Explore topic-wise InterviewSolutions in .

Hi, this is the log from the MBR:


Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !

THANKS!Now delete the current mbr.log file from the desktop and then follow the below instructions.

Go to Start > Run then copy and paste the following into the Open field (do not copy the word Code):

Code: [Select]"%userprofile%\desktop\mbr.exe" -f
Double click on the mbr.exe file and post the contents of the new mbr.logOk, here is the newest file

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x012A18AC1
malicious code @ sector 0x012A18AC4 !
PE file found in sector at 0x012A18ADA !

Thank you OK go ahead with the FULL Dr Web scan now and post that log please.

You can delete the mbr.exe and the log file.Ok, heres my log after the full scan:

T-3877633-daddys little girl al martino - greatest hits.mp3;C:\Documents and Settings\Brad\My Documents\Incomplete;Trojan.WMALoader;Cured.;
WxBug.EXE;C:\Program Files\aim\Sysfiles;Adware.Aws;;
morpheustoolbar.exe/data001\data006;C:\Program Files\Morpheus\morpheustoolbar.exe/data001;Adware.Msearch;;
data001;C:\Program Files\Morpheus;Container contains infected objects;;
morpheustoolbar.exe;C:\Program Files\Morpheus;Container contains infected objects;;

Thanks again. OK that found a few more. How is the computer running now?As of yet I've had now problems. So far I've been up for about 24 hours. Thanks again for all your help.Still no problems, thank you very much for all your guys' help. Sorry for the delay.

Download OTMoveIt3 by OldTimer OTMoveIt3.exe and place it on your desktop. (unless you already have it installed)

1. Double click OTMoveIt3.exe to launch it.
Vista users right click and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the INTERNET, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list DOWNLOADED, Do you want to begin cleanup process?)
5. Once complete exit out of OTMoveIt3

----------

Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.

• Go to Start > Programs > Accessories > System Tools and click System Restore
  
• Choose the radio button marked Create a Restore Point on the first screen then click Next GIVE the Restore Point a name then click Create.
  
• The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
• Next go to Start > Run and type Cleanmgr
  
• Click OK
  
• Click the More Options Tab.
  
• Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

Hi,

I have AVG 8.5 on my laptop which I DOWNLOADED at a high speed site.

Home I have DIAL up on our tower computer and wonder if SOMEHOW I can transfer AVG using a flash drive from the laptop to the tower?

Is this even possible? Otherwise I DOWNLOAD 66mb by phone and wait...and wait....and wait....aaaarrrgh.

Any help much appreciated.

sampDownload the setup and copy it to the flash drive.

To do this, when you click the download link, instead of clicking RUN, click save and save it to your desktop.Thanks very much...

I will try this.

Great forum by the way.

Gracias again,
sampAnytime.

Good Luck.

• Click Start Now
  
• Check the box next to Enable thorough system inspection.
  
• Click Start
  
• Allow the scan to finish and scroll down to see if any updates are needed.
• Update anything listed.

I downloaded a program that i thought was a audio recording program but it asked me restart and it stopped my antivirus from running and firewall then I open them up manualy and avast is finding stuff. I have ran scans with MBAM and SAS but nothing much was found.

Malwarebytes' Anti-Malware 1.41
Database version: 2916
Windows 5.1.2600 Service Pack 3

10/6/2009 6:38:01 PM
mbam-log-2009-10-06 (18-38-01).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|)
Objects scanned: 54374
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ComboFix\Combo-Fix.sys (Worm.Agent) -> Quarantined and deleted successfully.

(later did a full scan and found nothing)

Sas found nothing.Sorry I forgot the HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:59 PM, on 10/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q405&bd=presario&pf=desktop&parm1=seconduser
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {B17324EB-1C4E-453F-BAB4-E82D5F3314C2} - (no file)
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Styler\TB\StylerTB.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKLM\..\Run: [00PCTFW] "C:\Program Files\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - ?p=ZRfox000
O8 - Extra context menu item: Add To Compaq Organize... - C:\PROGRA~1\HEWLET~1\COMPAQ~1\bin/module.main/favorites\ie_add_to.html
O8 - Extra context menu item: Add to Video Converter... - C:\Program Files\MP3 Player Utilities 5.10\AVIConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save YouTube Video as MP3 - res://C:\Program Files\Common Files\DVDVideoSoft\Dll\IEContextMenuY.dll/scriptY2MP3.htm
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - (no file) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.systemrequirementslab.com/srl_bin/sysreqlab_srl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127362109437
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149835123078
O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Program Files\PC Tools Firewall Plus\FWService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

--
End of file - 8700 bytes1) Put a check mark against the below entries and click "Fix checked" .

Quote

O2 - BHO: (no name) - {B17324EB-1C4E-453F-BAB4-E82D5F3314C2} - (no file)
O8 - Extra context menu item: &Search - ?p=ZRfox000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {3EB3B7E8-1466-405A-B5BC-44513AF85E34} - (no file) (HKCU)

KillAll::

DDS::

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

File::

c:\program files\sqmdata12.sqm

file::

c:\documents and settings\All Users\Application Data\Viewpoint

Hi there

I use Norton internet security

Regularly I get the message: malware found : spyware.ietoolbar.
It is automatically REMOVED from the PC by Norton. Sofar sogood.

But this comes up daily. How can i AVOID it?
MAYBE can I block some internet address in my browser?

My brothers computer has started to screw around [again] and, this time, I'm unable to do anything about it.
I've identified the virus : PMROPN.exe.

Anyways, I've got the logs here. Thanks.


Code: [Select]Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:24:42 PM, on 10/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Safe mode with network support

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\PremierOpinion\pmropn.exe
C:\windows\Explorer.EXE
C:\WINDOWS\system32\wbem\unsecapp.exe
E:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: DriveLetterAccess - {5ca3d70e-1895-11cf-8e15-001234567890} - C:\windows\System32\DLA\DLASHX_W.DLL
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DLA] C:\windows\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - Startup: [emailprotected] = %APPDATA%\Microsoft\Installer\{6B755EC3-C709-4F5C-BC58-BC0D3967B6B6}\_2377D972A0372FCB34E3F7.exe
O4 - Startup: UltraVNC Server.lnk = C:\Program Files\UltraVNC\winvnc.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm378YYHK
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1242976504280
O16 - DPF: {c3f79a2b-b9b4-4a66-b012-3ee46475b072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O18 - Protocol: about - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: cdl - {3DD53D40-7B8B-11D0-B013-00AA0059CE02} - C:\windows\system32\urlmon.dll
O18 - Protocol: dvd - {12D51199-0DB5-46FE-A120-47A3D7D937CC} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: file - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\windows\system32\urlmon.dll
O18 - Protocol: ftp - {79EAC9E3-BAF9-11CE-8C82-00AA004BA90B} - C:\windows\system32\urlmon.dll
O18 - Protocol: gopher - {79EAC9E4-BAF9-11CE-8C82-00AA004BA90B} - C:\WINDOWS\system32\urlmon.dll
O18 - Protocol: http - {79EAC9E2-BAF9-11CE-8C82-00AA004BA90B} - C:\windows\system32\urlmon.dll
O18 - Protocol: https - {79EAC9E5-BAF9-11CE-8C82-00AA004BA90B} - C:\windows\system32\urlmon.dll
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: javascript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: local - {79EAC9E7-BAF9-11CE-8C82-00AA004BA90B} - C:\windows\system32\urlmon.dll
O18 - Protocol: mailto - {3050F3DA-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: mhtml - {05300401-BCBC-11D0-85E3-00C04FD85AB4} - C:\windows\system32\inetcomm.dll
O18 - Protocol: mk - {79EAC9E6-BAF9-11CE-8C82-00AA004BA90B} - C:\windows\system32\urlmon.dll
O18 - Protocol: ms-its - {9D148291-B9C8-11D0-A4CC-0000F80149F6} - C:\WINDOWS\system32\itss.dll
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
O18 - Protocol: res - {3050F3BC-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: sysimage - {76E67A63-06E9-11D2-A840-006008059382} - C:\windows\system32\mshtml.dll
O18 - Protocol: tv - {CBD30858-AF45-11D2-B6D6-00C04FBBDE6E} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: vbscript - {3050F3B2-98B5-11CF-BB82-00AA00BDCE0B} - C:\windows\system32\mshtml.dll
O18 - Protocol: wia - {13F3EA8B-91D7-4F0A-AD76-D2853AC8BECE} - C:\WINDOWS\system32\wiascr.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: premieropinion - C:\Program Files\PremierOpinion\pmls.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\windows\
O23 - Service: Google Update Service (gupdate1ca2c76caf90b44) (gupdate1ca2c76caf90b44) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: My Web Search Service (MyWebSearchService) - MyWebSearch.com - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - PROLIFIC TECHNOLOGY Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\windows\system32\PnkBstrB.exe
O23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\windows\

--
End of file - 7692 bytes
Unable to get SAS to install.

