking "Reset Web Settings" certainly wouldn't do that. You should have been well on your way to a clean machine by now.

You can try LspFix to restore the connection, but having no idea what you have done makes that a stab in the dark. You can put it on a floppy disk and run it on the ME box.

*Click here* to download LspFix

Launch the application, and click the "I know what I'm doing" checkbox. (Don't do anything else)

Then click Finish.


----------



## MommyCPA (Oct 25, 2004)

I've been reading this thread with great interest because I have the same @#[email protected] problem. It's awful!!! I've even gotten help here a few times over the last 2 weeks, but everything kept coming back. My Spybot and Adaware lock up when I try to delete things. My CWShredder locks up and does no good. HijackThis doesn't remove things and when it does, it comes back. Now, something's funky with my keyboard and if I backspace, it deletes the whole message that I wrote. That's why I have these typos. It's gotten to the point that AOL sometimes even opens itself and tries to log on. I've taken to turning off the computer when not in use. I'm scared to attempt these fixes, even though I'm usually very computer literate. I know I have the same thing, because my HijackThis file of my registry has the same stuff as this guy's. !!!!! UGH!!! It's too late at night to start trying, but I'll probably post my HijackThis file tomorrow and try to work on it then. I've saved all the instructions here, but my big concern is that I won't be able to get on the web at all if this ME computer gets screwed up too much. This is truly an EVILLE!!!! thing!!!


----------



## telecom69 (Oct 12, 2001)

*Mommy CPA* You will need to start a new thread of your own if you want advice; it's far too complicated to answer more than one topic in a thread... just click on New Thread... Start by posting a HijackThis log with the latest HijackThis from here http://www.majorgeeks.com/download3155.html


----------



## mgbgtgrimm (Apr 22, 2002)

Now let me explain what happened. After I did all that you had outlined above and restarted my computer I tried going online to do the online scan and I ended up with a screen freeze. This computer (WinME) has dogged me with screen freezes and blue screen errors since the day I got it. (That's why I bought this new computer with WinXP, because it's supposed to be more stable.)
Well, the only way out is power shut off. When I turned the power back on and started the computer I naturally get the little window that says "Windows has detected an improper shut down. ScanDisk will now check for errors", however, that's when I ended up with the message about restarting 10 times. That is the only reason for running ScanDisk.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.98.2
Scan saved at 7:21:17 AM, on 12/20/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted Zone: *.frame.crazywinnings.com
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

This is my latest HijackThis log. I ran LspFix and there was one file to be got rid of, which I did, but internet still only shows "page cannot be displayed".


----------



## Flrman1 (Jul 26, 2002)

mgbgtgrimm said:


> This computer (WinME) has dogged me with screen freezes and blue screen errors since the day I got it.


It sounds to me like there are other issues here besides the malware. You may very well have hardware problems.

Your log is almost clean. Download the Registry Search Tool here:

http://www.billsway.com/vbspage/

Unzip it and run it. If your antivirus interferes you may have to disable script blocking in the antivirus. Copy and paste the following in the search box:

*frame.crazywinnings.com*

Copy and paste the results here.


----------



## mgbgtgrimm (Apr 22, 2002)

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "frame.crazywinnings.com" 12/20/2004 10:52:40 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]

OK here's the regedit log.
When I fired up this morning somehow I lost my Logitech wireless mouse. Don't know why, don't know how. Changed all batteries and hit all the reset buttons but no luck, so I did a restart and whamoo, mouse works fine now.
Right now everything is working fine except for internet, which displays "unable to display page".
I think there is probably something missing someplace that my service provider input that is no longer recognizable. I use wowway as a main provider and have access to att.net as a secondary, mostly for email. Now they BOTH work fine on this WinXP computer (as they did before the Nalpolean attack), so to me I should be able to go see what settings are on this computer and copy them and then input them to the WinME computer. Gotta go cook Sunday brunch now, red wine and sausage.


----------



## Flrman1 (Jul 26, 2002)

Copy the contents of the quotebox to notepad. Go to File > Save As and name it *Fix.reg* (save as type: 'all files' ) and save it to your desktop.


> REGEDIT4
> 
> [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
> 
> [-HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]


Double click on the Fix.reg file you saved to enter it into the registry. Answer yes when asked to have its contents added to the registry.
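The two manual steps above (reading the O15 Trusted Zone line out of the HijackThis log, then turning the RegSrch key list into a REGEDIT4 file with `[-…]` delete directives) can be scripted. The following is an added example, not code from the thread, from HijackThis or from RegSrch.vbs. It assumes the HijackThis O15 line format shown in the logs above, and it covers HKEY_CURRENT_USER in addition to the two hives RegSrch found on this machine; the sample log and RegSrch output embedded in it are constructed from the entries posted in this thread.

```python
"""
Added example (not from the thread, HijackThis or RegSrch.vbs): build a
REGEDIT4 "Fix.reg" that deletes Trusted-Zone entries, either from the O15
lines of a HijackThis log or from the key list RegSrch.vbs prints.
"""
import re
from typing import Dict, List

# Path of the Internet Explorer zone map below each hive's Software key.
ZONEMAP = r"\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"

# Hive prefixes to clear. The first two are the ones RegSrch found above;
# HKEY_CURRENT_USER is an added assumption for machines with user profiles
# (a "[-key]" line for a key that does not exist is ignored by regedit).
HIVES = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE",
    r"HKEY_USERS\.DEFAULT\Software",
    r"HKEY_CURRENT_USER\Software",
)

O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (.+)$")


def parse_o15(log: str) -> List[Dict[str, str]]:
    """Return the O15 entries of a HijackThis log as {'kind', 'value'} dicts.

    Parenthesised values such as "(HKLM)" are HijackThis annotations rather
    than domains or addresses and are skipped.
    """
    entries = []
    for line in log.splitlines():
        m = O15_RE.match(line.strip())
        if not m:
            continue
        kind, value = m.group(1), m.group(2).strip()
        if value.startswith("(") and value.endswith(")"):
            continue
        entries.append({"kind": kind, "value": value})
    return entries


def domain_key(value: str) -> str:
    """Map a HijackThis Trusted Zone value to its ZoneMap\\Domains key name.

    HijackThis shows a wildcard entry as "*.example.com"; the registry key
    is named "example.com" (compare the RegSrch results above).
    """
    return value[2:] if value.startswith("*.") else value


def build_fix_reg(entries: List[Dict[str, str]]) -> str:
    """Emit a REGEDIT4 file deleting each trusted domain from every hive."""
    out = ["REGEDIT4", ""]
    for e in entries:
        if e["kind"] == "Zone":
            for hive in HIVES:
                out.append(f"[-{hive}{ZONEMAP}\\Domains\\{domain_key(e['value'])}]")
                out.append("")
        else:
            # Trusted IP ranges live under ZoneMap\Ranges\Range<N> with a
            # ":Range" value holding the address. The key name is not in the
            # log, so leave a note for a registry search instead of guessing.
            out.append(f"; Trusted IP range {e['value']}: search the registry for")
            out.append("; this address under ZoneMap\\Ranges and delete that Range key.")
            out.append("")
    return "\n".join(out) + "\n"


def results_to_fix_reg(regsrch_output: str) -> str:
    """Turn the key list RegSrch.vbs prints into delete directives.

    Every "[HKEY_...]" line becomes "[-HKEY_...]"; comment lines and the
    original header are dropped and a fresh REGEDIT4 header is written.
    """
    out = ["REGEDIT4", ""]
    for line in regsrch_output.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and not line.startswith("[-"):
            out.append("[-" + line[1:])
            out.append("")
    return "\n".join(out) + "\n"


# Constructed sample inputs, in the formats of the log and RegSrch output above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
"""

SAMPLE_REGSRCH = r"""REGEDIT4
; RegSrch.vbs (c) Bill James
; Registry search results for string "frame.crazywinnings.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"""

if __name__ == "__main__":
    print(build_fix_reg(parse_o15(SAMPLE_LOG)))
    print(results_to_fix_reg(SAMPLE_REGSRCH))
```

Save either function's output as Fix.reg and merge it the way the post above describes. The O15 route is the quicker one when the log is already in hand; the RegSrch route is the safer one because it only deletes keys that were actually found on the machine.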


----------



## mgbgtgrimm (Apr 22, 2002)

OK flrman1, I have done all that you just posted above and then restarted the computer.
I am now typing this on my WinME computer HOW'S that grab you. I have a question about my "close program" window box. Here's the list of what's in it:
Explorer
Autoupdate
Wusb11b
Mfindexer
Webshots
Mcvsescn
Kbdtray
Mcagent
Directcd
Wnpca
Itouch
Systray
Mcvsrte
Now should some of these be gotten away with, I mean are they virus or malware or something bad? How do I protect myself from here on in?
I still have a couple of funnies going on, like when I click the email button on my att tool bar My Documents opens. If I go thru IE I land on the att.net home page and then can access my att email, crazy.
Looks like we are really getting close on this one. Thanks loads. Don't want to count my chickens before the eggs, so I want to wait and see what happens tomorrow.


----------



## mgbgtgrimm (Apr 22, 2002)

I have been on the net for about 50 mins now and have not received one popup yet! So I'm still saying my prayers.


----------



## Flrman1 (Jul 26, 2002)

Well I do see one problem. You have both Norton and McAfee antiviruses running at the same time. You should never have two AVs running at the same time as they will conflict with each other and actually reduce your protection. Not only that, but both Norton and McAfee are known to be major resource hogs, so even if you could run two at the same time this would be the worst possible combination that I can think of. You need to choose one and disable the other.


----------



## mgbgtgrimm (Apr 22, 2002)

I thought I had removed the Norton program because it made my printer take 10 min to print a 2 min page. Now the computer Co. that installed my new WinXP and LINKSYS installed McAfee on both machines. The only thing that is running with McAfee is the virus scan, none of the other options are installed, and the computer Co. did not give me a McAfee CD so I can't install anything more. Shouldn't I have a firewall installed?
Norton does not show up in my Close Program window, so how do I delete it more thoroughly? Norton does not show up in my Add/Remove Programs window either. I did a search for "norton" and found 4 files and deleted them; otherwise I don't know how/where to look for Norton files so as to delete them.
I still have one funny thing happening. When I click the 'email' button on my desktop att toolbar it brings up the My Documents window rather than taking me to my att email site. No biggie, because when I click the IE icon I go straight to my att home page and when I click the email button there I go straight to the att email page.


----------



## Flrman1 (Jul 26, 2002)

Fix all these with Hijack This:

*O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccProxy] C:\PROGRA~1\COMMON~1\SYMANT~1\CCPROXY.EXE
O4 - HKLM\..\RunServices: [SndSrvc] C:\PROGRA~1\COMMON~1\SYMANT~1\SNDSRVC.EXE*

Restart your computer.


----------



## mgbgtgrimm (Apr 22, 2002)

Logfile of HijackThis v1.99.0
Scan saved at 2:36:29 PM, on 12/22/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\AT&T\ACP\PROGRAMS\WNPCA.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\WUSB11 WLAN MONITOR\WUSB11B.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\WEBSHOTS\WEBSHOTS.SCR
C:\PROGRAM FILES\PRINTKEY2000\PRINTKEY2000.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\KBDTRAY.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\HIGHJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.att.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [AT&T DSL Service PCA Program] C:\Program Files\AT&T\ACP\programs\wnpca.exe /ws
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ReleaseRAM] C:\PROGRAM FILES\R-RAM\RRAM.exe
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WUSB11B.exe] C:\Program Files\WUSB11 WLAN Monitor\WUSB11B.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Startup: Printkey2000.lnk = C:\Program Files\PrintKey2000\Printkey2000.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O8 - Extra context menu item: Translate Selection with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: Translate Page with Worldlingo.com - http://www.worldlingo.com/UP62768/P5001/l/scripts/btool.js?btool=s&uname=btool48&pword=lingocnet
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O12 - Plugin for .bcf: C:\PROGRA~1\INTERN~1\Plugins\NPBelv32.dll
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: (HKLM)
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB

Here's my latest HJT log from the latest HJT v1.99.
I deleted what you had outlined.
I shut my computer last night the proper normal way and this afternoon when I turned it on the proper way I got a blue screen "WINDOWS SAFETY HALT" or something to that order and then it took me into safe mode automatically. So I did the above in safe mode and then restarted, and here I am running fine so far.


----------



## Flrman1 (Jul 26, 2002)

It all looks good now! :up:


----------



## mgbgtgrimm (Apr 22, 2002)

Thanks flrman1 your posts helped me solve my problem and so I went and donated to the affero thing even though I don't really understand it. Thanks again and have safe holidays. Greg & Grimm


----------



## Flrman1 (Jul 26, 2002)

You're Welcome! 

Now turn off System Restore:

Click Start, Settings, and then click Control Panel.
Double-click the System icon. The System Properties dialog box appears.

NOTE: If the System icon is not visible, click "View all Control Panel options" to display it.

Click the Performance tab, and then click File System.
Click the Troubleshooting tab, and then check Disable System Restore.
Click Apply then OK.
Click Yes, when you are prompted to restart Windows.

Once you have cleaned the virus or other problem from the computer, re-enable System Restore by following these directions.

To enable Windows Me System Restore:

Click Start, point to Settings, and then click Control Panel.
Double-click System, and then click the Performance tab.
Click File System, and then click the Troubleshooting tab.
Uncheck Disable System Restore.
Click OK. Click Yes, when you are prompted to restart Windows.

*Check this out* for info on how to tighten your security settings and some good free tools to help prevent this from happening again.


----------



## Cheeseball81 (Mar 3, 2004)

Hi ManBehindGod 

Continue posting here: http://forums.techguy.org/t310752.html


----------



## Flrman1 (Jul 26, 2002)

I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

