Trojan horse Downloader.Agent.BF and Winshow.AN

Want2BSaint · Jun 27, 2004

Hello,

I was trying to decipher the directions on isaac987's messages, but I'm getting a little overwhelmed. I have these trojans, that my AVG keeps picking up.

I have a Windows XP professional, version 2002, service pak 1 my computer is AMDAthlon [TM] XP 1700+, with 1.46 GHz and 224 MB of RAM. I have a cable Modem. I have a free download of AVG and Norton System Work's 2003 edition. Both have been updated regularly, including today. AVG keeps picking up on these two Trojan horses. I can run the AVG and it clears them, until I go to open my IE browser, than the same trojans show up again and again. All in C:\WINDOWS\"...whatever".exe, and some in C:\WINDOWS\system32\"...whatever".exe, with differant names.

I have run AVG, Norton SW, Ad-Aware, Spybot S&D, and have cleaned things up consistantly, until I reboot and as soon as anything connects to the internet, i.e. my AIM, the virus warnings come up. I run AVG, they are cleared, I open my browser, they're back. Ironically, If I run my AVG WHILE I'm on the internet, it will clear the viruses, and then don't come up again, unless I close my browser, and then re-open, then they automatcally start popping up again. My homepage has been hijacked and sometimes re-routes to MSN (which I never have used before) and then when I try to reset it, it goes back to nothing. The web address that shows up in my browser is "res://ozwiw.dll/index.html" with a "cannot access" page.

As I tried to read through isaac987's notes, I tried to run what he suggested with the Ad-Aware and Spybot in safe mode (I can run Norton in safe mode, but not the AVG. It won't open up). But again, when I rebooted, the same virus warnings from AVG appear. Could you PLEASE help? I'm not real computer literate, but I can follow step by steps fairly well... I am attaching my HighJackThis report, if you wouldn't mind having a look at it as well.... Thank you SOOO Much!

Logfile of HijackThis v1.97.7
Scan saved at 10:31:08 PM, on 6/26/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
C:\WINDOWS\system32\atldr.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spider.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Emiley\My Documents\HijackThis File\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=141
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FCB8770E-2441-C956-E35E-C9C4850ADE15} - C:\WINDOWS\system32\ieuq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iestart] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [mfcru32.exe] C:\WINDOWS\mfcru32.exe
O4 - HKLM\..\RunOnce: [mfcgp.exe] C:\WINDOWS\mfcgp.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\2.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.6638657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Major Attitude · Jun 27, 2004

Try a Trojan Removal tool from our antivirus section. Also, close all running programs before posting your log to be sure that it is smaller. You have a ton of unneded programs running.

Want2BSaint · Jun 27, 2004

Okay,
I looked on your anti-virus page and was wondering what the differance was between the anti-virus, the spy-ware removal, and the trojan removals were? There didn't seem to be any specific trojan removals that were free?... I have already run the Ad-Aware and the SpyBot S&D.

Here is what my computer is doing now. As soon as the computer is booted up, the warnings for these two viruses start popping up from AVG. I can run AVG and get rid of them, and for now, I can even open and close my browser with out having the warning pop ups reacure like they were doing yesterday. However, if I shut down the computer and reboot, they come right back. The homepage of my browser seems to be fixed, though. The following is a HJT log that I made this morning AFTER I ran the AVG.

Thanks for the help.

Logfile of HijackThis v1.97.7
Scan saved at 11:12:33 AM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
C:\WINDOWS\system32\atldr.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Emiley\My Documents\HijackThis File\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=141
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FCB8770E-2441-C956-E35E-C9C4850ADE15} - C:\WINDOWS\system32\ieuq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iestart] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [iekn32.exe] C:\WINDOWS\iekn32.exe
O4 - HKLM\..\RunOnce: [d3ac32.exe] C:\WINDOWS\d3ac32.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\2.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.6638657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Want2BSaint · Jun 27, 2004

I'm really sorry, but I've screwed up here, somewhere... The warning pop ups are back, anytime I open my browser. Here is my HJT log prior to my running AVG. I'm going to run it now, and wait for your reply... Thanks, again.