MBAM log:

Code: [Select]Malwarebytes' Anti-Malware 1.41
Database version: 2973
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/17/2009 12:35:02 PM
mbam-log-2009-10-17 (12-35-02).txt

Scan type: Quick Scan
Objects scanned: 95658
Time elapsed: 3 minute(s), 2 second(s)

MEMORY Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 140
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 19
Files Infected: 93

Memory Processes Infected:
C:\Program Files\PremierOpinion\pmropn.exe (Trojan.Agent) -> Unloaded PROCESS successfully.

Memory Modules Infected:
C:\Program Files\PremierOpinion\pmls.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\PremierOpinion\components\pmxg.dll (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\funwebproducts.datacontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c8cecde3-1ae1-4c4a-ad82-6d5b00212144} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{17de5e5e-bfe3-4e83-8e1f-8755795359ec} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1f52a5fa-a705-4415-b975-88503b291728} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a626cdbd-3d13-4f78-b819-440a28d7e8fc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.datacontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8ca01f0e-987c-49c3-b852-2f1ac4a7094c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1093995a-ba37-41d2-836e-091067c4ad17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{120927bf-1700-43bc-810f-fab92549b390} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{247a115f-06c2-4fb3-967d-2d62d3cf4f0a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e53e2cb-86db-4a4a-8bd9-ffeb7a64df82} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{90449521-d834-4703-bb4e-d3aa44042ff8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{991aac62-b100-47ce-8b75-253965244f69} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{bbabdc90-f3d5-4801-863a-ee6ae529862d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d6ff3684-ad3b-48eb-bbb4-b9e6c5a355c1} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{eb9e5c1c-b1f9-4c2b-be8a-27d6446fdaf8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0f8ecf4f-3646-4c3a-8881-8e138ffcaf70} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b813095c-81c0-4e40-aa14-67520372b987} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9d7be3e-141a-4c85-8cd6-32461f3df2c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cff4ce82-3aa2-451f-9b77-7165605fb835} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historykillerscheduler.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.historyswattercontrolbar.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e47caee0-deea-464a-9326-3f2801535a4d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e1656ed-f60e-4597-b6aa-b6a58e171495} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.htmlmenu.2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.iecookiesmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.killerobjmanager.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{8e6f1830-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2b-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{63d0ed2d-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8e6f1832-9607-4440-8530-13be7c4b1d14} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9571378-68a1-443d-b082-284f960c6d17} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswatterbarbutton.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\funwebproducts.popswattersettingscontrol.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{e79dfbc0-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{72ee7f04-15bd-4845-a005-d6711144d86a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbc9-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e79dfbcb-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{e79dfbca-5697-4fbd-94e5-5b2a9c7c1612} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.chatsessionplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3e720450-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720451-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e720453-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3e720452-b472-4954-b7aa-33069eb53906} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.htmlpanel.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.outlookaddin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{7473d290-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d291-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d293-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d295-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7473d297-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d292-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7473d294-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7473d296-b7bb-4f24-ae82-7e2ce94bb6a9} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearch.pseudotransparentplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.settingsplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mywebsearchtoolbar.toolbarplugin.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{29d67d3c-509a-4544-903f-c8c1b8236554} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e3537fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{938aa51a-996c-4884-98ce-80dd16a5c9da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eaa-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{07b18eac-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6e74766c-4d93-4cc0-96d1-47b8e07ff9ca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{de38c398-b328-4f4c-a3ad-1b5e4ed93477} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e342af55-b78a-4cd0-a2bb-da7f52d9d25f} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{f87d7fb5-9dc5-4c8c-b998-d8dfe02e2978} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e0de227-5ce4-4ea3-ab0c-8b03e1aa76bc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{84da4fdf-a1cf-4195-8688-3e961f505983} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d9fffb27-d62a-4d64-8cec-1ff006528805} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{0d26bc71-a633-4e71-ad31-eadc3a1b6a3a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07b18ea0-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f42228fb-e84e-479e-b922-fbbd096e792c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286} (Adware.PremierOpinion) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\2e1117ed (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\2e1117ed (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\2e1117ed (Rootkit.Rustock) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\premieropinion (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Word\Addins\MyWebSearch.OutlookAddin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyWebSearch bar Uninstall (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\(default) (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) GOOD: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion (Trojan.Agent) -> Delete on reboot.
C:\Program Files\premieropinion\components (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\PremierOpinion (Adware.PremierOpinion) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\f3PSSavr.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\2e1117ed.sys (Rootkit.Rustock) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Local Settings\Temp\7zS3205.tmp\patch.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3HKSTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3REGHK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\FWPBUDDY.PNG (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3HIGHIN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3MEDINT.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\MWSSVC.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D5091 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D5F57 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D62F0.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D65CF.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D6801.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D6A34.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\000D6C57.bin (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search3 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\CM.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\WB.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\chrome.manifest (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\install.rdf (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\pmls.dll (Trojan.Agent) -> Delete on reboot.
C:\Program Files\premieropinion\pmoci.bin (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\pmph.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\pmropn.exe (Trojan.Agent) -> Delete on reboot.
C:\Program Files\premieropinion\pmservice.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\pmxf.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\premieropinion\components\pmxg.dll (Trojan.Agent) -> Delete on reboot.
C:\Documents and Settings\All Users\Start Menu\Programs\PremierOpinion\About PremierOpinion.lnk (Adware.PremierOpinion) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PremierOpinion\Privacy Policy and User License Agreement.lnk (Adware.PremierOpinion) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PremierOpinion\Support.lnk (Adware.PremierOpinion) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\PremierOpinion\Uninstall Instructions.lnk (Adware.PremierOpinion) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Download 100,000 Emoticons!.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\user\Desktop\Sherv.NET - Animated Emoticons, Winks, Display Pics, plus more!.url (Rogue.Link) -> Quarantined and deleted successfully.

If SOMETHING is corrupted in this profile a new ONE will normally fix it. To create a new user profileOk, I TRIED a new profile and it didn't fix anything.I'm out of ideas.

If you don't want to go through the reformat then you might TRY a Startup Repair. Startup Repair: frequently asked questions

On my laptop I am receiving several pop-up boxes when I try to log on that have different title messages but the same error message within the pop-up.
These occur before I choose a user to log on under and then throughout the log on process which never finishes:
services.exe - Bad Image
lsass.exe
bcmwltry.exe
userinit.exe
explorer.exe
verclsid.exe
rundll32.exe
QTTask.exe

The application or DLL C:\WINDOWS\system32\dafonole.dll is not valid Windows image. Please check this against your installation diskette. Eventually it just times out. Can anybody help me with this?
Are you able to log on?

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to block DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.But I can't log on the laptop, I am posting from another one now. Is there anyway to download the file onto my laptop without logging on, the operating system is XP and I have tried safemode but it just locks upNo you have to log in. Instead of safe mode have you tried 'Last known good configuration'

How to start your computer by using the Last Known Good Configuration feature in Windows XPOK I will try that now.I was unable to run the dds file, far too many pop-ups that never seemed to end and no log files were ever generated. It did get to the spash screen that explained about dds but that was it, so I tried an hijackthis and it worked so I am including the log file here.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:38 PM, on 10/15/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Safe mode

Running PROCESSES:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
E:\PC Repairs\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061206
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061206
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=5061206
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [DLCICATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCItime.dll,[emailprotected]
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [6423934b] rundll32.exe "C:\WINDOWS\system32\whiviakn.dll",b
O4 - HKLM\..\Run: [wizoguruba] Rundll32.exe "C:\WINDOWS\system32\pasagami.dll",s
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Dell Network Assistant.lnk = ?
O8 - Extra context MENU item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL hefpex.dll gygrhi.dll pqgugu.dll axcatz.dll uolvqo.dll ctyvfq.dll cgtcdz.dll,C:\WINDOWS\system32\dafanole.dll,C:\WINDOWS\system32\telopezo.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: dlci_device - - C:\WINDOWS\system32\dlcicoms.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 5664 bytes

I don't know if there is anything else I can try, I will see if I can run any of the programs suggested in the forum for malware/viruses. Maybe I can download them now as the lock ups don't seem to be as bad.If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure top save it to the Desktop.

