I don't know what has my PC plzz HELP!!!

If you cannot get them to complete and have run all other steps of the READ ME, do the following.

- Download HijackThis 1.99.1

- Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

- Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

- Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

- Run HijackThis and save your log file.

- Post your log as an ATTACHMENTto your next message. (Do NOT copy/paste the log into your post).

 

Where you running the two IE sessions?

c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe

Remember that all browsers must be shut down before using HJT. If you were not running them, that would be info you should try to tell us.

 

First go to Add/Remove programs and uninstall if found:
WeatherBug
SpyBouncer
ISTsvc or ISTbar
DeskAd Service or DeskAd

Give this a run: http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Read about the removal tool here:
http://securityresponse.symantec.com/avcenter/venc/data/adware.istbar.html

Questions:
Do you use the following?
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Are you working behind a proxy server? Do you need the below settings for ProxyOverride?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;
*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;
service1.symantec.com;*.nai.com;*.networkassociates.com;*login.yahoo.com;*groups.yahoo.com;*mail.yahoo.com;<local>

Do you really use all these tool bars you have installed?

Do you need the below DeskFlag items installed?
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: Holiday Lights.lnk = C:\Program Files\Tiger Technologies\Holiday Lights\Holiday Lights.exe

Do you know what the below application is?
C:\DOCUME~1\Owner\APPLIC~1\MOVECO~1\Loadtest.exe

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).


Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\DeskAd Service\DeskAdServ.exe
C:\WINDOWS\qdnwma.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\DeskAd Service\DeskAdKeep.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.onlidqhzabcdzhie.com/KoVI1qKipmXSeWiVU2YPtsTwUHe2MzremloWPWxeswU_hlDo4gJR_zNhciORtgmC.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.easywebsearch.nl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - _{965A592F-8EFA-4250-8630-7960230792F1} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - _{855F3B16-6D32-4fe6-8A56-BBB695989046} - (no file)
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O1 - Hosts: 64.12.152.18 search.netscape.com
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~2\SEARCH~1.DLL
O2 - BHO: CCEZTracksPlugin Object - {3023AF97-870E-476A-B30E-3923DF2B84BD} - C:\Program Files\EZTRACKS\eztracks_ieplug.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-A3FA-F161A787AD2D} - (no file)
O2 - BHO: (no name) - {96DA5BEE-4ACC-476C-B3EC-54C6730C4293} - (no file)
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\Program Files\SideFind\sfbho13.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A3FA-F161A787AD2D} - (no file)
O4 - HKLM\..\Run: [DeskAd Service] C:\Program Files\DeskAd Service\DeskAdServ.exe
O4 - HKLM\..\Run: [¢‰¸K0¨4W
}ïÁzî[8C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qdnwma.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰üžiC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qdnwma.exe
O4 - HKLM\..\Run: [¢‰¸K0ÔÁß]§ú"ü‰üžigÝC:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qdnwma.exe
O4 - HKLM\..\Run: [¢‰¸K0Ô@ÔÁß]§ú"ü‰¸K0C:\Program Files\ISTsvc\istsvc.exe] C:\WINDOWS\qdnwma.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [rdeBd] C:\WINDOWS\qdnwma.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [math proxy] C:\DOCUME~1\Owner\APPLIC~1\GLUEMU~1\dent stop free.exe
O8 - Extra context menu item: SirSearch - file://C:\Program Files\PWRSMND1\Cache\SelectedContextSearch.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind13.dll (file missing)
O9 - Extra button: Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra 'Tools' menuitem: &Toolbar Wallpaper - {c23dd370-cb79-11d2-898a-00c04f80a47f} - C:\Program Files\Internet Explorer\Toolbar\toolbar.hta (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/Bridge-c112.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei-2/FunBuddyIconsFWBInitialSetup1.0.0.8-2.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://s7.blingblingcontent.com/toolbarcash/activex/easywebinstaller.ocx
O16 - DPF: {4418DD4D-7265-4C32-BC0A-3FDB3C2DA938} (Protecter Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/protect_regular.cab
O16 - DPF: {4E7BD74F-2B8D-469E-DEFA-EB76B1D5FA7D} - http://www.ez-tracks.com/downloader/cab/special/eztdl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/30818adde376f20b9319/netzip/RdxIE601.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {76D90D08-EAB7-46D8-BF99-87445BF59E72} (SystemInfo Class) - http://getdway.com/dwayready/dpcsysinfo.cab
O16 - DPF: {92F02779-6D88-4958-8AD3-83C12A16ADC7} - file://C:\WINDOWS\system32\SearchBar\zpprf1sh.exe
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://download.netmarble.com/nProtect/npkx/npkxsite.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} (MediaTicketsInstaller Control) - http://www.35mb.com/applet.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://download.netmarble.com/nProtect/nprotect/npx.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {EFB22865-F3BC-4309-ADFA-C8E078A7F762} (SysWebTelecomInt Class) - http://www.sponsoradulto.com/en/SysWebTelecom.cab
O16 - DPF: {F48EAB92-8BCE-4C77-BE98-D10060BD8590} (SpyBouncer.SBDownloader) - http://www.spybouncer.com/downloader/downloader.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\DeskAd Service <--- the whole folder
C:\Program Files\SEARCH~2\SEARCH~1.DLL <--- the whole folder
C:\Program Files\EZTRACKS <--- the whole folder
C:\Program Files\ISTsvc <--- the whole folder
C:\Program Files\Internet Explorer\Toolbar <--- the whole folder
C:\Program Files\AWS <--- the whole folder
C:\Program Files\SideFind <--- the whole folder
C:\Documents and Settings\Owner\APPLIC~1\GLUEMU~1 <--- the whole folder
C:\WINDOWS\qdnwma.exe
C:\WINDOWS\nem220.dll
C:\WINDOWS\systb.dll