Logfile of HijackThis v1.97.7
Scan saved at 12:09:36 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
C:\WINDOWS\system32\atldr.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Emiley\My Documents\HijackThis File\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozwiw.dll/sp.html#21259
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozwiw.dll/index.html#21259
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ozwiw.dll/index.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ozwiw.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ozwiw.dll/index.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ozwiw.dll/sp.html#21259
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FCB8770E-2441-C956-E35E-C9C4850ADE15} - C:\WINDOWS\system32\ieuq32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iestart] C:\Program Files\Windows Media Player\wmplayer.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKLM\..\RunOnce: [iekn32.exe] C:\WINDOWS\iekn32.exe
O4 - HKLM\..\RunOnce: [d3ac32.exe] C:\WINDOWS\d3ac32.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\2.bin\MWSOEMON.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWay\bar\2.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZSzeb001
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Debt Solutions - http://213.159.118.226/tools.php?qq=Debt+Solutions
O8 - Extra context menu item: Party Poker - http://213.159.118.226/tools.php?qq=Party+Poker
O8 - Extra context menu item: Party Poker.com - http://213.159.118.226/tools.php?qq=Party+Poker.com
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Party Poker.com (HKLM)
O9 - Extra 'Tools' menuitem: Party Poker (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Debt Solutions (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.6638657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Want2BSaint · Jun 28, 2004

Okay,

Can someone PLEASE helpme?!! I have STILL been unable to get rid of this thing. I have done the HJT log, and went through it with the directions that were left by "Major Grumpy" and then I found a Trojan Horse remover that I ran and it still comes up the same. Downloader.Agent.BF and Downloader.Winshow.AN warnings from AVG. I can clear them with the AVG but they reappear when I close and reopen my browser, or when I reboot the computer, or sometimes when I switch from page to page on the internet.. I AM SO FRUSTRATED!!! Will someone PLEASE look at my HJT log and tell me if there is anything I missed? and, oh, BTW, My homepage has been hijacked and redirected to MSN.com, again....

Thanks again!

Logfile of HijackThis v1.97.7
Scan saved at 11:00:39 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\atldr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Emiley\My Documents\HijackThis File\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mjynq.dll/sp.html#21259
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8E0C3EB6-1569-6F50-9A73-3C96164869C2} - C:\WINDOWS\iehf32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.6638657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

chaslang · Jun 28, 2004

You have the Only the Best hijacker. Stop what ever you have been doing your only making it worse. See my instructions in some of the other threads and see if you can follow (substitute in your files though) . I cannot do it right now (gotta get some sleep). The items you need to look at and compare to other threads are:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mjynq.dll/sp.html#21259

O2 - BHO: (no name) - {8E0C3EB6-1569-6F50-9A73-3C96164869C2} - C:\WINDOWS\iehf32.dll
O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe

Previous log also had:
O4 - HKLM\..\RunOnce: [iekn32.exe] C:\WINDOWS\iekn32.exe
O4 - HKLM\..\RunOnce: [d3ac32.exe] C:\WINDOWS\d3ac32.exe

Here are some threads with the example procedures:
http://www.majorgeeks.com/vb/showthread.php?t=35815
http://www.majorgeeks.com/vb/showthread.php?t=35808

Want2BSaint · Jun 28, 2004

Okay, thanks, I'm going to follow these other instructions as best I can. One thing...

The lines you listed were ones I had put question marks by, because I wasn't sure. the line:

O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe

ALSO shows up here at the begining section:

C:\WINDOWS\system32\atldr.exe

Does that mean anything? And ALSO, the TWO "Run once" entries

O4 - HKLM\..\RunOnce: [iekn32.exe] C:\WINDOWS\iekn32.exe
O4 - HKLM\..\RunOnce: [d3ac32.exe] C:\WINDOWS\d3ac32.exe

are, this morning, THREE entries, with differant names....

I will do the other that you suggested and get back. Thank you.

Want2BSaint · Jun 28, 2004

I'M GOING TO SCREAM!!!!! I can't even get past #5 of your instructions!! I put in the "Run bar" "notC:\WINDOWS\mjynq.dll" according to my HJTlog, and it says that it cannot find this file.... Now what?...
Thanks again....

chaslang · Jun 28, 2004

Want2BSaint said:

I'M GOING TO SCREAM!!!!! I can't even get past #5 of your instructions!! I put in the "Run bar" "notC:\WINDOWS\mjynq.dll" according to my HJTlog, and it says that it cannot find this file.... Now what?...
Thanks again....
Click to expand...

You were supposed to put in "notepad C:\WINDOWS\mjynq.dll" (without the quotes).

Before doing that double check with HijaakThis to make sure that is still your DLL filename.