Link #1
Link #2

**Note: It is IMPORTANT that it is saved directly to your Desktop

Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click combofix.exe & follow the prompts.
Vista users Right-Click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix

Have done so with REGARDS to Avira. I hope SOMEONE else can help me with my other problem. As I said, the slow down seems to start only be after I open the internet and start to browse but when it does, it effectively SLOWS down the whole netbook, not just the internet browser. http://www.avg.com/gb-en/download-tools


go to above to complete the removal of avg

sorry i cannot help you with the above , harryOK, if no one has an idea as to what may help this problem, I guess I will just reinstall windows. I just hated to something time consuming if I could fix it another way.


Edit: Oct. 19, 2009: Done so and COMPUTER RUNS just fine now. This can be closed.

actually i asked the reply FRM the remaining people.Not for you Mr.Allan.If u think wrong i m sorry.
Even i am logging from DIFFERENT user i am GETTING the same problem.I want to know exactly WHATS the problem its bcoz of a virus or any hardware problem.

The BSOD I get is 0x0000007f
Beginning dump of Physical Memory

There are no other clues. When we get finished here I will check at the XP forum.That error could be a lot of things. I don't think it's malware though. See here. http://support.microsoft.com/kb/137539

I can't remember if we asked. Do you have your install CD?

Try this also. Not sure if it works in Safe Mode but try anyway.

• Click on Start > Run and type sfc /scannow then press Enter (note the space between scf and /scannow)
  • Let this run undisturbed until the window with the blue progress bar goes away

WGA Data-->
Validation Status: Invalid Product Key
Validation Code: 8

It may not be compatible with 64 bit so didn't actually INSTALL. http://www.viewpoint.com/technologies/viewpoint-media-player.shtml#system-requirements

DELETE An Uninstall Entry

• Start HijackThis
  
• Click on the OPEN the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Highlight the entry you want to remove.
• Click Delete this entry

Yesterday I saw the yellow shield in the bottom corner telling me updates for Windows were available. So, before bed I clicked install updates and shut down. After it became apparent something was wrong I searched for solutions and finally USED Malwarebytes' AntiMalware-which seemed to fix everything. But, I'm on here because there's still a red shield in the corner of my screen that I don't think should be there. When I move my mouse over the shield it reads "Windows security alerts." Other then that being there everything seems to be WORKING great. These are my logs:


Comments, help.

An update-the yellow shield with an exclamation mark has appeared again asking me to click here to install updates.

[Saving space, attachment deleted by admin]Just double click on the shield, open Security Center, disable the alerts.Please go to VirSCAN.org FREE on-line scan service
(If more than one file needs scanned they must be done separately and logs posted for each one)

1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
Code: [Select]C:\Documents and Settings\sharyn\Application Data\MSA\msctrlp.exe2. At the upload site, click once inside the window next to Browse.
3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
4. Click on the Upload button.
This will perform a scan across multiple different virus scanning engines.
Your file will possibly be entered into a queue which normally takes less than a minute to clear.
Important: Wait for all of the scanning engines to complete.
5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
6. Paste the contents of the Clipboard in your next reply.

----------

Download DDS from |HERE| or |HERE| or |HERE| and save it to your desktop.

Vista users right click on dds and select Run as administrator (you will receive a UAC prompt, please allow it)

* XP users Double click on dds to run it.
* If your antivirus or firewall try to BLOCK DDS then please allow it to run.
* When finished DDS will open two (2) logs.

1) DDS.txt
2) Attach.txt

* Save both logs to your desktop.
* Please copy and paste the entire contents of both logs in your next reply.

Note: DDS will instruct you to post the Attach.txt log as an attachment.
Please just post it as you would any other log by copy and pasting it into the reply.
Copy and paste will not work! And, I cannot type the line in the box either. So, I tried using the browse feature to find the path(?) or line to the file to scan. I could not find the exact path. Using browse I get to C:\Documents and Settings\sharyn\Application Data\MSA ( I was able to copy and paste this), but after MSA there are only download.list and update.list. I could not find msctrlp.exe(again copy and pasted here). I also had to change folder options to show hidden files to see the Application Data folder. I don't understand why I cannot type or paste into this box but I can use the browse feature.

I just tried using seach entering msctrlp.exe(again I could copy and paste) and no results.OK just continue on with DSS please. I'm 99.9% certain that msctrlp.exe is a malicious file so we will take care of it shortly.OK. Info posted.

[Saving space, attachment deleted by admin]Go to Add or Remove Programs and uninstall:

• Java 2 Runtime Environment, SE v1.4.2_03
• Java(TM) SE Runtime Environment 6 Update 1
• Viewpoint Media Player

• Start HijackThis
  
• Click on the Open the Misc Tools section
  
• Click on the Open Uninstall Manager button.
  
• Highlight the entry you want to remove.
• Click Delete this entry

Hi.

I have finished running the ESET Scanner.

When I started it I selected "Scan Archives" only. I DEselected "Remove Threats".

I ran the scan on my C drive only.

I have not tested the external drives that were connected when Norton
issued its warning.

The final screen gave this information :

Scanned files : 196757
Infected files : 0
Cleaned files : 0
Total scan time : 02:20:41
Scan Status : Finished

The program gave me the opportunity to "Uninstall application on close"
- I agreed and consequently can't access a full log file.

Do I need to run the scan again to get any extra information that
this text file might have contained ?

Thank you again - very much - for your help.You can download it again and scan all your drives but this time leave "Remove Threats" checked.Hi

I have started the ESET Online Scan again - this time
with my external drives attached. The program NEVER asked
me to choose from a list of drives to examine.

Will it automatically look at ALL of the drives ?

Is it O.K. for me to still have Avira active?Quote

Will it automatically look at ALL of the drives ?

Is it O.K. for me to still have Avira active?

Lots of problems...

Let's start with one obvious one. I believe I have a virus. I would normally just run Norton Antivirus, but that's not available to me at the moment, and I'm not having luck with online scans.

One odd thing is that my Internet Explorer (6.0) has been renamed Intemap memphisrnet explorer. Other info is that I'm running Win98.

Anyone know what this is?smirks......do you have any idea which virus you might have .......go to
http://securityresponse.symantec.com/

there a number of removal tools there to use.......
It might also be a good idea to D/L .....Zone Alarm (free fireawll) ....you MAY then be able to catch the virus attempting to send out its bugs to other computers
http://www.zonelabs.com/store/content/home.jsp
let us know how you make out.

dl65 On my 11TH attempt, I finally managed to run Norton's online virus scanner all the way without my computer crashing. Only one trojan, W32.HLLW.Chemsvy, from a file I downloaded the other day...after the onset of my computer problems. From what I've read, it's pretty benign, so I doubt it was the source of my problems.

I guess I'll have to look at software and hardware issues now.

Thanks for your help smirks.....did you manage to get rid of the trojan?
Download and run trojan remover.....it works great , but is an evaluation copy ...only good for 30 days .
http://www.simplysup.com/tremover/download.html
Does your p/c shutdown on fairly regular time frames....
because you have virus in there as well that causing that , unless you have software conficts which are causing this.

let us know ,

dl65 Oh, getting rid of that particular trojan was easy. It's just a matter of deleting the infected files. I'll KEEP that program in mind though.

I think my pc problems are unrelated to the virus. I've been having SEVERAL weird Windows problems...my quick launch toobar will disappear, or I'll start getting messages that my pc is low on resources when I'm not running a lot of programs. And for some reason, installing the new Windows update makes Explorer crash. Maybe I have a corrupted windows file or two.

Bleh.

get rid of ie 6 it the root of your problems if you have not got a zombie/worm download EITHER firefox or avant browser..forget ie6 and try shredder to keep the spys at bay>http://www.spywareinfo.com/~merijn/downloads.html and keep it on your desktop for more use if needed?Thanks for your reply. I uninstalled and reinstalled IE6. This seems to have gotten rid of the problem. (For now...) I downloaded CWShredder and everything looks okay. I was negative for trojans or worms on the online scan above and Norton AV.

ok i cant connect to the internet and i got this message when i try to start up explorer, somethign msg.121.cpy.dll, so i looked on the internet and tried to fix it it says its sometihng from spyware or something well i dont understand how to fix it so can SOMEONE here PLEASE tell me how to do it, thank you so muchHi NoHate,try running Ad-Aware to detect this,also try PANDA software's free ONLINE scan.This seems to catch most Trojans & viruses.thanks, but i'v got it already.www.trojanscan.com try Spy-Sweeper
http://download.com.com/3001-8022-10267571.htmlnohate....this may be a stupid question ......but if you can't connect ....how are you able to post here ....are you using another computer ?