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again.


Now run Ccleaner that you installed while running the READ ME FIRST.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

What TheOldThug was saying is that you are the kind user we commonly refer to as a spyware collector because you have so much of it in your system. You really need to be more careful where you are surfing and what you are downloading. And read the license agreements and privacy policies before accepting any of the software.

Does you Symantec software include a firewall? If not, you MUST get one. If it does, you should make sure you have configured it properly and that you are not allowing any malware applications access to and from your system.

 

Viewpoint is junk installed by AOL without asking you. 99% of people do not know they even have it or what it is for. Go to Add/Remove programs and uninstall (if found):
Viewpoint or Viewpoint Manager or Viewpoint Toolbar or Viewpoint Media Player

Also while there and since you said you do not use them, uninstall (if found)(note: it is not necessary to uninstall these, they are not bad. But if you don't use them they are just wasting system resources and cluttering up your system):
MSN Toolbar
AOL Toolbar
ICQToolbar

Since your probably do not use a ProxyServer, we will have HJT fix that R1 line (further down in this message).

You MUST remember to exit your browser before running HJT. IE was still running:
C:\Program Files\Internet Explorer\iexplore.exe

Not exiting your browser can make it difficult to impossible to repair certain problems.

You do not need to uninstall Holiday Lights! But you do not really have to load it at Startup. You can just run it when desired from Start -> All Programs

Did you have a problem ending this process last time: C:\WINDOWS\qdnwma.exe
Was there a problem fixing this line:
O4 - HKLM\..\Run: [ns2dGXc] C:\WINDOWS\qdnwma.exe

They are still in your log.

Did you do the Reset Web Settings step last time?

Is the below your expected Start Page:
http://my.msn.com/?page=2

 

Make sure you see my post below! We posted at the same time.

 

Make sure you have system restore disabled (per the tutorial).
Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\qdnwma.exe


After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.fqwsqkqesrqeggqivtwnjml.net/KoVI1qKipmXSeWiVU2YPtsTwUHe2MzremloWPWxeswXsVmm8uyRJyTNhciORtgmC.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 64.136.29.30;64.136.21.30;64.136.29.34;searchap.untd.com;127.0.0.1;localhost;*windowsupdate.microsoft.com;*windowsupdate.com;
*wustat.windows.com;*.pogo.com;*test-speed.com;liveupdate.symantecliveupdate.com;liveupdate.symantec.com;
service1.symantec.com;*.nai.com;*.networkassociates.com;*login.yahoo.com;*groups.yahoo.com;*mail.yahoo.com;<local>
O2 - BHO: (no name) - {4DDC6C24-8D18-2852-A87F-441419F90005} - C:\DOCUME~1\Owner\APPLIC~1\MOVECO~1\Loadtest.exe
O2 - BHO: (no name) - {5C171F4F-67F7-25A7-AA24-4703104E234D} - C:\DOCUME~1\Owner\APPLIC~1\MOVECO~1\Loadtest.exe
O4 - HKLM\..\Run: [ns2dGXc] C:\WINDOWS\qdnwma.exe


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete:

C:\WINDOWS\qdnwma.exe

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Make sure you tell me if you could not find or could not delete this file.