Want2BSaint · Jun 28, 2004

I DIDN'T put in the quote marks.... And I JUST did a scan before I started with direction #1. I will try it again....

chaslang · Jun 28, 2004

But you said you did this "notC:\WINDOWS\mjynq.dll"

Notice you said "not" you did not say "notepad" and there was no space between notepad and the filename.

Want2BSaint · Jun 28, 2004

My apologies... the "AVG Warning" pop up appeared as I was typing... I put in notepad...etc... just as you instructed. Here is my HJT log that i JUST did, and I tried to do your instructions again step by step, but I can't get past #5. I put in -- notepad C:\WINDOWS\system32\mjyng.dll -- and I get the message: "Cannot find C:\WINDOWS\mjynq.dll file. Do you want to create a new file?" and I respond "no" and here I am again... could it be that I shouldn't put a space between the "notepad" and "C"? I didn't try that. Thanks...

Logfile of HijackThis v1.97.7
Scan saved at 11:00:53 AM, on 6/28/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\system32\atldr.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Emiley\My Documents\HijackThis File\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mjynq.dll/sp.html#21259
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {8E0C3EB6-1569-6F50-9A73-3C96164869C2} - C:\WINDOWS\iehf32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [atldr.exe] C:\WINDOWS\system32\atldr.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.6638657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Want2BSaint · Jun 28, 2004

I have tried every way I know how to follow your steps, and I can't get past #5 without the same message

"Cannot find C:\WINDOWS\mjynq.dll file. Do you want to create a new file?"

But when I look at the HJT log, it is STILL there. So I am back to square one... Should I try and skip to #6?

Should I go to the HJT log and check it and the other's you told me to look at, off?

Can you sence my frustration?....

Thanks for the help

chaslang · Jun 28, 2004

No do not create the file and do not do anything else with HijaakThis yet.
Please make sure you setup Win XP search options by doing the following: Click Start, Search, All files and folders, select More advance options, make sure the Seach system folders, Search hidden files and folders, and Search subfolders options are selected.

Then click back, select All files and folders again and enter: mjynq.dll

See if it shows up anywhere on your PC. All check c:\windows, c:\windows\system, and c:\windows\system32 for any files with the .DAT extension but look for ones that are similar to how the problem as shown in EXE and DLL files. That is, look only in those three directories and look for 3 to 5 character long filenames with .dat extension or 3 to 5 character long filenames+32 with .dat extension, also sort the Windows Explorer by modification date to find the more recent items.

Example filenames:
mjynq.dat
iekn32.dat
d3ac32.dat

Also, please do the following:
1) go here and download Registrar lite and install it: http://www.resplendence.com/reglite
2) Run it, copy and paste this line to reglite's address bar:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
3) Click the "go" tab
4) Find: "Appinit_Dlls" value on the right side panel.
5) DoubleClick, copy and post what you find in the two fields shown below into your next post:
-Size:
-Value:

Want2BSaint · Jun 28, 2004

If I did the searches correctly, they came up a big "0". nothing. nada. I put the differant file names in the top search bar: c:\windows, c:\windows\system, and c:\windows\system32, and then put the file names "mjynq.dll" and "mjynq.dat" in the second bar with each of the ones you suggested then hit search. Nothing found...

Here is what I found after I downloaded and ran the registrar thing you sent:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Size: 3
Value: 15

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Size: 4
Decimal: 10000
Hexadecimal: 00002710
Binary: 00000000000000000010011100010000

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Size: 4
Value: yes

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Size: 1
Value: (it was blank...)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Size: 3
Value: 90

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Size: 4
Decimal: 10000
Hexadecimal: 00002710
Binary: 00000000000000000010011100010000

Hope that was what you were looking for....

Want2BSaint · Jun 29, 2004

I think it's getting worse...

I was able to run AVG and stop the warning pop ups, as long as i didn't shut down the computer... When I reboot they come back. But now they are back with a vengence, and when I run AVG, there are now 5 viruses that AVG says it can't get rid of....

C:\WINDOWS\NTAV.EXE
C:\WINDOWS\IPDY32.EXE
C:\WINDOWS\MSST32.EXE
C:\WINDOWS\NTAV.EXE
C:\WINDOWS\N_CYBRYP.DAT

And that was the last scan I ran AFTER I updated.... I'm afraid I'm gonna have to wipe everything out.... Is there any chance I can fix this?