Please let us know
dl65 oh well if i unistall then install the internet (that STUFF on the disk) it will work untill i restart the computer, but i fixed this whole tihng a while ago.Well i would look for a good trojan remover or a ANTIVIRUS like Nortan or go on a site like they said above. Hope it goes away

help me ....Are all the utility programs you listed up to date with the latest updates ......for example are you running Ad-Aware Ver 6 build 181 .....Go to Symantec site... http://www.symantec.com/index.htm go to the Download part and select security check ......run both
Security scan and VIRUS scan.....Then I would D/l Zone Alarm ( the free version)
http://www.zonelabs.com/store/content/company/products/znalm/freeDownload.jsp?lid=zadb_zadown

When you setup Zone Alarm ........you POPUPS will probably ask for permission to access the internet ...answer no ......
After doing the scans I would do a search using the search function in Win XP . ( but first go into the control panel ......folder options and tick " show hidden files" and untick " hide hidden operating system files ") Search all files and folders for whatever the search bar is your trying to get rid of and delete it . One more thing .....go up to the "View" button up top on your explorer and click on it ...select toolbars and see it its shows up there ....if it does make sur its not ticked

let us know how you make out ,

dl65 didnt helpmy temp internet files get deleted everyother dayand i have deleted my cookieshelp me....Is the manipulatingtheicesurface.com still showing up as your browser or is it just the pop ups.
Can you right click on the popup and see if theres any info . There has to be some referance to those things somewhere on your puter. I havent been to that site...
did you get attached by simply going to the home page or did you click on something.
let me know because I would like to see where its coming from .
When you search for it ....what perameters are you using?

DL 65
help me .....If this is a site you frequent often and dont want the pop ups ......use a pop up blocker. .........
Am I missing something ?

let me know.....

dl65 ive never visited this site i never heard of it till i got these pop-ups one day and i dont want a pop-up blocker i need something that'll remove the program

Hi,

ONE computer in the office has downloaded an evil tool called "searchbar".

This happened a few weeks ago. All it has done is changed the home page of IE, and given SPYBOT some FITS. The computer is an old piece of junk running on a Pentium 1 @ 300mhz making installing things like firewalls impossible. OS is Windows 98.

Spybot finds files and "fixes" them but never gets rid of the "searchbar".

Does anyone have any "Free" ideas? (Besides throwing the old thing out the window and GETTING a new one)

Thanks in advance.
wizardmaster.....the search bar thing must be going around right now .......try this Trojan remover go to
http://www.simplysup.com/tremover/download.html
Its a full working evaluation prog ( 30 days ) give it a try.

laso give this a try if the above doesnt help ..
http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html this sounds like whats happening on your p/c


Let us know

dl65
.............. this happened to me too. Go to one of the site he says and it should help.The first link's program didn't do anything. I don't think it's a trojan...but I'm not an expert so I'll just keep my mouth shut.

I APPRICATE the help, I'll try the second one tomorrow. I'm late for a meeting so I can't do it today. errr I hate this "searchbar"

if you run across any other ideas please let me know them.

thanks,

wmeither download shredder>http://www.spywareinfo.com/~merijn/downloads.html or spysweeper from webroot.com and this if you wish>http://www.wilderssecurity.net/bhblaster.html[glb]shredder[/glb] did it! Appreciate it!

Thanks,

[glb][glb]wm[/glb][/glb]

its the sasser WORM its a product of the m$blaster worm TRY this >http://vil.nai.com/vil/stinger/ more info here>http://www.microsoft.com/security/incident/sasser.aspHi .....GO to http://securityresponse.symantec.com/avcenter/tools.list.html this tool will get rid of the Sasser........you may have to use another computer to get this tool as yours will keep shutting down......Download it to a disk and the install it in your computer.....It works ....I had to do that for a friend YESTERDAY ..

DL65

please help me?!!? I have this AIM virus and what it does is that it pops up a away message saying that

OMFG LOOK http://pics99.blogsite.org/friends.scr !!!!!

or something similiar like that. The away message pops up like every one MINUTE so its REALLY really annoying. It all started when I went to that website and when a download window came up, I clicked open. I'm not 100% sure but i think when the download was completed, MS-DOS window came up for a second. So im guessing that now that thing I downloaded is running on my computer. I TRIED to shut off that program but going to Task Manager and clicking End Task, but it didnt let me. It didnt even let me open the Task Manager window. When I go to Task Manager, it would STAY on for a second or not even and go off, without giving me any chance to shut off any program.

PLEASE HELP ME THIS IS SO ANNOYING!Please Read This First - Viruses & Spyware

Install the programs recommended to scan for viruses, trojans and spyware.

OK, got big trouble w/ menu's and homepages that I had nothing to do with getting on my computer. Can anyone look at a hijackthis log and tell me what the problem(s) are? I can't seem to get the file on this post, so if someone could tell me how, or give me an email ADDRESS and I will send it to them. Thank you very much for your time!

Ruben LourencoCopy and paste the results.

Rather than having us look at your log, run a program such as

Adaware SE

Or Spybot Search & Destroy

They can do more for you than we can by looking at your log.Tried to copy and paste the results, but it was too long and would not post. could I put the file in the post somehow? Also, have run spybot and these menu bars keep coming up!
Again, thank you very much for your time!Copy half of the log, post it, then copy the other half and create another post.

As for REMOVING Internet Explorer Toolbars/Plugins

I recommend Advanced Uninstaller Pro 2004

It can do more than uninstall Internet Explorer Toolsbars/Plugins

Quote

This easy-to-use Windows application uninstaller makes your computer run more efficiently by removing software and files that were left behind after you uninstalled software that you no longer use. In addition, the program performs a number of cleanup activities, making your computer more secure

hey guys. I am having a PROBLEM with a virus of some sort. My comp is randomly rebooting, sometimes i'm online and sometimes it's just on the desktop with the screen saver on. Aslo it randomly freezes to a blank white screen with vertical lines. When it does this I have to reboot it and then it works fine for a little while. I've tried updating all the windows 2000 updates and everything and running Norton. When I did that Norton said I had a worm in msegri32.exe. I don't know if that's a FILE or what but I tried deleting it and it supposedly did, however I found it again when i was searching for it. I don't know how else to get it to stop. Do any of you techies have any ideas? I have the installation disk but if I reintall it will I lose all the other stuff on Windows? Thanx

Chelsea Please Read This First - Viruses & Spyware

Does Norton not allow you to remove the file? If it does not, I suggest you boot into safemode and scan from there.

Look at the programs recommended in the sticky. They may be useful to you.

You might has the virus called MSBlaster and its a little hard to remove goto microsoft.com and do a search for 'msblast' and they wiull give you a step by step walkthough of how to remove it. if that does not work, you might have a boot sector virus with you can use a WIN98 bootup disk, and run without cd-rom support and type: fdisk /mbr - which will remove your master boot record of any kind of startup issues. if you are still having the problem, (if you are running winxp, win2k) goto start > run and type 'regedit' and goto Local Machine > SOFTWARE > microsoft > Windows> Run. and see if you see anyhting unusual that runs during startup.http://support.microsoft.com/default.aspx?scid=kb;en-us;190136 reboot pc and keep tapping the f8 and chose last good config.....do you have firewall on you system...and run this >http://vil.nai.com/vil/stinger/Ok I found out that it's a Randex H worm. I follwed the instructions and downloaded IDEs and some other thing and booted it in safe mode and diid the comand prompt to scan and remove it. The thing is-- it removed the file but it was still on my comp. maybe through the registry? So now I still have this thing on my comp and there are lots of files and even folders that it has created that it won't let me delete. It either says access denied, or that it's in use. So I'm gonna try what you suggested merlin. I don't have a firewall but I did go through andmake passwords for everything. OH, and can anyone tell me what a patch is and how you know it's up to date? Thanx guys Passwords are not the same as a firewall. They are not nearly as effective. Passwords are to keep people from your system that use your keyboard. Firewalls are there for people and programs that try to connect your computer.

