Only the best and about:blank trouble

Discussion in 'Malware Help (A Specialist Will Reply)' started by wonderboy456, May 2, 2005.

  1. wonderboy456 Private E-2

    I'm having trouble with some malware and I've tried a couple of things but it doesn't seem to be fixed. Here is an Ad-Aware log file from my computer.

    I'd appreciate any help anyone can give me.


    Ad-Aware SE Build 1.05
    Logfile Created on:Monday, May 02, 2005 9:50:22 PM
    Created with Ad-Aware SE Personal, free for private use.
    Using definitions file:SE1R42 28.04.2005
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    References detected during the scan:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    CoolWebSearch(TAC index:10):30 total references
    Possible Browser Hijack attempt(TAC index:3):3 total references
    Tracking Cookie(TAC index:3):12 total references
    VX2(TAC index:10):2 total references
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Definition File:
    =========================
    Definitions File Loaded:
    Reference Number : SE1R42 28.04.2005
    Internal build : 49
    File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
    File size : 466557 Bytes
    Total size : 1403889 Bytes
    Signature data size : 1373297 Bytes
    Reference data size : 30080 Bytes
    Signatures total : 39226
    Fingerprints total : 836
    Fingerprints size : 28245 Bytes
    Target categories : 15
    Target families : 654


    Memory + processor status:
    ==========================
    Number of processors : 2
    Processor architecture : Intel Pentium IV
    Memory available:18 %
    Total physical memory:523244 kb
    Available physical memory:91248 kb
    Total page file size:1277936 kb
    Available on page file:926784 kb
    Total virtual memory:2097024 kb
    Available virtual memory:2047540 kb
    OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

    Ad-Aware SE Settings
    ===========================
    Set : Safe mode (always request confirmation)
    Set : Scan active processes
    Set : Scan registry
    Set : Deep-scan registry
    Set : Scan my IE Favorites for banned URLs
    Set : Scan within archives
    Set : Scan my Hosts file

    Extended Ad-Aware SE Settings
    ===========================
    Set : Unload recognized processes & modules during scan
    Set : Obtain command line of scanned processes
    Set : Scan registry for all users instead of current user only
    Set : During removal, unload Explorer and IE if necessary
    Set : Let Windows remove files in use at next reboot
    Set : Delete quarantined objects after restoring
    Set : Write-protect system files after repair (Hosts file, etc.)
    Set : Include basic Ad-Aware settings in log file
    Set : Include additional Ad-Aware settings in log file
    Set : Include reference summary in log file
    Set : Play sound at scan completion if scan locates critical objects


    5-2-2005 9:50:22 PM - Scan started. (Full System Scan)

    Listing running processes
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    #:1 [smss.exe]
    ModuleName : \SystemRoot\System32\smss.exe
    Command Line : n/a
    ProcessID : 632
    ThreadCreationTime : 5-1-2005 3:29:12 AM
    BasePriority : Normal


    #:2 [csrss.exe]
    ModuleName : \??\C:\WINDOWS\system32\csrss.exe
    Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
    ProcessID : 856
    ThreadCreationTime : 5-1-2005 3:29:15 AM
    BasePriority : Normal


    #:3 [winlogon.exe]
    ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
    Command Line : winlogon.exe
    ProcessID : 880
    ThreadCreationTime : 5-1-2005 3:29:16 AM
    BasePriority : High


    #:4 [services.exe]
    ModuleName : C:\WINDOWS\system32\services.exe
    Command Line : C:\WINDOWS\system32\services.exe
    ProcessID : 924
    ThreadCreationTime : 5-1-2005 3:29:16 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Services and Controller app
    InternalName : services.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : services.exe

    #:5 [lsass.exe]
    ModuleName : C:\WINDOWS\system32\lsass.exe
    Command Line : C:\WINDOWS\system32\lsass.exe
    ProcessID : 936
    ThreadCreationTime : 5-1-2005 3:29:16 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : LSA Shell (Export Version)
    InternalName : lsass.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : lsass.exe

    #:6 [svchost.exe]
    ModuleName : C:\WINDOWS\system32\svchost.exe
    Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
    ProcessID : 1116
    ThreadCreationTime : 5-1-2005 3:29:16 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:7 [svchost.exe]
    ModuleName : C:\WINDOWS\system32\svchost.exe
    Command Line : C:\WINDOWS\system32\svchost -k rpcss
    ProcessID : 1168
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:8 [svchost.exe]
    ModuleName : C:\WINDOWS\System32\svchost.exe
    Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
    ProcessID : 1208
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:9 [svchost.exe]
    ModuleName : C:\WINDOWS\System32\svchost.exe
    Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
    ProcessID : 1264
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:10 [svchost.exe]
    ModuleName : C:\WINDOWS\System32\svchost.exe
    Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
    ProcessID : 1292
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Generic Host Process for Win32 Services
    InternalName : svchost.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : svchost.exe

    #:11 [spoolsv.exe]
    ModuleName : C:\WINDOWS\system32\spoolsv.exe
    Command Line : C:\WINDOWS\system32\spoolsv.exe
    ProcessID : 1340
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Spooler SubSystem App
    InternalName : spoolsv.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : spoolsv.exe

    #:12 [acsd.exe]
    ModuleName : C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    Command Line : C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    ProcessID : 1436
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal


    #:13 [ccproxy.exe]
    ModuleName : C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    Command Line : "C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"
    ProcessID : 1448
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 2.1.5.1
    ProductVersion : 2.1.5.1
    ProductName : Common Client
    CompanyName : Symantec Corporation
    FileDescription : Common Client Network Proxy Service
    InternalName : ccProxy
    LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename : ccProxy.exe

    #:14 [ccsetmgr.exe]
    ModuleName : C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    Command Line : "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
    ProcessID : 1488
    ThreadCreationTime : 5-1-2005 3:29:17 AM
    BasePriority : Normal
    FileVersion : 2.1.5.1
    ProductVersion : 2.1.5.1
    ProductName : Common Client
    CompanyName : Symantec Corporation
    FileDescription : Common Client Settings Manager Service
    InternalName : ccSetMgr
    LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename : ccSetMgr.exe

    #:15 [navapsvc.exe]
    ModuleName : C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    Command Line : "C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe"
    ProcessID : 1528
    ThreadCreationTime : 5-1-2005 3:29:18 AM
    BasePriority : Normal
    FileVersion : 10.00.13
    ProductVersion : 10.00.13
    ProductName : Norton AntiVirus
    CompanyName : Symantec Corporation
    FileDescription : Norton AntiVirus Auto-Protect Service
    InternalName : NAVAPSVC
    LegalCopyright : Norton AntiVirus 2004 for Windows 98/ME/2000/XP Copyright (c) 2003 Symantec Corporation. All rights reserved.
    OriginalFilename : NAVAPSVC.EXE

    #:16 [sndsrvc.exe]
    ModuleName : C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    Command Line : "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"
    ProcessID : 1660
    ThreadCreationTime : 5-1-2005 3:29:18 AM
    BasePriority : Normal
    FileVersion : 5.4.4.17
    ProductVersion : 5.4
    ProductName : Symantec Security Drivers
    CompanyName : Symantec Corporation
    FileDescription : Network Driver Service
    InternalName : SndSrvc
    LegalCopyright : Copyright 2002, 2003, 2004 Symantec Corporation
    OriginalFilename : SndSrvc.exe

    #:17 [wdfmgr.exe]
    ModuleName : C:\WINDOWS\System32\wdfmgr.exe
    Command Line : C:\WINDOWS\System32\wdfmgr.exe
    ProcessID : 1748
    ThreadCreationTime : 5-1-2005 3:29:18 AM
    BasePriority : Normal
    FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
    ProductVersion : 5.2.3790.1230
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows User Mode Driver Manager
    InternalName : WdfMgr
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : WdfMgr.exe

    #:18 [wanmpsvc.exe]
    ModuleName : C:\WINDOWS\wanmpsvc.exe
    Command Line : "C:\WINDOWS\wanmpsvc.exe"
    ProcessID : 1788
    ThreadCreationTime : 5-1-2005 3:29:19 AM
    BasePriority : Normal
    FileVersion : 7, 0, 0, 2
    ProductVersion : 7, 0, 0, 2
    ProductName : America Online
    CompanyName : America Online, Inc.
    FileDescription : Wan Miniport (ATW) Service
    InternalName : WanMPSvc
    LegalCopyright : Copyright © 2001 America Online, Inc.
    OriginalFilename : WanMPSvc.exe

    #:19 [wlservice.exe]
    ModuleName : C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    Command Line : "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe" "WUSB54Gv2.exe"
    ProcessID : 1828
    ThreadCreationTime : 5-1-2005 3:29:19 AM
    BasePriority : Normal
    FileVersion : 1, 0, 0, 4
    ProductVersion : 1, 0, 0, 4
    ProductName : GEMTEKS WLService
    CompanyName : GEMTEKS
    FileDescription : WLService
    InternalName : WLService
    LegalCopyright : Copyright c 2003
    OriginalFilename : WLService.exe

    #:20 [wusb54gv2.exe]
    ModuleName : C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv2.exe
    Command Line : WUSB54Gv2.exe
    ProcessID : 1864
    ThreadCreationTime : 5-1-2005 3:29:19 AM
    BasePriority : High
    FileVersion : 4.5.4.3
    ProductVersion : 4.5.4.3
    ProductName : Version 2.0
    CompanyName : Cisco Linksys Corporation
    FileDescription : Wireless Network Monitor
    InternalName : XP/2K/ME/98
    Comments : Client Team

    #:21 [ccevtmgr.exe]
    ModuleName : C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    Command Line : "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    ProcessID : 1896
    ThreadCreationTime : 5-1-2005 3:29:19 AM
    BasePriority : Normal
    FileVersion : 2.1.5.1
    ProductVersion : 2.1.5.1
    ProductName : Common Client
    CompanyName : Symantec Corporation
    FileDescription : Common Client Event Manager Service
    InternalName : ccEvtMgr
    LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename : ccEvtMgr.exe

    #:22 [explorer.exe]
    ModuleName : C:\WINDOWS\Explorer.EXE
    Command Line : C:\WINDOWS\Explorer.EXE
    ProcessID : 672
    ThreadCreationTime : 5-1-2005 3:29:24 AM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Explorer
    InternalName : explorer
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : EXPLORER.EXE

    #:23 [alg.exe]
    ModuleName : C:\WINDOWS\System32\alg.exe
    Command Line : C:\WINDOWS\System32\alg.exe
    ProcessID : 712
    ThreadCreationTime : 5-1-2005 3:29:24 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Application Layer Gateway Service
    InternalName : ALG.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : ALG.exe

    #:24 [wscntfy.exe]
    ModuleName : C:\WINDOWS\system32\wscntfy.exe
    Command Line : C:\WINDOWS\system32\wscntfy.exe
    ProcessID : 988
    ThreadCreationTime : 5-1-2005 3:29:26 AM
    BasePriority : Normal
    FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 5.1.2600.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Windows Security Center Notification App
    InternalName : wscntfy.exe
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : wscntfy.exe

    #:25 [jusched.exe]
    ModuleName : C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    Command Line : "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
    ProcessID : 3604
    ThreadCreationTime : 5-1-2005 3:29:59 AM
    BasePriority : Normal


    #:26 [dvdlauncher.exe]
    ModuleName : C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    Command Line : "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    ProcessID : 3616
    ThreadCreationTime : 5-1-2005 3:29:59 AM
    BasePriority : Normal
    FileVersion : 3.00.0000
    ProductVersion : 3.00.0000
    ProductName : Cyberlink PowerCinema 3.0
    CompanyName : CyberLink Corp.
    FileDescription : CyberLink PowerCinema Resident Program
    InternalName : CyberLink PowerCinema Resident Program
    LegalCopyright : Copyright (c) 2003 CyberLink Corp.
    OriginalFilename : DVDLauncher.EXE

    #:27 [intelmem.exe]
    ModuleName : C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    Command Line : "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
    ProcessID : 3660
    ThreadCreationTime : 5-1-2005 3:29:59 AM
    BasePriority : Normal
    FileVersion : 0, 1, 0, 10
    ProductVersion : 0, 1, 0, 10
    ProductName : Intel Modem Event Monitor Application
    CompanyName : Intel Corporation
    FileDescription : Modem Event Monitor Application
    InternalName : Modem Event Monitor
    LegalCopyright : Copyright (C) 2003
    OriginalFilename : IntelMEM.exe

    #:28 [pcmservice.exe]
    ModuleName : C:\Program Files\Dell\Media Experience\PCMService.exe
    Command Line : "C:\Program Files\Dell\Media Experience\PCMService.exe"
    ProcessID : 3672
    ThreadCreationTime : 5-1-2005 3:29:59 AM
    BasePriority : Normal
    FileVersion : 1.0.1611
    ProductVersion : 1.0.1611
    ProductName : PCM2Launcher Application
    CompanyName : CyberLink Corp.
    FileDescription : PowerCinema Resident Program for Dell
    InternalName : PowerCinema Resident Program for Dell
    LegalCopyright : Copyright c 2003 CyberLink Corp.
    OriginalFilename : PCM2Launcher.EXE

    #:29 [tfswctrl.exe]
    ModuleName : C:\WINDOWS\system32\dla\tfswctrl.exe
    Command Line : "C:\WINDOWS\system32\dla\tfswctrl.exe"
    ProcessID : 3700
    ThreadCreationTime : 5-1-2005 3:29:59 AM
    BasePriority : Normal
    FileVersion : 1.04.07b
    CompanyName : Sonic Solutions
    FileDescription : Drive Letter Access Component
    LegalCopyright : Copyright © 2004 Sonic Solutions

    #:30 [realplay.exe]
    ModuleName : C:\Program Files\Real\RealPlayer\RealPlay.exe
    Command Line : "C:\Program Files\Real\RealPlayer\RealPlay.exe" SYSTEMBOOTHIDEPLAYER
    ProcessID : 3908
    ThreadCreationTime : 5-1-2005 3:30:01 AM
    BasePriority : Normal
    FileVersion : 6.0.9.584
    ProductVersion : 6.0.9.584
    ProductName : RealPlayer (32-bit)
    CompanyName : RealNetworks, Inc.
    FileDescription : RealPlayer
    InternalName : REALPLAY
    LegalCopyright : Copyright © RealNetworks, Inc. 1995-2000
    LegalTrademarks : RealAudio(tm) is a trademark of RealNetworks, Inc.
    OriginalFilename : REALPLAY.EXE

    #:31 [ccapp.exe]
    ModuleName : C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    Command Line : "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    ProcessID : 3984
    ThreadCreationTime : 5-1-2005 3:30:02 AM
    BasePriority : Normal
    FileVersion : 2.1.5.1
    ProductVersion : 2.1.5.1
    ProductName : Common Client
    CompanyName : Symantec Corporation
    FileDescription : Common Client User Session
    InternalName : ccApp
    LegalCopyright : Copyright (c) 2000-2003 Symantec Corporation. All rights reserved.
    OriginalFilename : ccApp.exe

    #:32 [mm_tray.exe]
    ModuleName : C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
    Command Line : "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe"
    ProcessID : 4076
    ThreadCreationTime : 5-1-2005 3:30:02 AM
    BasePriority : Normal
    FileVersion : 10.00.3058
    ProductVersion : 10.00.3058
    ProductName : Musicmatch Jukebox
    CompanyName : Musicmatch, Inc.
    FileDescription : mm_tray
    InternalName : mm_tray
    LegalCopyright : Copyright © Musicmatch 1998-2004
    LegalTrademarks :
    OriginalFilename : mm_tray.exe

    #:33 [infomyca.exe]
    ModuleName : C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe
    Command Line : "C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\InfoMyCa.exe."
    ProcessID : 1416
    ThreadCreationTime : 5-1-2005 3:30:02 AM
    BasePriority : Normal
    FileVersion : 1, 0, 0, 3
    ProductVersion : 1, 0, 0, 3
    FileDescription : Set / Get WPA data to / from system
    InternalName : InfoMyCa
    LegalCopyright : Copyright c 2004
    OriginalFilename : InfoMyCa.exe

    #:34 [d3qm32.exe]
    ModuleName : C:\WINDOWS\d3qm32.exe
    Command Line : "C:\WINDOWS\d3qm32.exe"
    ProcessID : 1924
    ThreadCreationTime : 5-1-2005 3:30:03 AM
    BasePriority : Normal


    #:35 [ppcontrol.exe]
    ModuleName : C:\PROGRA~1\PESTPA~1\PPControl.exe
    Command Line : "C:\PROGRA~1\PESTPA~1\PPControl.exe"
    ProcessID : 2060
    ThreadCreationTime : 5-1-2005 3:30:03 AM
    BasePriority : Normal
    FileVersion : 4, 4, 4, 73
    ProductVersion : 4.4
    ProductName : PestPatrol
    CompanyName : Computer Associates International
    FileDescription : PestPatrol tray application
    InternalName : ppcontrol
    LegalCopyright : Copyright (C) 2004 Computer Associates International
    OriginalFilename : ppcontrol.exe

    #:36 [ppmemcheck.exe]
    ModuleName : C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
    Command Line : "C:\PROGRA~1\PESTPA~1\PPMemCheck.exe"
    ProcessID : 448
    ThreadCreationTime : 5-1-2005 3:30:03 AM
    BasePriority : Normal


    #:37 [mmdiag.exe]
    ModuleName : C:\PROGRA~1\MUSICM~1\MUSICM~2\MMDiag.exe
    Command Line : MMDiag.exe
    ProcessID : 2076
    ThreadCreationTime : 5-1-2005 3:30:03 AM
    BasePriority : Normal
    FileVersion : 10.00.3058
    ProductVersion : 10.00.3058
    ProductName : Musicmatch Jukebox
    CompanyName : Musicmatch, Inc.
    FileDescription : Logging and tracing manager
    InternalName : MMTraceExe
    LegalCopyright : Copyright © Musicmatch 1998-2004
    LegalTrademarks :
    OriginalFilename : MMTraceExe.EXE

    #:38 [cookiepatrol.exe]
    ModuleName : C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
    Command Line : "C:\PROGRA~1\PESTPA~1\CookiePatrol.exe"
    ProcessID : 2168
    ThreadCreationTime : 5-1-2005 3:30:04 AM
    BasePriority : Normal
    FileVersion : 4, 4, 4, 82
    ProductVersion : 4, 4, 4, 0
    ProductName : PestPatrol
    CompanyName : Computer Associates International
    FileDescription : CookiePatrol Application
    InternalName : CookiePatrol
    LegalCopyright : Copyright (C) 2005 Computer Associates International, Inc.
    OriginalFilename : CookiePatrol.exe

    #:39 [mim.exe]
    ModuleName : C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe
    Command Line : "C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mim.exe" -Embedding
    ProcessID : 2268
    ThreadCreationTime : 5-1-2005 3:30:04 AM
    BasePriority : Normal
    FileVersion : 10.00.3058
    ProductVersion : 10.00.3058
    ProductName : Musicmatch Jukebox
    CompanyName : Musicmatch, Inc.
    FileDescription : mim
    InternalName : mim
    LegalCopyright : Copyright © Musicmatch 1998-2004
    LegalTrademarks :
    OriginalFilename : mim.exe

    #:40 [psfree.exe]
    ModuleName : C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    Command Line : "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    ProcessID : 2552
    ThreadCreationTime : 5-1-2005 3:30:06 AM
    BasePriority : Normal
    FileVersion : 3, 1, 0, 1010
    ProductVersion : 1, 0, 0, 1
    ProductName : Pop-Up Stopper Free Edition
    CompanyName : Panicware, Inc.
    FileDescription : Pop-Up Stopper Free Edition
    InternalName : Pop-Up Stopper Free Edition
    LegalCopyright : Copyright (C) 2002-2003
    OriginalFilename : PSFree.exe

    #:41 [iezi32.exe]
    ModuleName : C:\WINDOWS\system32\iezi32.exe
    Command Line : "C:\WINDOWS\system32\iezi32.exe" /r
    ProcessID : 3840
    ThreadCreationTime : 5-1-2005 3:32:12 AM
    BasePriority : Normal


    VX2 Object Recognized!
    Type : Process
    Data : iezi32.exe
    Category : Malware
    Comment : (CSI MATCH)
    Object : C:\WINDOWS\system32\


    Warning! VX2 Object found in memory(C:\WINDOWS\system32\iezi32.exe)

    "C:\WINDOWS\system32\iezi32.exe"Process terminated successfully
    "C:\WINDOWS\system32\iezi32.exe"Process terminated successfully

    #:42 [iexplore.exe]
    ModuleName : C:\Program Files\Internet Explorer\iexplore.exe
    Command Line : "C:\Program Files\Internet Explorer\iexplore.exe"
    ProcessID : 2016
    ThreadCreationTime : 5-3-2005 12:40:37 AM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Internet Explorer
    InternalName : iexplore
    LegalCopyright : © Microsoft Corporation. All rights reserved.
    OriginalFilename : IEXPLORE.EXE

    #:43 [msimn.exe]
    ModuleName : C:\Program Files\Outlook Express\MSIMN.EXE
    Command Line : "C:\Program Files\Outlook Express\MSIMN.EXE"
    ProcessID : 3176
    ThreadCreationTime : 5-3-2005 1:52:55 AM
    BasePriority : Normal
    FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    ProductVersion : 6.00.2900.2180
    ProductName : Microsoft® Windows® Operating System
    CompanyName : Microsoft Corporation
    FileDescription : Outlook Express
    InternalName : MSIMN
    LegalCopyright : © 2004 Microsoft Corporation. All rights reserved.
    OriginalFilename : MSIMN.EXE

    #:44 [ad-aware.exe]
    ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
    Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
    ProcessID : 2500
    ThreadCreationTime : 5-3-2005 2:50:07 AM
    BasePriority : Normal
    FileVersion : 6.2.0.206
    ProductVersion : VI.Second Edition
    ProductName : Lavasoft Ad-Aware SE
    CompanyName : Lavasoft Sweden
    FileDescription : Ad-Aware SE Core application
    InternalName : Ad-Aware.exe
    LegalCopyright : Copyright © Lavasoft Sweden
    OriginalFilename : Ad-Aware.exe
    Comments : All Rights Reserved

    Memory scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 1
    Objects found so far: 1


    Started registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{3e90618a-b905-9b60-b551-77abbea8bced}

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CLASSES_ROOT
    Object : clsid\{676575dd-4d46-911d-8037-9b10d6ee8bb5}

    Registry Scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 2
    Objects found so far: 3


    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    Deep registry scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 3


    Started Tracking Cookie scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@ads.pointroll[1].txt
    Category : Data Miner
    Comment : Hits:7
    Value : Cookie:wayne@ads.pointroll.com/
    Expires : 12-31-2009 7:00:00 PM
    LastSync : Hits:7
    UseCount : 0
    Hits : 7

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@doubleclick[2].txt
    Category : Data Miner
    Comment : Hits:4
    Value : Cookie:wayne@doubleclick.net/
    Expires : 5-1-2008 9:34:58 PM
    LastSync : Hits:4
    UseCount : 0
    Hits : 4

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@atdmt[1].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:wayne@atdmt.com/
    Expires : 4-30-2010 7:00:00 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@questionmarket[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:wayne@questionmarket.com/
    Expires : 6-23-2006 6:58:54 AM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@tribalfusion[1].txt
    Category : Data Miner
    Comment : Hits:5
    Value : Cookie:wayne@tribalfusion.com/
    Expires : 12-31-2037 7:00:00 PM
    LastSync : Hits:5
    UseCount : 0
    Hits : 5

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@2o7[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:wayne@2o7.net/
    Expires : 5-1-2010 2:39:06 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@hitbox[2].txt
    Category : Data Miner
    Comment : Hits:4
    Value : Cookie:wayne@hitbox.com/
    Expires : 5-2-2006 2:29:38 PM
    LastSync : Hits:4
    UseCount : 0
    Hits : 4

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@ehg-dig.hitbox[1].txt
    Category : Data Miner
    Comment : Hits:60
    Value : Cookie:wayne@ehg-dig.hitbox.com/
    Expires : 5-2-2006 2:29:38 PM
    LastSync : Hits:60
    UseCount : 0
    Hits : 60

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@advertising[2].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:wayne@advertising.com/
    Expires : 5-1-2010 2:34:20 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@bluestreak[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:wayne@bluestreak.com/
    Expires : 4-30-2015 5:35:46 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@mediaplex[1].txt
    Category : Data Miner
    Comment : Hits:1
    Value : Cookie:wayne@mediaplex.com/
    Expires : 6-21-2009 7:00:00 PM
    LastSync : Hits:1
    UseCount : 0
    Hits : 1

    Tracking Cookie Object Recognized!
    Type : IECache Entry
    Data : wayne@servedby.advertising[1].txt
    Category : Data Miner
    Comment : Hits:2
    Value : Cookie:wayne@servedby.advertising.com/
    Expires : 6-1-2005 2:35:18 PM
    LastSync : Hits:2
    UseCount : 0
    Hits : 2

    Tracking cookie scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 12
    Objects found so far: 15



    Deep scanning and examining files (C:)
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    CoolWebSearch Object Recognized!
    Type : File
    Data : hmpxl.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : msvze.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : pzuge.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    CoolWebSearch Object Recognized!
    Type : File
    Data : akgtr.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM32\



    CoolWebSearch Object Recognized!
    Type : File
    Data : brmbx.log
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM32\



    CoolWebSearch Object Recognized!
    Type : File
    Data : dxdxi.log
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM32\



    CoolWebSearch Object Recognized!
    Type : File
    Data : eqdbt.dat
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM32\



    CoolWebSearch Object Recognized!
    Type : File
    Data : qidkx.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\SYSTEM32\



    CoolWebSearch Object Recognized!
    Type : File
    Data : vibyx.txt
    Category : Malware
    Comment :
    Object : C:\WINDOWS\



    Disk Scan Result for C:\
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 0
    Objects found so far: 24

    Possible Browser Hijack attempt Object Recognized!
    Type : File
    Data : Only sex website.url
    Category : Misc
    Comment : Problematic URL discovered: http://www.onlysex.ws/
    Object : C:\Documents and Settings\Wayne\Favorites\



    Possible Browser Hijack attempt Object Recognized!
    Type : File
    Data : Search the web.url
    Category : Misc
    Comment : Problematic URL discovered: http://www.lookfor.cc/
    Object : C:\Documents and Settings\Wayne\Favorites\



    Possible Browser Hijack attempt Object Recognized!
    Type : File
    Data : Seven days of free porn.url
    Category : Misc
    Comment : Problematic URL discovered: http://www.7days.ws/
    Object : C:\Documents and Settings\Wayne\Favorites\




    Performing conditional scans...
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

    VX2 Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\toolbar\webbrowser
    Value : {0E5CBF21-D15F-11D0-8301-00AA005B4383}

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\urlsearchhooks

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\urlsearchhooks
    Value : {C590343E-22C4-112E-50B4-EE7FEE41BC70}

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\hsa
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\se
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : Regkey
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw
    Value : DisplayName

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\windows\currentversion\uninstall\sw
    Value : UninstallString

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Search Bar

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\search
    Value : SearchAssistant

    CoolWebSearch Object Recognized!
    Type : RegValue
    Data :
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft
    Value : set

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : no
    Category : Malware
    Comment :
    Rootkey : HKEY_CURRENT_USER
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : no
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Use Search Asst
    Data : no

    CoolWebSearch Object Recognized!
    Type : RegData
    Data : about:blank
    Category : Malware
    Comment :
    Rootkey : HKEY_LOCAL_MACHINE
    Object : software\microsoft\internet explorer\main
    Value : Start Page
    Data : about:blank

    CoolWebSearch Object Recognized!
    Type : Folder
    Category : Malware
    Comment :
    Object : C:\Documents and Settings\Wayne\local settings\temporary internet files\msft\images-sprem

    CoolWebSearch Object Recognized!
    Type : File
    Data : up.gif
    Category : Malware
    Comment :
    Object : C:\Documents and Settings\Wayne\local settings\temporary internet files\msft\images-sprem\



    Conditional scan result:
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    New critical objects: 20
    Objects found so far: 47

    10:03:28 PM Scan Complete

    Summary Of This Scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Total scanning time:00:13:06.454
    Objects scanned:146804
    Objects identified:47
    Objects ignored:0
    New critical objects:47
     
  2. Gottaminit419?

    Gottaminit419? Private E-2

    remember to only post log files when requested.--that said try downloading Hijack This --unzip it--run it --remove the bad ones--problem solved
    Had the EXACT same problem last week and it even showed up 2 or 3 times upon reboot but HT caught it and killed it. This little bugger will try and reinstall when you go online so be prepped w/ that firewall.


    I run : norton sys works (AV)-- tiny personal firewall- Hijack this(upon boot)-norton crash guard-

    That's worked for me for a long time

    Hope that helped :)
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please do not ask people to post HijackThis logs. We have procedures that must be followed prior to that. And anyone asking someone to post a HijackThis log must be qualified to read them and to provide the proper fixes. Telling someone to
    is not very useful. And if you know anything about these hijackers you would know that will not work. It is just not that simple. HijackThis does not catch anything! The person reading the log has to determine good from bad. Then you must determine how to fix the problem. There are approximately 166 forms of CWS problems and possibly 40 or so forms of about:blank and HSA hijackers. They can require a variety of different procedures to fix.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Wonderboy456,

    Please do not post any logs (including Ad-Aware) unless requested and then they should always be posted as attachments. Please follow the steps below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal. Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    Download and install Microsoft® Windows AntiSpyware and make sure you get the updates but do not run a scan yet.

    Now reboot into safe mode with no network support, make sure you have no browsers opened and then run a full scan with MS Antispyware and let it fix what it finds.

    Now reboot into normal mode.



    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. Gottaminit419?

    Gottaminit419? Private E-2

    Please chaslang do not jump on me, I did not ask him to post a log file and you are correct there are a lot more problems than that. If the guy did not have the time to properly research hijack this then I do not feel that walking him thru it would help him (Please read my posts entirely before making judgments)

    Just trying to help, was not aware I was in your kingdom (LOL) :)
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I understand that you were trying to help but statements like:
    will not be helpful to 99% of all people coming here for help. And it is not as easy as just having HijackThis fix entries. For most of these hijackers that will do nothing more than make it mutate and spread. While there are some very mild forms of these hijackers that are easy to remove, most are not.
     
  7. wonderboy456

    wonderboy456 Private E-2

    I went through Chaslang's before you ask for support steps twice. The first time I wasn't able to do it in Safe Mode for some reason the programs wouldn't run correctly so I started in Normal Mode. The first online scan that he wanted me to do Trend Micro Online Scan, in Safe Mode and Normal Mode it would crash my Internet Explorer and not work so I moved on to the next online scan and that worked fine. All steps worked great in removing some spyware except kill2 me never found anything and spybot would say that there was an error at the end of scanning but it removed something. A note once I start using Ad-Aware to scan I've disconnected from the Internet totally, pulled the plug. I go through HSRemove and restart. I replug in the internet HSRemove says everything should be o.k. you can change your internet home page. I change the home page double check that I have the right versions of spyware removers and plug-ins click my home button and about:blank comes up and only the best pop comes up.

    I go through the whole procedure again this time I've figured out safe mode and get it to work correctly with the programs. Go through everything internet unplugged do scanning some bugs found not as many as first time. Get to HSRemove everything looks great, reboot, replugin the internet, at this time I start to think its my Internet Explorer so I delete shortcuts and startup menu links. I open Internet Explorer and change my home settings this time I didn't go back to check if about:blank would come up but in the first minute on the internet I start to get only the best pop ups.

    I forgot to mention earlier after the first time going through I installed Zone Alarm firewall.

    This is where I'm at I just wanted to update and see if there were any more angles to pursue.

    I'm going to look at Chaslang's second part of his original post that if the scans don't work here is another thing to try.

    Thanks

    Wayne
     
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not need to keep running thru the READ ME FIRST. Just complete what I requested in message number 4 in this thread. That is, properly follow the steps for posting your HijackThis log so we can take care of your problems. If you have a true form of the HSA or about:blank hijacker the tools you are running will not fix it by themselves. Manual procedures along with use of some of those tools is needed.
     
  9. wonderboy456

    wonderboy456 Private E-2

    Thank you for your help in looking at my computer, I appreciate it.

    Here is my Hijack this file.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please download this file: SpSeHjfix109

    Unzip it to your desktop or to a folder.

    Boot into Safe Mode

    Start SpSeHjfix, click on " Desinfecton starten" (the other button means close) then it will reboot and finish the cleaning (save the log).

    Run SpSeHjfix one more time (save the log again).

    Reboot in Normal mode, then open and close one Internet Explorer browser session.

    Run HijackThis again and post a new log. Also post the logs from SpSeHjfix, the log should be on your desktop or the same folder as SpSeHjfix.
     
  11. wonderboy456

    wonderboy456 Private E-2

    Here are the new logs. The SPSEHJFIX said it didn't find anything. It was interesting, after running that SPS fix then rebooting when I tried to open Internet Explorer I received a message that Internet Explorer had encountered a problem with apipl32.dll file an add on and needed to close. So I closed and reopened Internet Explorer and I didn't get that error again. Also the first time that I rebooted into safe mode it asked if I wanted to really reboot because someone was connected to my computer. I'm not networked to any other computers here.

    Sorry if I'm rambling didn't know if any of this is important.

    Thanks for your help.
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Make sure you have both about:Buster and HSremove downloaded from the READ ME FIRST. And make sure you have UPDATED the database for about:buster. I believe it is up to number 26.

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    We need to stop and disable the service indicated below. You should have already done this during the execution of the READ ME FIRST in step 2.
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msvs32.exe" /s (file missing)

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
    On the page that opens, scroll down to Remote Procedure Call (RPC) Helper ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.
    Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the "Config" button, and then the "Misc tools" button ... select "Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

    Remote Procedure Call (RPC) Helper

    If that does not work try entering the short name: 11Fßä#·ºÄÖ`I
    You will need to cut and paste the short name since the characters are not easily typed.

    Now exit HijackThis.

    Now restart HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
    C:\WINDOWS\system32\msvs32.exe
    C:\WINDOWS\ipgk32.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now (DO NOT OPEN ANOTHER BROWSER UNTIL AFTER POWER DOWN AND POWER UP, see below):
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rzceq.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
    R3 - Default URLSearchHook is missing
    O2 - BHO: (no name) - {E3BCCA55-75E7-6990-81F7-0372DB33198A} - C:\WINDOWS\system32\mfcjq32.dll
    O4 - HKLM\..\Run: [ipgk32.exe] C:\WINDOWS\ipgk32.exe
    O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msvs32.exe" /s (file missing)


    Then exit HJT after clicking FIX

    Run Windows Explorer and look for and try to delete (sort the listing in windows explorer by Modification dates and look for possibly other similarly named files from the same date - let me know if you find others):
    C:\WINDOWS\rzceq.dll
    C:\WINDOWS\system32\mfcjq32.dll
    C:\WINDOWS\ipgk32.exe
    C:\WINDOWS\system32\msvs32.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. If you cannot find or delete them, note which ones and continue (tell me the results when you come back here).

    - Run about:Buster and save the log to ab1.log (make sure you let it do the second scan).

    - NOW PULL THE POWER PLUG TO YOUR PC! Yes, you read that correctly. This is very important! I do not want you to power down the normal way.

    - After that wait a minute or two and then power up into safe mode (still with no internet connection available and do not open any browsers). Only run what I request.

    - Now use the same procedure as above to try to delete any files that would not delete in the above step. Note any that still do not delete and continue.

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab2.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
     
  13. wonderboy456

    wonderboy456 Private E-2

    Here are the new log files.

    Something interesting that happened is that when I went to check on the disable restore I unplugged the internet and a page from Internet Explorer tried to open and connect but it wasn't obviously able to since I had disconnected from the Internet already.

    When you asked me to remove the Remote Procedure Call Helper it couldn't find it I had to use the shorter name but there was another step that once I had typed that in it wanted to know if it should delete it. I figured that's what we were going for so I deleted it, and then was able to move on to exiting Hijack This.

    In running Windows Explorer there was only one of the files you had written on there but there are at least 10-20 files that have a name or something just as bizarre as apibg32.dll. Here's a few more examples ntjh32.dll, d30b32.dll, and so on. In the .exe files there are once again between 10-15 files that read sysh32.exe, altor32.exe, wineg32.exe and so on. The interesting thing about a lot of both of these kinds of files is that they have zero K so it would seem they were insignificant. The modification dates for the files were all over the place obviously I seemed to start having trouble a couple of weeks ago and a lot of the files are in that time period.

    So I go through all the steps the way you spelled out I go into Internet Explorer for the first time and literally 2 seconds after the home page opens which wasn't correct, I put in www.majorgeeks.com as my home page and Google comes up. Literally though 2 seconds after opening the home page about the best pop comes up. I shut it down open it again and about:blank is my home page. Pop ups don't happen until about 2 minutes into looking around on Yahoo.

    So this is where I'm at here are the new log files.

    Thank you for your help its been an enlightening experience so far, I hope we get rid of this somehow.

    Wayne
     

    Attached Files:

  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The reason for the problem coming back is because you did not locate, stop and disable the service I requested.

    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msvs32.exe

    You must find this service in the list and stop and disable it. DO NOT disable anything else. It must say Remote Procedure Call (RPC) Helper or 11Fßä#·ºÄÖ`I exactly word for word. If you disable Remote Procedure Call (RPC) or Remote Procedure Call (RPC) Locator, you could make big problems for yourself.

    Go look for the proper service now and stop and disable it. It is there. It shows in your HijackThis log and the process is running. Report back after doing that and post a new HJT log.
     
  15. wonderboy456

    wonderboy456 Private E-2

    That file is deleted. Here is the HJT log.

    Thanks.
     

    Attached Files:

  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HJT logs must be from normal boot mode! Please repost.
     
  17. wonderboy456

    wonderboy456 Private E-2

    Sorry about that. Here is the post in normal mode.

    Thank you.
     

    Attached Files:

  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You MUST remember to exit ALL browsers ( C:\Program Files\Internet Explorer\iexplore.exe ) before using HijackThis. This problem cannot be fixed if a browser is running.

    But note, you still did not stop and disable the service:
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msvs32.exe

    Also note it changed its name to Network Security Service.
     
  19. wonderboy456

    wonderboy456 Private E-2

    Hello again,

    I've followed the steps you laid out in post number 12 four times this evening alone and every time I reestablish a connection to the Internet those corrupt lines come back. It's interesting because I keep making my default www.majorgeeks.com and the first time every time I get back on the internet it takes me to Google and then an about the best pop up comes up.

    That O23 line in the Hijack log will not stay stopped and like you said earlier I saw the name of it change 3 times out of four times.

    Here are my new logs. Sorry I can't be more help.

    Thank you for your help though I know this is probably testing your patience.
     

    Attached Files:

  20. hiramholt

    hiramholt Private E-2

    Didn't know how to properly do this, but I'm trying to remove oinadserve and thought you could help. I followed earlier instructions about downloading and running HijackThis and could use some help.
     
  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read and run the sticky thread steps and please post in your own thread.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Have you been doing the steps while physically unplugged (actually unplug the cable) from the internet?

    You need to print or save these instructions locally because after reading this sentence you will need to physically unplug your connection from your cable, ADSL, or dial-up modem to your PC and then you MUST exit all browsers and DO NOT run any again until requested.

    Okay, unplug your internet connection and exit browsers now!!!!

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\apith.dll
    then click OK. If a dialog box confirming this action appears, click OK.

    End this process using HijackThis's Process Manager: C:\WINDOWS\ipgk32.exe

    And then use the same steps as previous to stop and disable the below service
    O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apprm.exe

    Then have HJT fix the below (make sure NO BROWSERS ARE RUNNING):

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {64C0A8DE-DF46-C97F-4EF2-6F7743228B03} - C:\WINDOWS\apith.dll
    O4 - HKLM\..\Run: [ipgk32.exe] C:\WINDOWS\ipgk32.exe

    Immediately pull the power plug to your PC and wait a minute. Then power back up in safe mode and delete the below (tell me which you find and do not find and which delete and do not delete):
    C:\WINDOWS\system32\xtyuo.dll
    C:\WINDOWS\apith.dll
    C:\WINDOWS\ipgk32.exe
    C:\WINDOWS\apprm.exe

    - Empty your Recycle Bin and delete all files in the c:\windows\prefetch folder. In fact as an additional measure do the following, run Ccleaner that you installed while running the READ ME FIRST.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    - Run HSremove and then run about:Buster again and save the log to ab.log (let it do second scan)!

    - Immediately after about:buster completes, reboot in normal mode. (You do not need to pull the power plug here. Just reboot.)

    - Plug your cable to the internet back in now.

    - Open and close a couple of IE sessions and then with IE closed get a new HJT log.

    - Now come back here and post both about:Buster logs and the new HJT log. And tell me what happened during the procedure.

    Let me know anything else that you notice.
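
Posts 18 and 22 show the O23 service keeping its short name while its display name and image path change, and the res:// DLL changing between logs. The following is an added example, not part of the thread and not a HijackThis or MajorGeeks tool: it parses HijackThis lines quoted in posts 12, 18 and 22 and tracks the service by short name. The regular expressions and function names are assumptions written against the line shapes visible in this thread.

```python
import re
from collections import defaultdict

# HijackThis lines quoted in posts 12, 18 and 22 of this thread, one log each.
SNAPSHOTS = {
    "post 12": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rzceq.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msvs32.exe" /s (file missing)
""",
    "post 18": r"""
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msvs32.exe
""",
    "post 22": r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\xtyuo.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\apprm.exe
""",
}

# The display name may itself contain parentheses, e.g. "(RPC)"; the short
# name is the last parenthesised group before the " - owner - path" tail.
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+) \((?P<short>[^()]*)\) - "
    r"(?P<owner>.+?) - (?P<path>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
RES_DLL_RE = re.compile(r"^res://(?P<dll>[A-Za-z]:\\.+?\.dll)/", re.IGNORECASE)
EXE_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.exe', re.IGNORECASE)


def parse_log(text):
    """Return (services, hijacks) found in one HijackThis log."""
    services, hijacks = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            exe = EXE_RE.search(m["path"])  # drop quotes, args, "(file missing)"
            services.append({
                "short": m["short"].strip(),
                "display": m["display"].strip(),
                "owner": m["owner"].strip(),
                "image": exe.group(0).lower() if exe else m["path"],
                "file_missing": "(file missing)" in m["path"],
            })
            continue
        m = R_RE.match(line)
        if m:
            data = m["data"].strip()
            res = RES_DLL_RE.match(data)
            if res:
                # IE search/start value served from a resource inside a local DLL
                hijacks.append((m["value"].strip(), "res-dll", res["dll"].lower()))
            elif data.lower() == "about:blank":
                # worth review only; the helper in this thread lists it for fixing
                hijacks.append((m["value"].strip(), "about:blank", None))
    return services, hijacks


def track(snapshots):
    """Group 'Unknown owner' services by short name; collect res:// DLLs in order."""
    by_short, dlls = defaultdict(list), []
    for label, text in snapshots.items():
        services, hijacks = parse_log(text)
        for s in services:
            if s["owner"] == "Unknown owner":
                by_short[s["short"]].append((label, s["display"], s["image"]))
        for _, kind, dll in hijacks:
            if kind == "res-dll" and dll not in dlls:
                dlls.append(dll)
    return by_short, dlls


def mutations(history):
    """List display-name or image-path changes between consecutive sightings."""
    changes = []
    for (_, d0, i0), (label, d1, i1) in zip(history, history[1:]):
        if d0 != d1:
            changes.append((label, "display", d0, d1))
        if i0 != i1:
            changes.append((label, "image", i0, i1))
    return changes


if __name__ == "__main__":
    by_short, dlls = track(SNAPSHOTS)
    for short, history in by_short.items():
        print(f"service short name {short!r}: seen in {len(history)} logs")
        for change in mutations(history):
            print("  changed:", change)
    print("res:// DLLs seen, in order:", dlls)
```

Matching on the display name or on a file name would miss the later logs; the short name is the one field that stays constant across all three.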
     
  23. wonderboy456

    wonderboy456 Private E-2

    Yes I've been physically unplugged from the Internet. I have wireless Internet but I've been unplugging the ethernet cable that goes to my wireless hub. There should be no signal coming through.

    The other interesting thing is that when I go through to delete O23 line in Hijack this's delete NT service the only thing it recognizes is the numbers and funky letters in the parentheses, it doesn't recognize the Network Security Service (NSS).

    I really just wanted to let you know that I was physically disabling from the Internet.

    I'll try your latest suggestions as soon as I can.

    Thanks.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's typical and that is why I added that step.


    One other important note. Anytime you post a log for me to look at, do not power down or reboot your PC after posting the log. If you do, the problems could mutate and spread making any suggested fixes useless.
     
  25. wonderboy456

    wonderboy456 Private E-2

    I started the way you said to by finding out if regsvr32 /u C:\WINDOWS\apith.dll appears as an action and it did. The file that ended with jpgk32.exe was able to be killed. Just so you know I unplugged from my internet this time by unplugging the ethernet cable from the back of the computer not at my hub. When I go to disable the Network Security Service the first time I hit stop, then disable, then apply, then o.k. After I go to HJT it says that the Network Security Service is still running so I go through the procedure for a second time. I hit stop, then disable, then apply, then o.k. I go to HJT and delete the NT service, this time it lets me. I go to the fix section and find everything that you said and fix everything works but it does give me a warning box saying to make sure to be off Interent or browsers but I'm not running anything and am unplugged from the internet so I hit o.k.

    I found 3 out of the 4 files I was supposed to find in the windows and system32 files. The one I didn't find was jpgk32.exe. Everything is running smoothly nothing different happening so I'm at the rebooting point in normal mode and once I do this as soon as it comes back up this red shield down in my taskbar comes up and says that my computer may be at risk and if I click the balloon this will fix the problem. Now this isn't the first time that this shield has come up but I just wonder if this could potentially be something that has something attached to it so that if I do press or close that balloon then it triggers something. I don't want it in my taskbar anyway so I would love to know how to delete it.

    I open IE and I've reset everything to come up as majorgeeks.com and Google starts up no pop ups this time so I shut it and open it again and about:blank is my home page.

    So here are the new log files.

    Thanks.
     


  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to make sure you read the steps properly or you will never get this fixed. It was not jpgk32.exe. The file name was ipgk32.exe and it is still there but others have mutated. Your problem items are now:

    C:\WINDOWS\appnc32.exe
    C:\WINDOWS\ipgk32.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\gfybs.dll/sp.html#10001
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {14A8A5FE-B57D-0B1C-6508-01E9615DFBD7} - C:\WINDOWS\addwb.dll
    O4 - HKLM\..\Run: [ipgk32.exe] C:\WINDOWS\ipgk32.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appnc32.exe

    We have fixed probably on the order of 1000 of these but it is necessary to follow the steps exactly and you must make sure you locate any other similarly named problem files. See if you can use the above info to redo the procedure. If not, I will write it up for you once again. If you fail to get it cleaned this time, I will have to insist that you run the long Generic Procedure.
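
Added example, not part of the original post or of HijackThis: a small triage pass over HijackThis-format lines that flags the entry patterns listed above and collects only the files those entries reference. The function names, the heuristics and the sample log are assumptions constructed for illustration.

```python
import re

# Constructed sample in HijackThis log format, modelled on the entries quoted in
# the post above; the garbled service name is replaced by a placeholder and the
# R0 and ExampleAV lines are invented benign entries for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\gfybs.dll/sp.html#10001
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: Class - {14A8A5FE-B57D-0B1C-6508-01E9615DFBD7} - C:\WINDOWS\addwb.dll
O4 - HKLM\..\Run: [ipgk32.exe] C:\WINDOWS\ipgk32.exe
O23 - Service: Remote Procedure Call (RPC) Helper (xx#yy) - Unknown owner - C:\WINDOWS\appnc32.exe
O23 - Service: Example AV Service (ExampleAV) - Example Vendor - C:\Program Files\ExampleAV\avsvc.exe
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
WIN_PATH = re.compile(r"[A-Za-z]:\\[^/\r\n]*?\.(?:exe|dll)", re.I)
# Matches a file sitting directly in the Windows folder, not in a subfolder.
WINDOWS_ROOT = re.compile(r"^C:\\WINDOWS\\[^\\]+$", re.I)


def triage(log_text):
    """Return (code, reason, path) for entries matching the thread's patterns."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        code, body = m["code"], m["body"]
        hit = WIN_PATH.search(body)
        path = hit.group(0) if hit else None
        loose = bool(path and WINDOWS_ROOT.match(path))
        if code in ("R0", "R1") and "res://" in body:
            findings.append((code, "IE setting points into a local DLL resource", path))
        elif code in ("R0", "R1") and body.endswith("= about:blank"):
            findings.append((code, "IE default page set to about:blank", None))
        elif code == "O23" and "Unknown owner" in body and loose:
            findings.append((code, "unknown-owner service run from the Windows folder", path))
        elif code in ("O2", "O4") and loose:
            findings.append((code, "BHO/Run entry loads a file from the Windows folder", path))
    return findings


def files_to_review(findings):
    """Only the paths the flagged entries reference, never name look-alikes."""
    return sorted({p.lower() for _, _, p in findings if p})


if __name__ == "__main__":
    for code, reason, path in triage(SAMPLE_LOG):
        print(f"{code:4} {reason}: {path or '-'}")
    print(files_to_review(triage(SAMPLE_LOG)))
```

The file list comes only from paths named in flagged log entries, so system DLLs that merely look similar by name are never candidates.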
     
  27. wonderboy456

    wonderboy456 Private E-2

    The one thing that I wanted to say is that I understand that it was probably frustrating that I made a mistake the last time in finding the correct .exe file and I understand that you've helped 1000 people with this similar problem, the only thing is that I'm a novice at fixing my computer and you were getting into some areas that I have NEVER been in before. So as a result of your very stern posting last time I followed the steps again and this time I tried to find and delete EXACTLY everything you wanted and I also deleted anything that looked similar. Now here's an interesting question, if you're helping someone who has never been in his windows folder or his windows system 32 folder then how would I know what to delete that would be similar, because now I've deleted 2 files that I need to run a couple of programs, but they looked like something that I should delete. So as perfect as your directions were and needed to be followed to the letter there is a flaw in how you present some of it.

    Even though I'm a little upset that I've deleted things that I shouldn't have it appears that I have deleted what was causing the problem and would like to say thanks for the help in defining where the problem was and directing me to it. I've run IE a couple of times and there have been no pop-ups and majorgeeks.com comes up as my home page.

    So thank you for your time and help once again.

    I know you probably won't want to help but if I deleted an OLEPRO32.DLL for IntelMem.exe and something for Real Play.exe called MSFW32.dll and MSVFW32.dll where would I go to get these items?
     


  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I understand that it is frustrating and difficult for you to understand this stuff. And I'm sorry you deleted files you needed but the key was in my previous message # 12 which I'll highlight below.
    I know I did not use those exact words in the last message. It gets difficult to have to keep repeating things over and over.

    If you had followed the steps in message #12 properly we would have been fixed at that point. Yes I understand it is difficult for you. It is not easy from my end either. All I can do is provide instructions and hope that they are followed properly without skipping anything or changing anything. I never know what is really being done and quite often when things do not work that I know should work, it is frustrating for me too.
     
    Last edited: May 11, 2005
  29. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  30. wonderboy456

    wonderboy456 Private E-2

    Thanks for posting back.

    The trouble I was having was that the modification dates seemed to be all over the place not one specific day so that all of a sudden I could see a pattern and delete everything so instead I went with similar type of file name, and that's where I got into trouble.

    The other interesting thing that happened was that after I reset my web settings I had forgotten to connect back to the internet so the first time I had opened my web page it defaulted to google.com again but since I wasn't connected it told me that the page couldn't be found so then I went to my web settings again and was able to change it to majorgeeks.com then everything has been going smoothly from there.

    I found the two files I needed for now, the olepro32.dll and the msvfw32.dll but when I first restarted it gave me the other msfw32.dll file but I haven't seen it again so I'm probably good. We'll see what other programs go haywire but nothing so far.

    Thanks for the help and hopefully we won't have to go through this again...........EVER.
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Happy to see you got your files back. While no one can guarantee that any particular steps will absolutely protect you from problems like this, the steps in the below link will help to minimize problems. You already have the antivirus and firewall. Make sure you check the rest of the steps including using FireFox. While FireFox is not perfect either, it is not prone to many of the problems like about:blank and HSA hijacks that IE has. You will not be able to use Firefox exclusively because some sites (like Microsoft) will require IE, but you will be able to use it on most. I think you will also like the interface and may notice that it is faster than IE. So complete the steps in the below link:

    How to Protect yourself from malware!
     
  32. wonderboy456

    wonderboy456 Private E-2

    I've lost my KERNEL32.dll from my last deletions and it seems to be messing with my games and certain video.

    Is this where I should get answers to this or should I start a new thread somewhere else?
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should be able to get a copy of kernel32.dll from
    c:\windows\system32\dllcache

    Or from your c:\i386 or c:\windows\i386 folders if you have them.
     