Thanks. I think I'm shutting down for the night....

chaslang · Jun 29, 2004

For the Registrar Lite request, I was only looking for info on AppInit_DLLs (if it was present). Based on your info, it would appear that you did not see AppInit_DLLs. It should have look like an image I posted on Page 2 of the following thread on 6-15-04, 14:04

http://www.majorgeeks.com/vb/showthread.php?t=34786&page=2&pp=20

chaslang · Jun 29, 2004

Trying giving the lastest version of Ad-aware a run (make sure you have the correct reference file). See this link, it implies that it fixes this problem. Run it and please let us know the results ASAP.
http://www.majorgeeks.com/vb/showthread.php?t=35917

If it does not work (tell us) then try the new HSremove tool:

http://www.majorgeeks.com/download4284.html

Let us know if it works if Ad-aware has not already fixed it.

Want2BSaint · Jun 29, 2004

YIPPEE!!! The Ad-Aware, after update, and running in safe mode, seems to have cured the problem! But here is my latest HJT log. Should I go through and clean it up per the HJT How to? I want to make sure that I get the garbage out for good...

Thanks again! Things are FINALLY looking up!

Want2BSaint · Jun 29, 2004

Oops... forgot the log...

Logfile of HijackThis v1.97.7
Scan saved at 9:01:27 AM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Emiley\My Documents\HijackThis File\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=141
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mjynq.dll/sp.html#21259
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {77B4D17F-8699-0626-B36D-5DEB57115F3F} - C:\WINDOWS\system32\msqx32.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38090.6638657407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash5r42.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

seahag035 · Jun 29, 2004

I am having same troubles with both of those plus another computer with Dialer8.U. Ditto on the AVG, Spybot, and AdAware. I got Hijak this but find it a little confusing although it did help to some extent. I got SpySweeper from Webroot and it has prevented the hijacker from stealing my homepage, repeatedly, as well as the same stuff Spybot did, I think it's a better program unless someone tells me otherwise

Still having the browser troubles, my hair is almost gone, I'm fried on this crap!

Want2BSaint · Jun 29, 2004

Did you try doing the Ad-Aware as I was instructed?... It seems to have solved my problem. I went back and fixed the R1's I didn't recognize on the Hijack This Log, as well.

This is what worked for me... yesterdays post at 21:34 :

>>>"Trying giving the lastest version of Ad-aware a run (make sure you have the correct reference file). See this link, it implies that it fixes this problem. Run it and please let us know the results ASAP.
http://www.majorgeeks.com/vb/showthread.php?t=35917

If it does not work (tell us) then try the new HSremove tool:

http://www.majorgeeks.com/download4284.html

Let us know if it works if Ad-aware has not already fixed it."<<<

I DID NOT have to do the second suggestion, as the first seems to have worked. Check the link that was left and give it a try...

chaslang · Jun 29, 2004

Want2B,

Are you sure you are running ok? Have you tried going to a few websites, do some searches at other websites etc? I still see remnants of the hijacker in your log. For example these lines:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\mjynq.dll/sp.html#21259
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\mjynq.dll/sp.html#21259
O2 - BHO: (no name) - {77B4D17F-8699-0626-B36D-5DEB57115F3F} - C:\WINDOWS\system32\msqx32.dll

Also you have (not related to the hijacker) a task which was dropped onto your PC when you ran the free “hidden pornography” scanner from PuritySCAN.com. You should have HijaakThis fix the next line and the delete that file after booting in safe mode:

O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe

See the following link and scroll down to wintsvcc for more info:
http://www.answersthatwork.com/Tasklist_pages/tasklist_w.htm

Want2BSaint · Jun 30, 2004

Okay, Well, I already fixed the three R1's, but must have missed the 02 - BHO...

The

O4 - HKCU\..\Run: [WCPC] C:\WINDOWS\System32\wintsvcc.exe

was on that list that you had referred to on the HJT tutorial, and there was a red question mark next to it, and I wasn't sure what that meant, and apparently, with everything else, I forgot to ask...

Now, should I ALSO follow the removal directions on the link you posted re: the "wintsvcc.exe"? or just get rid of it with the HJT in Safe Mode? Also, how do I delete a file? You said to delete the file after I reboot into safe mode?

Now, as a side, my husband SWEARS that he has never downloaded a free PURITYScan.com remover (which is likely, as he doesn't like to mess to much with the computer, other than surfing, and OBVIOUSLY it's not always wholesome... I digress...). Anyway, I was wondering if there was any other place this wintsvcc.exe would have come from?... Not that it matters, I guess....