Here is an article I suggest you read:

How Firewalls Work

Once you have done so, I suggest you obtain a firewall to prevent the worm from connecting the net.you can get avg antivirus free on the net and this will remove or QUARINTINE the trojan , it has also caught 2 for me when i have been online it is a very good freeware pakage there is also free updates as well.

my computer is being used to spam email to other people. Please help!Please Read This First - Viruses & Spyware

Install:

• Adware remover
  
• Virus scanner
  
• Firewall
  

Can anyone tell me what this is? mcsmss.exe?WEB.......are you certain about .... mcsmss.exe ?
Could you have typed it wrong?

let us know
dl65No, thats what was trying to access the internet. At first I thought it was msn, nut know it was not. Any idea?wardbo......I cant find anything on mcsmss.exe. how did you pick it up ....did your firewall catch it ? Have you tried doing a search of your pc for anything with that description ?
If it was your firewall that caught it is there a log file .....there may be additional info in it .

hope this helps ...let us know

dl65 I finally solved it. It was a backdoor Trojan that I somehow got. I think I got it when I was downloading or using ICQ. I knew I should not use it!ICQ does not come with Trojans or viruses. Not even Spyware.

You either DOWNLOADED it from a questionable source or you accepted a file sent by another user who you could not trust. (Even if you could, he/she should install a (better) virus sanner). In both cases you shouldn't hold ICQ RESPONSIBLE for your mistakes.I use AVG for my virus protection. Can you suggest a better one. I thought it was ICQ because it was the only program that I have down loaded. I also have a trojan in a system volume folder that I cannot get into. I have tried to get into it through safe mode but it will not allow me. AVG does not seem to clean this one out!WEB.......perhaps if you go to control panel / folder options /click VIEW and scroll down until you get to show hidden folder put a tick there ....move down to show hidden system folders ( not recomended ) tick there ...click APPLY and ok ....now you should be able to see those folders and get into them .
When your done change thing back to as they were .

Hope this helps

dl65 Quote

I use AVG for my virus protection. Can you suggest a better one. I thought it was ICQ because it was the only program that I have down loaded. I also have a trojan in a system volume folder that I cannot get into. I have tried to get into it through safe mode but it will not allow me. AVG does not seem to clean this one out!

Been having TROUBLE lately with pop-up ..have run ad-aware and am STILL getting them.. I have HEARD that the GOOGLE tool bar is good for getting rid of these. Has anyone every used it and if so does it seem to help? Thanks alot!Use Firefox as a BROWSER rather than Internet Explorer:

Mozilla Firefox

google toolbar is good. MSN Tool bar also works. Also Popup stopper from Panicwaremy favorite is this one>http://www.secretmaker.com/

I ran an online scan on Trend Micro and it FOUND a virus called the WORM_NACHI.DAM and the file was svchost located in the C:/Windows/System32/drivers. then i got another one only in the system32 folder. i checked properties of both and the one dat is not infected had a description of Generic Host Process for WIN32 Services, while the one infected had Unknown. should i got ahead and DELETE this? it does look suspicious being the only .exe file i got in the drivers folder.Delete or rename it and RERUN the virus scan.

Quote

gpcii....The last entry 017....... with the two ip addresses ....can you check and see if they belong to your server , because when I googled them they dont APPEAR to be valid ....

However, why not contact your ISP and ask them what you can do about the filter?

Help? Can anyone answer this? I'm running WINDOWS XP with both SP 1 and SP2. When Iboot up my computer a messageg COMES up that Nortons 2002 states that since I don't TCp/IP settings it won't scan my E mail. I have both the "Internet PROTOCOL tcp/IP and Microsoft TCP/IP ver 6 selected on the system. Also since I'm on cable they tell me I automatically have a TCP/IP setting through their modem. In the past Nortons used to scan both incoming and outgoing messages. What do I need to change?Before installing service packs you should uninstall your antivirus software. Try uninstalling Norton and reinstalling it. My wife had a similar problem and that cured it.

What virus scanners do you use?

I am currently using Kaspersky Anti-Virus personal. Before that I was using Kaspersky Anti-Virus 5.0 and Norton 2003.

So far, I like Kaspersky Anti-Virus Personal best. It is very small and easy to use.

Norton for myself. If I install antivirus protection on anyone elses machine for free, I use AVG from GrisoftAVG Free Raptor.....I use Norton 2004 on my machines and have never had a problem.........If I have to load a anti virus on a machine I'm servicing for a friend who doesn't have one I will load AVG.........

cheers
dl65 NAV04 and Common Sense.anti-vir personal edition ....free...Is there no registered AVG?Raptor......Yes there are registered VERSIONS........
http://www.grisoft.com/us/us_index.php

cheers
dl65 Why does everyone seem to use the free version?I guess not everyone likes to steal software.most software starts off being free till it GETS popular and then the cash barons come into play...or someone BUYS them out....like ROXIO go back ....>is now norton go back..its best to not have all you eggs in one basket....anti-virus+stinger+ shredder +spysweeper and a twist to this post who is writing them....is it an anti-virus....software...empire...no viruses.. no bussiness..makes you wonder ...?i my SELF use nortonI my self as opposed to I somebody else?Quote

and a twist to this post who is writing them....is it an anti-virus....software...empire...no viruses.. no bussiness..makes you wonder ...?

Said 173 things wrong. I'm afraid if I click to fix, I will wipe out my MACHINE. Was clean about 2 weeks ago. Is this virus? AVG doesn't pick up anything. This is only small part of listing from Spybot.

Congratulations!: No immediate threats were found. ()
Windows Registry: C:\WINDOWS\Downloaded Program Files\googlenav.dll (Missing shared DLL, nothing done)
googlenav.dll
Windows Registry: C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe (Missing shared DLL, nothing done)
WinCinemaMgr.exe
Windows Registry: c:\WINDOWS\System32\msxml3a.dll (Missing shared DLL, nothing done)
msxml3a.dll
Windows Registry: logos.exe (Wrong app path, nothing done)
Windows Registry: Rrbaby.exe (Wrong app path, nothing done)
C:\Program Files\The Learning Company\Reader Rabbit Kindergarten\Rrbaby.exe
Windows Registry: SoundMAX (Wrong app path, nothing done)
C:\Program Files\Analog Devices\SoundMAX\SoundMAX
Windows Registry: SPANISH.EXE (Wrong app path, nothing done)
F:\SPANISH.EXE
Windows Registry: winnt32.exe (Wrong app path, nothing done)
Windows Registry: yourapp.Exe (Wrong app path, nothing done)
C:\Program Files\Kodak\Camera Connection Software\yourapp.Exe
Windows Registry: table30.exe (Wrong app path, nothing done)
Windows Registry: SoundMAX WDM Driver (Wrong app path, nothing done)
C:\Program Files\Analog Devices\SoundMAX WDM Driver\SoundMAX WDM Driver
Windows Registry: setup.exe (Wrong app path, nothing done)
Windows Registry: ORUN32.EXE (Wrong app path, nothing done)
C:\WINDOWS\ORUN32.EXE
Windows Registry: install.exe (Wrong app path, nothing done)
Windows Registry: cmmgr32.exe (Wrong app path, nothing done)
C:\WINDOWS\System32\cmmgr32.exe
Windows Registry: DImageViewer.exe (Wrong app path, nothing done)
C:\Program Files\DiMAGE Image Viewer Utility\DImageViewer.exe
Windows Registry: arcsoft.exe (Wrong app path, nothing done)
C:\Program Files\ArcSoft\PhotoImpression\arcsoft.exe
Windows Registry: 3dtf.exe (Wrong app path, nothing done)
C:\Program Files\hp\Photo Manager\3dtf.exe
Adobe ACROBAT Reader 5: Last selected preference panel (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\PrefsDialog\aLastPrefsPanel
Adobe Acrobat Reader 5: Recent file #1 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c1
Adobe Acrobat Reader 5: Recent file #2 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c2
Adobe Acrobat Reader 5: Recent file #3 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c3
Adobe Acrobat Reader 5: Recent file #4 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c4
Adobe Acrobat Reader 5: Recent file #5 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c5
Adobe Acrobat Reader 5: Recent file #6 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c6
Adobe Acrobat Reader 5: Recent file #7 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c7
Adobe Acrobat Reader 5: Recent file #8 (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1449542653-877864702-1017937101-1003\Software\Adobe\Acrobat Reader\5.0\AVGeneral\cRecentFiles\c8
Common Dialogs: History ( (284 files)) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRUIt says no problems found. Is there something you need help with?QUOTE

Congratulations!: No immediate threats were found. ()

• Anti-virus
  
• Firewall
  
• Spyware scanner
  

wtoolsa and wsup have my windows 98 inoperable
in safe mode no icons even show up or the START button
scan reg didn't help
if yo have ideas with the C:/ please explain how to GET there in easy terms i'm pullin my HAIR out
Sounds like you may need to repair some of the system files, which is quite easy in Win9X.
Boot from the boot floppy. Once you get to the DOS PROMPT, type
sys c:
this will overwrite the basic system files.
When it's done, REBOOT into safe mode and run Ad-aware and Spybot.Does this work for XP?