Now run Ccleaner that you installed while running the READ ME FIRST.


Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

That's what some malware does. And that is why I asked? I was suspecting from some items seen in your log that malware was running IE in the background without your knowledge.

 

We are getting there but now one of your problems has come back. Have you been surfing anywhere else or downloading from anywhere else?


Run this again: http://securityresponse.symantec.com/avcenter/FxIstbar.exe

Let me know if it finds and fixes anything and then post a new HJT log.

 

Make sure your firewall is blocking: istsvc.exe

 

Your firewall should never be off unless you are physically disconnected from the internet.

 

Did you decide earlier not to uninstall AOL Toolbar?

 

There is something left over from the AOL Toolbar. We can fix it with HJT. I just wanted to be sure.

Did you run FxIstbar.exe

 

Just have HJT fix the below line:

O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML

Then remove the following folder (you may have to reboot to do that)
C:\Program Files\AOL Toolbar


Make sure you follow up the symantec scan and fixing the above with a new HJT log.

I'll be back later gotta run for awhile.

 

You're welcome. Hmmm! We have some new stuff popping up.

Where did this ProxyServer entry come from? Do you use a ProxyServer with your ISP?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5400

And also where did the below two O17 lines now come from? I thought you were saying you do not use AOL? That IP address is for AOL and the proxy setting above may be from them to. Did you run something from AOL since my last message? It sure looks like it.
O17 - HKLM\System\CCS\Services\Tcpip\..\{29B1BE57-A3EE-4F17-96F9-3DAC46F8E350}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{29B1BE57-A3EE-4F17-96F9-3DAC46F8E350}: NameServer = 205.188.146.145


Make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\Program Files\ISTsvc\istsvc.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\ISTsvc <--- the whole folder

Now run Ccleaner!

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

It does not say Verizon. It says Version!

You are hiding protected operating systems files. We asked you not to do that.

 

Yes! That's better. Did Norton indicate a folder where it found the files?

 

Only the first one needs to be fixed. The second one is not a problem. It is in a HijackThis backup log from something we already removed.

So fix the first one and do the other things I gave. Time for me to get some sleep.

Good night!

 

You log is clean! You should now check out the below thread and make sure the equivalent of all the steps has been done:

How to Protect yourself from malware!

That's to bad about your husbands job changing but at least he has one! So where are you moving to?

 

Do not select Express install! Use Custom install and select all items except SP2.

California is nice (without the earthquakes, mudslides, or forest fires )

 

Norton/Symantec makes some good software. The biggest problem many of us have with it is that it is getting so bloated and uses up so much of a systems resources making some PCs run rather slowly. If you are happy with it and pay to keep it updated, stick with it. Make sure you stay udated.

How is everything working now?

 

I'm not sure I follow you. What are you running? Are you talking about running Internet Explorer and looking at a toolbar? Or are you talking about the Taskbar at the bottom of your screen where runing applications showup. I think you meant the later. If so just for future reference it is called the Taskbar not a toolbar.

Do you see the actual name of the web page when you hold your mouse cursor over the items, or do you just see black? I'm not sure what you mean by a large empty black space.

 

I'm not sure why! It could be something you have installed or some other setting. You still have a load of toolbars, buttons, and extra menus items loading (the O8 and O9 section of you HJT log). Also, you have a load of 016 active x items loading. I'm not sure what all of there effects may be since I don't and personally would not load all that stuff.

Your log was clean and I doubt this has anything to do with malware. If it really bothers you, try booting in safe mode and see if it happens there. If not, try booting in normal mode and kill all unnecessary processes and see if it goes away.

You may want to check over in the Software Forum to see if this sounds familiar to anyone.