So, reboot in safe, run HJT and check those things? correct? Incidently, after a day of bliss and not having any pop ups, this evening, they once again appeared... So I guess I'm not out of the woods yet. I will try the Ad-Aware thing again, first, as I did before, and then the other on HJT. and THEN maybe?

Thanks, again.

chaslang · Jun 30, 2004

You can try the quick method I gave you on trying to remove this PurityScan stuff but according to the link I gave you, it may just come back. You will have to see after reboot. You can then try to work thru the info at that link (It probably is not necessary to have that program they mention "The Ultimate Troubleshooter.)

If you popups are back, download the latest HijaakThis just released: http://www.majorgeeks.com/download3155.html

and post a new log. Don't forget to shut all other programs down (including things in your system tray) before running HijaakThis.

You need to get a firewall and a spyware blocker on your PC. Check this info out:

How to protect yourself and things to have (copied from Xflat)
Anti Virus
http://majorgeeks.com/download1968.html Avast
http://majorgeeks.com/download886.html AVG
The top two hands down. Beat the heck out of Norton or McAfee (garbage)
Only run ONE AV!!!!!

Firewall
Don't care if your on dial up or High Speed....you must have a firewall
http://majorgeeks.com/download738.html Kerio
http://majorgeeks.com/download3356.html Sygate
Temp File/Cookies/index.dat cleaner
http://majorgeeks.com/download4191.html
Let em follow themselves around

SpyWare Prevention (Notice I did not say scanner...yet)
http://majorgeeks.com/download2859.html SpyWare Blaster...
http://majorgeeks.com/download3045.html SpyWare Guard.....

SpyWare Scanners/Removers
http://majorgeeks.com/download2471.html SpyBot ( I don't activate the TeaTimer)
http://majorgeeks.com/download506.html AdAware

Want2BSaint · Jun 30, 2004

I DON't HAVE A FIREWALL?? News to me.... Okay, well, I was just going to send my latest HJT log, but I will update the HJT and scan again, before I do that...

Thanks

Want2BSaint · Jun 30, 2004

sorry...

Also, I already have the free AVG on my computer. Should I disable the norton system works, or get rid of it all together?
And as for the Firewalls, Spyware prevention and Spyware scanners, should I pick one from each that you suggested?

I think that's all now...

chaslang · Jun 30, 2004

Well you do have one as part of WinXP but I believe it is not enabled by default. The ones recommended are probably better though.

Want2BSaint · Jun 30, 2004

Here's the new HJT log

Thanks

Logfile of HijackThis v1.98.0
Scan saved at 10:21:26 PM, on 6/29/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\INCRED~1\bin\ImApp.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\spauthserv.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/flash/index.cfm?division=141
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [Rosary Reminder] C:\PROGRA~1\VIRTUA~1\reminder.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\dllcache\services.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Emiley"
O4 - HKCU\..\Run: [IM] C:\Program Files\RRIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [logon.exe] c:\windows\system32\logon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Startup: PowerReg Scheduler.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://www.otxresearch.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/en/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab

Want2BSaint · Jun 30, 2004

Besides fixing:

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=

and

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Anything else I missed?

Also, should I download all 3 of the firewalls listed? Is that what you meant by "let 'em follow themselves around"?

And then the Spyware Prevention: one or both?

Scanners/Removers: one or both?

Thanks, again!

chaslang · Jun 30, 2004

Want2BSaint said:

Besides fixing:

R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=

and

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

Anything else I missed?

Also, should I download all 3 of the firewalls listed? Is that what you meant by "let 'em follow themselves around"?

And then the Spyware Prevention: one or both?

Scanners/Removers: one or both?

Thanks, again!
Click to expand...

Too tired to look at log right now.

Only download one firewall. Sygate is free. (by the way there is a free version of ZoneAlarm here too). There were only two firewalls listed the other line is for Temp File/Cookies/index.dat cleaner. I forgot to put it in bold. The file name is appropriately called CrapCleaner.

The spyware prevention tools listed work together. And as far as scanners, always use more than one. Keep at a minimum Ad-aware and SpyBot S&D on your PC.

Want2BSaint · Jun 30, 2004

Latest Glitch...

I ran the HJT again this morning and have been trying to fix :

F0 - system.ini: Shell=

But it just reappears on re-scanning....

AND I don't know what this is and if I need to do anything with it:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

I have put on the security stuff you reccommended: the CCleaner, Sygate, SpywareBlaster and SpywareGuard, as well as already having the Spybot and AdAware.