Ive run Adaware, Spysweep, Spybot S&D and windows washer yet my comp still randomly reebots and my internet explore home page is still bein changed to a website called "about:blank" how do i make my COMPUTER not suckThe random rebooting of your computer is not necessarily a software problem. First though, I would ensure your virus definitions are up-to-date and I would run a full system scan. Also, make sure that ALL of your drivers are good.

If that doesn't work, CHECK the fan on your processor. If you touch it and burn your finger, you need a new fan and that should fix the problem. I have also seen BAD RAM and hard drives cause the problem. Hope that helpsJanet.........What anti virus are you running and is it current and complete with all the latest updates ?.
Also ....the fact that your home page is being changed,
suggests that you may have have a hijacker present.
So ......D/l CW Shedder .........Ver 1.59.1
http://www.majorgeeks.com/download4086.html ...
when your hompage is changed to " about blank" run Shedder and it should change it back and TELL you what changed it .

If you do in fact have a hijacker ......then you will have to REMOVE it using Hijackthis......
http://www.majorgeeks.com/download3155.html ....
Now if you want to know what the hijack this log is all about goto .......... http://computercops.biz/HijackThis.html
http://computercops.biz/CLSID.html
http://computercops.biz/StartupList.html
Here's more info on the hijacker .....
http://www.richardthelionhearted.com/?url=merijn.richardthelionhearted.com

Let us know how you make out .

dl65

when ever i disconnect from the internet something happens to my dial up. when i go to connect again later my user name has changed with like an IP ADDRESS at the end and the phone number i use to dial to my ISP has change to this huge string of numbers. i have done spyware checks and run ANTIVIRUS scans but i can't find ANYTHING. its really pissing me off.
please can anyone help?!?!save your username and password...delete your dial up connection and MAKE a NEW one and see if it does it again? and what operating system is this happening to?

My computer has deep deep issues, it all started when my internet was FROZE to one page. I call the computer company and they basically told me to run a system recovery. I did and that did not fix the problem. It deleted everything that it intended to do, but now everytime i try to do anything i get error MESSAGES like not accessible to desktop and stuff like that. I TRIED to buy and antivirus program thinking that would do the trick but the computer says (yes it talks) that i NEED 11megabytes to load the software. I try to do that and that doesn't happen. I cant even reload my isp through the cd rom this whole thing is frustrating i am hoping somewhere someone could help me. Let me know please thank you very muchSeems to me like you're better off formatting your HDD. Take proper precautions before connection to the internet and install an Adware SCANNER, Virus scanner and a Firewall.

How Stuff Works - How Computer Viruses Work

How Stuff Works - How Firewalls Work

How Stuff Works - How Internet Cookies Work

can anyone tell me what this PROGRAM is...You probably MEAN lsass.exe, correct?

Lsass.exe is a FILE that can be infected by the Sasser worm.

What You Should KNOW About the Sasser Worm

I was getting a LOT of spyware so i downloaded spybot and ad-aware now sometimes when i try to sign on the internet i get redirected to www.404ads.net... (more there) I was wondering if anyone KNOW how to stop that.Adaware SE should offer you the OPTION to lock your BROWSER and PREVENT hijacks.

Computer appears to boot up normally - goes all the way thru to "loading personal settings" - then nothing.
All I SEE is the background - no desktop icons - no task bars - nothing. I am SURE it is a virus - trojan - etc. However, I can't run a virus scan - or can I? I tried to run in Safe Mode and got the same result - no desktop. Help me please.Try Safe mode Last known good configuration.I donot quite UNDERSTAND how you are certain that it is a virus, yet you failed to prevent the problem from happening?

I suggest you format. But before you do that, read up on Internet security.

Fresh start, more knowledge, better security.

How Stuff Works - Internet ChannelThanks for education - I is stupid. I guess I should have said I ASSUME it is a virus. I have many security measures in place - but apparently - something got by. Could I be the first VICTIM?
Sorry - your reply smacks of sarcasim and is not appreciated.
Now - try to answer the question - unless you can't (which I suspect is the case).Nothing ever gets by here.

Quote

Now - try to answer the question - unless you can't (which I suspect is the case).

Here is a super tip - Just sort your windows system32 and drivers directory according to DATE and the most recent files are on top. simply delete the files of the last four or five DAYS and you will be surprised how all the problems vanish try this safemode only....it may help people in the fight against trojans/worms/spyware etc..AH, yes, I allready see the hordes of clueless people who delete the wrong files and ask us why we'd post such tips.you would have thought by now people the own pc have the sense by now to know what to do with it if they>?DONOT YOUR USE THOSE UPDATES silly ??...some system that is keeps needing them WHY ??the question is the system is that good why do you need updates /program/fault/bad scripting/the list could be endless nice scam...but that would be then end of all fixit forums....bring on longhorn after all winxp does keep me GOING ...thou i do have a super-nap care off m$oft > that the average person needs nine.30 mins of sleep but wixp keep me awake ..wondering if it may be like the operating systems that msoft ..marking department have tried to sell the user an infalable system wake up people ...are you being conned is the question i would like to run a poll on this issue ..you can keep winxp i will stick with winme...its weird that bill gates dumped it ...the best system besides win98se...maybe is was to good !as has for the last poster it may help them concerned.... I agree with Merlin on XP; its a total suck out. Have you ever heard of Paladium or DRM or Microsofts secure computing initiative? SP2 was just the beginning. Longhorn will be the back breaker. You won't be able to run any software that has not been "approved" to run on your machine. But don't take my word for, do your own research.There are safer ways to remove redundant files..I'm agreeing with Raptor here. Methinks BEGINNERS would be a little better off with a couple of virtual dishcloths (anti-virus, anti-spyware etc) than the "pour industrial strength bleach all over everything - that'll kill all the germs" tactic.

merlin, Windows ME is four years old now (at least). It's not weird that Microsoft quit supporting it - it's good business sense.

And boys, if you're so worried about all this Palladium malarky, there are hundred's of Linux distro's avaliable for free on the internet...

Ok, it looks like my AntiVirus software has a mind of its own! The LiveUpdate just completed there with no problems. Weird or what

Thanks for the help guys, i'll be BACK if it happens again Perhaps it is due to another program you have installed that is causing Norton to behave strangly.Quote

Perhaps it is due to another program you have installed that is causing Norton to behave strangly.

Hi. I was wondering if someone could maybe give me some ADVICE, or help about a problem that my computer seems to have.

This morning, I turned on my computer, and everything was fine for about an hour, but then there was this problem that seemed to happen. Whenever I visited a site, I WOULD get pop-up after pop-up, and even when I went to my homepage, I got numerous pop-ups.

Then, my computer got really slow, and keep disconnecting from the internet. Another problem, is that my computer kept freezing up, and I've had to restart it numerous times.

The first thing that came to my mind, is that maybe my computer has a virus?

I use to have Norton Antivirus, but it doesn't scan anymore... I do have "maintenance wizard"...

If anyone has any idea what the problem with my computer is, I would appreciate any help. My email ADDRESS is [emailprotected]

Thanks.moviefan81.......What do you mean you used to have Norton Antivirus...but it doesn't scan any more......?

Certainly sounds as if your pc is infected with who knows what ......
You must install and scan with Anti Virus ( one that works) and also I would suggest Ad-Aware and Spybot .

I would also D/L and run stinger ...just to do a quick check for a few nasties. http://vil.nai.com/vil/stinger/

Then I would got to ..... http://www.symantec.com/index.htm scroll down to downloads......then select security check ........now do the scan for viruses.

Do yourself a favour and get a good anti-virus. You can D/l Norton AV .........free for 90 days ......

let us know
dl65 Trend Micro - Free Online Virus Scan

Install a decent virus scanner, but first use this.

Scan for Spyware as well.Thank you for the advice.

Norton antivirus use to scan my computer every friday, but it stopped scanning my computer. I click on "Norton antivirus", but it doesn't do anything. Maybe I need to install Norton antivirus again.

I installed "spy sweeper" and it found some "spyware" and "adware" on my computer. My computer is a bit faster today, and I'm having no problems with pop-ups, but it still disconnects from the internet every now and then.

Once again, thank you for the advice. I'll keep you updated on how things go. Hopefully those links you provided will help fix my computer.

Thanks.moviefan81......Have you checked Norton to be sure the "Auto Protect" feature is still ENABLED? Some viruses will disable that feature ....... Have you D/L and ran stinger ? Is your Norton up to date with the latest virus definitions and is your subscription still valid .......

let us know

dl65 My computer has been running great the past two days. after scanning my computer with "Spy sweeper"... it seemed to fix my computer right up. It's running fast, and it's not disconnecting from the internet like it was last week.

I'd like to thank everyone who helped me. I really appreciate all the help, and I know if I need some computer help, I'll come to this site for the help.

Thanks again everyone.I suggest you use a browser such as Mozilla Firefox and configure it STRICTLY so that not even tracking cookies get through.

Also run your spyware scanners on a regular basis. Same goes for virus scanners.

Just installed Nortaon AV Scan 2004...
How can I turn off the scan on my Word files? Every time I go to open a file, I have to wait for it to scan first.
What a pain? Is this necessary???

Thanks.wonderer.....I'm not so sure thats a great idea.....but if you must ...open Norton and CLICK on options...then click miscellaneous.....and REMOVE the tick from ....enable office plugin.
I think that will do it .

dl65 Thanks for your reply.
So, you don't think we should take it off?

What is the risk on Word files? I don't use it much...just copy and paste text from the INTERNET onto Wordpad first and then Word. (to clean up format, etc.)It may scan for harmful macros. Macros should be disabeled from within Word, but ADDITIONAL security doesn't HURT.

hey all,

Nothing's really WRONG with my computer, but I'd like to keep it that way and I was looking at my task manager and i NOTICED a STRANGE EXECUTABLE...BAsfIpM.exe...so I was just wondering if anyone knew what it is/does and if it's ok

thanks!Perchance, is your computer a Dell?

That is a driver for some SORT of card or chip from BASF. A visit to BASF web site might shed more light on the subject.

How can I find out if someone who I share a computer with has installed any programs that might be tracking my computer USAGE or GAINING access to my EMAILS or using any other method to gain access to my privacy?http://www.keylogger.net/or buy an external hard drive...Thanks for responding Merlin_2. I hope my question was clear. I am not LOOKING for a way to spy on someone else. What I want to do is find out if any programs such as Keylogger have been installed on my PC. I understand these type programs are deliberately hidden on a computer and can even be set up to secretly email my computer activities to someone. How can I check my computer to see if any such program has been installed? Thanks, Shad.i take it you are logged in as a user...download spysweeper from www.webroot.com...it should scan the pc for all programs which maybe tracking you..like radmin..keyloggers..etc..tojans /worms..and there is this>http://www.tooto.com/keyloggerkiller/ i post the keylogger to fight FIRE with fire if you get my drift Please Read This First - Viruses & Spyware

Install the programs recommended.

How Stuff Works - Security Channel

How Stuff Works - Internet Channel

Read the articles related to what you wish to know.

I have NORTON 2004 and AVG antivirus program INSTALLED in my computer having windows XP. I want to ask whether there will be any problem or conflict having both softwares.You should never have more than one virus scanner installed.

It may cause conflicts. even it does not, you will still use more memory than you have to, resulting in poorer PERFORMANCE.

I ran a virus scan with AVG 6.0 and this is a LIST of all that was found. I have tried to remove them with AVG and it says they can't be removed. I don't have a clue on how to get rid of them. I have tried to search the help sites with no luck. I have not found these virus names on any site. If someone knows how I can remove them please let me know. Thanks!!

Results of Complete Test, date and time 9/28/2004 1:01:40 :

Testing C:\ volume LOCAL DISK serial 3938-1B06
C:\_RESTORE\TEMP\A0043201.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0043208.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0044523.0 Downloader.Istbar.4.AD
C:\_RESTORE\TEMP\A0044526.0 Downloader.Alchemic.A
C:\_RESTORE\TEMP\A0044527.0 Downloader.Agent.AS
C:\_RESTORE\TEMP\A0044528.0 Downloader.Istbar.4.H
C:\_RESTORE\TEMP\A0044868.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044871.0 Downloader.Dyfica.2.AB
C:\_RESTORE\TEMP\A0044874.CPY Downloader.Istbar.4.AM
C:\_RESTORE\TEMP\A0049167.0 Downloader.Dyfica.2.AA
C:\_RESTORE\TEMP\A0049168.0 Downloader.Agent.2.AA
C:\_RESTORE\TEMP\A0049169.0 Downloader.Dyfica.2.AC
C:\_RESTORE\TEMP\A0051764.0 Downloader.Dyfica.2.AK
C:\_RESTORE\TEMP\A0051765.0 Downloader.Dyfica.2.AE
C:\_RESTORE\TEMP\A0051766.0 Downloader.Dyfica.2.AE
C:\WINDOWS\TEMP\HPOTDD000.log Cannot open; not checked!

Test finished, duration 00:10:20.7 s
12197 objects tested, 15 found infectedtandkand3a....I do not believe the items you listed are viruses ....but rather spyware , malware , adware and possibly page hijackers. ( pests )

ISTbar is an IE toolbar, homepage- and search-hijacker provided by Integrated Search Technologies/CDT Inc.

I would suggest D/L Ad-Aware SE and Spybot and then
watch them run......lol
Have you not looked for them in the path which your AV gave you.......because thats where they are .
Have you noticed anything else odd about the way your pc is running ?
You failed to mention what operating system you have .

let us know
dl65

My OS is Windows ME. I check and install updates on a regular basis. I also run Ad-aware SE and Spybot. Both of those scans show the computer as clean. I have tried to search for the files and can't find them on the computer. They are gone or I am not looking in the right place. I have not experienced any problems with my computer, it seems to be operating normal. Should I run Hijackthis? tandkand3a......

TROJ_ALCHEMIC.A ......trojan
This memory RESIDENT Trojan is capable of downloading and installing additional applications without first notifying the user. The downloaded file may be updates to other adware programs.

It may act as a Browser Helper Object (BHO), which is ABLE to monitor all Web sites visited. It may also display popup advertisements.

It runs on Windows 95, 98, ME, NT, 2000, and XP.

Dyfica.2.AB ....... another trojan
Agent.2.AA ....... another trojan
Istbar.4.AD ........ yet another trojan

Try this:
Remove Trojan horse Downloader.Istbar.4.H this way:
*Close all programs.
*Turn off System Restore
*Run AVG Complete Scan
*Turn on System Restore.
If you can't find Trojan horse Downloader.Istbar.4.G, AVG may have moved it to the Virus Vault. Check the Virus Vault.

Disabling System Restore on Windows ME
In Windows Millenium there is System Restore. Windows ME creates backup copies of the essential system files so they can be restored if they get corrupted. Sometimes this makes the disinfection difficult since the backup files can get infected. In those cases Windows will copy the infected file in the place of the clean one.

This feature can be disabled with the following steps

1. Right-click on the My Computer icon and select Properties
2. In the System Properties windows select the Performance tab
3. Click on File System... button
4. In the Filesystem Properties window select the Troubleshooting tab
5. Check the Disable System Restore checkbox
6. Click Apply button
7. Close the windows using the Close button
8. Click Yes when prompted for reboot

The System Restore feature can be enabled again with the same steps. At step 5. you have to uncheck the Disable System Restore checkbox.

If this doesnt get rid of the trojans......then run hijackthis ....but I dont think you should have to.

let us know how you make out

dl65


I checked the Virus Vault and it is empty. I ran AVG again and tried to remove the 15 files and they could not be removed. The system restore function is turned off. I did run Hijackthis but it will not let me post the log on here. It says that the message is to large. Both Ad-aware and spybot shows the system clean. Any ideas on how to post the log or other solutions.Run AVG in Safe mode.tandkand3a........If you post your log in 2 PIECES rather than one you should be able to post it ok.
And it looks like your trojans are residing in your restore files........have you looked there ?

let us know
dl65 I have run AVG in Safe Mode and the results are the same. Here is part of the Hijackthis log.
Logfile of HijackThis v1.97.7
Scan saved at 11:07:48 PM, on 9/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\TPWRTRAY.EXE
C:\WINDOWS\SYSTEM\TFNCKY.EXE
C:\WINDOWS\SYSTEM\TOSHIBSU.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\NETGEAR\WG511\UTILITY\WG511WLU.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOTDD01.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\WINPATROL.EXE
C:\PROGRAM FILES\RAM\RAMBOOSTER.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\WINDOWS\DESKTOP\PC HEALTH\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://centralkansas.cox.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.netzero.net/s/search?r=minisearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Program Files\Common Files\Microsoft Shared\Stationery\Blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://members.cox.net/mycrosmith/
R3 - URLSearchHook: (no name) - _{37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL
O2 - BHO: (no name) - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.2.1P.DLL
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\PROGRAM FILES\NETZERO\TOOLBAR.DLL
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN0\YCOMP5_3_12_0.DLL

Here is the second part of the log.