I had another AVG warning for the "downloader.Agent.BF", when I first got to my computer this morning, and ran AVG, but it came up with nothing. So I'm not sure what that was about. I haven't had any more warning pop ups, though, since, and I have shut down and rebooted several times... Any ideas?

chaslang · Jun 30, 2004

Leave those new lines in HijaakThis alone. They are both okay the way they are. If other information appeared on those lines, there could be trouble.

Does thie "AVG warning for the "downloader.Agent.BF" point to any particular files? There could be remnants of this hijacker remaining in your c:\windows and c:\windows\system32 folders.

Also try setting up Ad-aware for a full scan and see if it helps. Here's how:
http://www.lavahelp.com/howto/fullscan/index.html

Want2BSaint · Jun 30, 2004

The Warnings pop up only occassionally. And the file name is usually differant. But the name is always "Downloader.Agent.BF" .

The last one came up about an hour ago:

"C:\System Volume Information\_restore{35924BA3-7AC7-493C-9F35-96FB2565B373}\RP\A0002787.EXE
And I ran AVG, and it came up with nothing infecting my computer at this time....

i will try the AdAware again, as you suggest, and let you know what happens...

Want2BSaint · Jun 30, 2004

AdAware, set up for Full Scan came up with 16 new objects. Wait and see what happens, now?

chaslang · Jun 30, 2004

Want2BSaint said:

AdAware, set up for Full Scan came up with 16 new objects. Wait and see what happens, now?
Click to expand...

Was it successful at fixing/removing them?

chaslang · Jun 30, 2004

Want2BSaint said:

The Warnings pop up only occassionally. And the file name is usually differant. But the name is always "Downloader.Agent.BF" .

The last one came up about an hour ago:

"C:\System Volume Information\_restore{35924BA3-7AC7-493C-9F35-96FB2565B373}\RP\A0002787.EXE
And I ran AVG, and it came up with nothing infecting my computer at this time....

i will try the AdAware again, as you suggest, and let you know what happens...
Click to expand...

The A0002787.EXE is from system restore. I though we had disable that along time ago. If not, the only way to get rid of this one is to disable system restore and reboot. You can re-enable system restore later when everything is cleaned up. Then create a new restore point.

Want2BSaint · Jul 1, 2004

uuuuuuuuuuuhhhhhhhhhhh................... Okay, now I feel REALLY dumb.... I DID disable the system restore a LONG time ago, but not really understanding what it was or used for, AFTER I tried what ever it was that I did, and it didn't seem to work, I went back and unchecked it again, so as not to "mess" anything up... It's an "issue" I have with putting things back the way I found them... Okay, so, I checked it back again. So far, no pop ups today... I'll keep you posted...

Thanks, again!

chaslang · Jul 1, 2004

Want2BSaint said:

uuuuuuuuuuuhhhhhhhhhhh................... Okay, now I feel REALLY dumb.... I DID disable the system restore a LONG time ago, but not really understanding what it was or used for, AFTER I tried what ever it was that I did, and it didn't seem to work, I went back and unchecked it again, so as not to "mess" anything up... It's an "issue" I have with putting things back the way I found them... Okay, so, I checked it back again. So far, no pop ups today... I'll keep you posted...

Thanks, again!
Click to expand...

No problem! After you are sure you have everything all cleaned up and things look like they are working smoothly be sure to enable system restore again.

Want2BSaint · Jul 2, 2004

Okay, we have gone at least 24 hours without any warning pop-ups. Is that long enough? should i enable the system restore, again, now?

Thank you, again, for all your help!

chaslang · Jul 2, 2004

Want2BSaint said:

Okay, we have gone at least 24 hours without any warning pop-ups. Is that long enough? should i enable the system restore, again, now?

Thank you, again, for all your help!
Click to expand...

Sounds okay to me! As long as you have done at least 1 or 2 power down reboots (yes power down. Not just reboot) during that time frame. If you have not done a power down and then a reboot, do so. If it is still okay, enable System Restore.

Also Create a Manual System restore point. See this: http://www.microsoft.com/windowsxp/using/helpandsupport/getstarted/ballew_03may19.mspx

And your welcome!!

Log in or Sign up

Trojan horse Downloader.Agent.BF and Winshow.AN

Want2BSaint Private E-2

Major Attitude Co-Owner MajorGeeks.Com Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

seahag035 Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Want2BSaint Private E-2

chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Useful Searches