O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Tpwrtray] TPWRTRAY.EXE
O4 - HKLM\..\Run: [TFncky] TFncky.exe
O4 - HKLM\..\Run: [TOSHIBSU] TOSHIBSU.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\SYSTEM\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRAM FILES\BILLP STUDIOS\WINPATROL\winpatrol.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.e4me.com/start.html
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.3547569444
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O16 - DPF: DigiChat Applet - http://albany.digi-net.com/DigiChat/DigiClasses/Client_IE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553542500} - http://active.macromedia.com/flash2/cabs/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/pcpowerscan.cab

forget ad-aware spy-bot try this one its beat bother of them>http://www.webroot.com spysweeper... and do you use kazza or aol..or if you really get fed up re-install winme....locate the c:\windows\options\cab folder next to the scanreg icon ....is the famous icon called setup click this will re-install winme..without losing any files and disable system restore its not needed...and dont use ie6 either...Thanks Merlin_2 your advice worked. I did re-install Windows and everything is working great now. Thanks to EVERYONE who helped me. This is a great forum!!

Hey everyone. My internet explorer was working fine today. THen all of a sudden, I cant close the windows. i have to go to END task and do it and even when i go tehre it sais i have to do end now for it to close. also, when i go online my cpu usage jumps to 100%. im pretty sure its not my internet and my cpu is new its been running well for about 3 months. I can close other windows that arn't online EASILY. i think its a virus but im not sure. please help me. thanksoh yeah EVERYTHING else runs fine. i can play games and go on aim but the only problem is using internet explorer. it just wont let me close its BROWSERS and my cpu usage jumps like crazy. i ran spyware and adware programs. it detected a few but ive always had them and i dind't have problems like these. i would also delte them every DAY but today i only found about 10 of them so i dleted themScan for viruses and trojans as well.

don't know how, but have a program called system soap running on my pc. no MATTER what i do i cannot remove it. are you familiar with this program, and if so how do i remove it?
Scan for viruses, TROJANS and spyware.

When and how did you obtain this particulair program?Maybe it is telling you that you need a system shower..... XDJust don't DROP that soap.put it on a rope, XDI suddenly got the vision of a prison RAP song....... blehThis page might be useful.r barnett.......system soap is a cleaner......
http://www.systemsoap.com/
this MAY help you get rid of it....
http://www.kephyr.com/spywarescanner/library/systemsoappro/index.phtml

http://www.spyany.com/program/article_adw_rm_System_Soap.html

Hope this helps you get rid of it ....doesnt sound like its something you want on your pc.

dl65

Hi Guys,

can ANYONE HELP me,I need to READ or with the help of registry i need to find out away to get all details of entire computer from registry so that i can find out what applications are running on the computer and then take a back up and RESTORE them,Please help me

thanks in advancevishnu....Perhaps you could provide a little more info as to what the ISSUE is and which operating system your using .

dl65

i have a little problem with spyware/adware sort of speak...... noticed it when my homepage turned into somthing else... i change it and it changes back... i run hijack this and remove what i knew whasnt supposed to be there, and i re-scan it comes back... i goto my Registry edit and remove the items that where there that wernt supposed to be... and the appear right back.. i run trojanhunter.. none found.. same with norton.. i run adware (lavasoft) and it finds 31 PROBLEMS, i remove and quarentine.... re-scan .... they come right back... (even after reboot) i run spyware S&D... finds CoolWWWSearch or somthing and a couple others... it removes them... and guess what They KEEP comming BACK! its like a fly that lands on the same spot everytime you shoo it away.. i wouldnt be posting this unless i was absolutly shure i couldnt handle it myself... so i need some suggestions here...

thanks... :-/I had this one too. I struggled with it for hours but no luck. Eventually I found the utility CWshredder. This is what you need to clean up your system. Available here http://www.softpedia.com/public/cat/10/17/10-17-150.shtmli did the cws shredder also... forgot to say that in my first post... i used it and it said it cleaned but they keep comming backHmmm, maybe a new varient. I can only suggest using system restore (if you are using xp?) to restore the registry back to a point before it was infected. Or...and this is DANGEROUS, edit the registry by hand to delete any references to the files reported by adaware. I know you said you have done this, but the trick is to reboot into safe mode only so that the *censored* thing doesn't autostart and begin repairing itself before you have gotten every trace of it. Good luck!its a clean install.... 1 day old. not shure where i got it first of all... but ill try the safe mode issue, only because i know reg keysshield....www.coolSearch is one bad one to get rid of....
I would suggest running hijackthis again and posting the log here so we can have a look at it......I believe you may have missed something......DO NOT, I REPEAT.....Don't....use your system restore. CW SHedder will identify it and reset your homepage .....but until; you clean it out , will keep coming back.


dl65
i ran safe mode and cws shredder and hijack this and removed those adware.... they came [emailprotected]#! its so irritating.... heres me hijack this in next post:Logfile of HijackThis v1.97.7
Scan saved at 9:34:10 AM, on 10/12/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\System32\Ati2evxx.exe
D:\Program Files\Sygate\SPF\smc.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\Ati2evxx.exe
D:\WINNT\Explorer.EXE
D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
D:\Program Files\ICQLite\ICQLite.exe
D:\WINNT\System\MSMSGSVC.exe
D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
D:\WINNT\system32\wuauclt.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]inder.cc/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MSMsgSvc] D:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MemTurbo.lnk = D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/?
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38270.6357175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave FLASH Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cabi removed the following:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)




and they just keep commming back onHave you tried running all these programs in safe mode?shield....Ok here's what I would like you to do....
1 open hijackthis...and click info....now make sure that in Configuration / main there is a tick in box 2,3,4,5 and no tick in box 1.
2 In the boxes for the URLs...... enter http://www.msn.com
do this for all four.....
3 now click the back button.
4 now click Scan button

now I want you to mark for removal all the entries I have put in red


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.com%[emailprotected]/hp/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://homepage.com%[emailprotected]/search/ (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = http://homepage.com%[emailprotected]/search/ (obfuscated) R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O2 - BHO: (no name) - {834261E1-DD97-4177-853B-C907E5D5BD6E} - D:\WINNT\dpe.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - D:\Program Files\ICQToolbar\toolbaru.dll
O4 - HKLM\..\Run: [ATIPTA] D:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SmcService] D:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -minimize
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [MSMsgSvc] D:\WINNT\System\MSMSGSVC.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] D:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Startup: MemTurbo.lnk = D:\Program Files\Silicon Prairie Software\MemTurbo\memturbo.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://D:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O9 - Extra button: ICQ 4 (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O13 - DefaultPrefix: http://%65%68%74%74%70%2E%63%63/?
O13 - WWW Prefix: http://%65%68%74%74%70%2E%63%63/? O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38270.63 57175926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

when you have ticked the ones in red.....click the fix checked button......

I would do all of the above in the safe mode .
This should clear it .....It wouldn't hurt to scan again now with Ad-Aware and if you have it Spybot.
Do you have any kind of a registry cleaner ? ie ......system mechanic pro 5 or registry first aid .
If you have run them as well.

Then reboot back up normally and see how things are .

let us know how it goes

dl65


dl65.... i love you... it worked all clean no spyware/adware/nothing..... wanna go out for dinner? LOL thank's bud. shield.....Glad to hear your pest free......hijackthis does a great job ......the key to using it is to research each entry in the log it generates.......

cheers,

dl65 so do you wanna go for dinner or not shield.......So what did you have in mind?

Burger King or McDonalds.......lol

dl65

my daughter has a dell inspiron LAPTOP RUNNING windows xp pro. she mentioned that when she reviewed her task manager process list, there was a process running called "catch.exe". i've looked everywhere and can't find a reference to it as spyware or virus...just a reference to an old DOS 6.2 college biology program. anyone ever hear of it? my daughter has symantech 9.x and ad-aware. thanks!huxster....you QUITE correct....it is Dos SIMULATION program.....
http://www.aquanet.com/Resources/fish/topics/FS_1B_97.HTM
If its something you DONT require , use any more or don't want .......why not simlpy delete it .

let us know

dl65