TheTechGuide Forum

General Category => Tech Clinic => Topic started by: jen3ca on January 23, 2006, 10:49:19 PM

Title: highjack this log
Post by: jen3ca on January 23, 2006, 10:49:19 PM
Here is my HijackThis log. I was just wondering if someone would look over this and tell me what to check.

Logfile of HijackThis v1.99.1
Scan saved at 10:40:32 PM, on 1/4/80
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSOEMON.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu (http://\"http://server224.smartbotpro.net/7search/?new-hkcu\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm (http://\"http://server224.smartbotpro.net/7search/?new-hklm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm (http://\"http://default-homepage-network.com/start.cgi?new-hklm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YS2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\BAR\1.BIN\MWSOEMON.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZCxdm491YYCA (http://\"http://bar.mywebsearch.com/menusearch.html?p=ZCxdm491YYCA\")
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwe...tup1.0.0.15.cab (http://\"http://ak.imgfarm.com/images/nocache/funwebproducts/ei/CursorManiaFWBInitialSetup1.0.0.15.cab\")
Title: highjack this log
Post by: guestolo on January 23, 2006, 10:52:37 PM
Can I get you to post an uninstall list, please?
Open Hijackthis>>Open Misc tools section>>Open Uninstall manager
Click the SAVE LIST button
Save this list to your desktop, then copy and paste back here the whole contents
Title: highjack this log
Post by: jen3ca on January 24, 2006, 08:41:37 PM
Adobe Acrobat 5.0
ArcSoft PhotoStudio 2000
Big Fish Games Toolbar
Caere Scan Manager 5.1
Corel WordPerfect Suite 8
DH
D-helper Web Driver
Fish Tycoon (remove only)
HijackThis 1.99.1
Internet Explorer Q891781
Koala Lumpur: Journey to the Edge
Kurzweil 3000 v.6
Macromedia Flash Player 8
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft VGX Q833989
MSN Messenger 7.0
Outlook Express Q837009
Power Scan
QuickTime for Windows (16-bit)
Select CashBack
SideFind
Spybot - Search & Destroy 1.3
The BullsEye Network
TSA
Uninstall 180search Assistant
Win-dh
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q890175 Update
Windows Messaging Update 1
WinZip Self-Extractor
YourSiteBar






There is the uninstall list. This was a school computer, by the way.
Title: highjack this log
Post by: guestolo on January 24, 2006, 09:03:25 PM
I don't recognize DH in the uninstall list, it may be DealHelper, one you don't want on the computer

Can you do the following please
Access your add/remove programs via control panel
Remove all the following if you can

D-helper Web Driver
Power Scan
Select CashBack
SideFind
The BullsEye Network
TSA
Uninstall 180search Assistant
Win-dh
YourSiteBar

Also remove DH if you don't recognize it

Reboot the computer afterwards

Back in Windows

Download and Install Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet

==Download CWShredder.exe (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe) and save to your desktop, don't run yet

Please print these instructions or save them to a notepad file on the desktop
Close all browser windows, including this one

Double click on CWShredder.exe to open it>>Click "I Agree"
Then click the FIX button
Let it run a scan and fix what it finds
Exit after

Open Ad-Aware
Click START
Click the radio button to "Smart system scan" then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
Click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button

RESTART your computer to finish the cleaning process

Back in windows
The version of Spybot you have is outdated
Please access your add/remove programs and remove
Spybot - Search & Destroy 1.3
Reboot the computer if prompted

Back in Windows
Download and Install Spybot 1.4 from
HERE (http://www.download.com/3000-2144-10122137.html?part=104443&subj=dlpage&tag=button)
or HERE (http://www.safer-networking.org/en/download/index.html)

After installation--Click the UPDATE button on the left
SEARCH FOR UPDATES on the right
Check all boxes and then download all updates
After update is complete
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Click the "Search & Destroy" button on the left
"Check for Problems"---When the Scan is complete
FIX all selected problems in RED

RESTART the computer to finish any cleaning process

Come back here and post a fresh hijackthis log
Title: highjack this log
Post by: jen3ca on January 24, 2006, 11:07:06 PM
Hi,

I am now working on my laptop because I was doing what you just asked me to do, but while I was uninstalling the things you asked me to uninstall, the computer asked me to restart it, so I did. When I got to the desktop, all I can see is the background picture and a box telling me Explorer has performed an illegal operation and will be shut down. Under Details it says "explorer caused an invalid page fault in module explorer.exe at 0617:00401f31." When I click on Close, the box goes away but nothing else happens. It says this every time I restart the computer.
Title: highjack this log
Post by: guestolo on January 24, 2006, 11:42:12 PM
Microsoft has a write up on this problem
Most likely due to the malware on the computer
No AV or anti-spyware software will do this
I would like to try something
Reboot the computer
After the single post beep start tapping the F8 key on your keyboard
to bring you to the startup menu
At the startup menu select "Command Prompt Only"
Hit Enter on the keyboard

At the C> prompt type this in exactly

scanreg /restore

notice the single space after the g>>>Just before the /
Hit Enter on the keyboard
Select a date just before this happened

Allow the computer to reboot back to normal after

If that gets Explorer.exe running again come back here and post a fresh hijackthis log

Which program was it that you last uninstalled, that asked you to reboot?
Title: highjack this log
Post by: jen3ca on January 25, 2006, 04:06:51 PM
If I press the F8 button before, it says 301 keyboard error. If I press F8 after the beep, it doesn't do anything, and I can't get it to go to the startup menu.
Title: highjack this log
Post by: jen3ca on January 25, 2006, 05:27:29 PM
I got Windows to work again on the other computer, but I can't get it to connect to the internet. It says the line is busy, but when I plug the laptop into the same jack with a different cord and shut down the other computer, the internet connects right away. I will get a HijackThis log for you of that computer in a bit.
Title: highjack this log
Post by: jen3ca on January 25, 2006, 07:04:21 PM
Here is the HijackThis log you wanted:
Logfile of HijackThis v1.99.1
Scan saved at 6:23:18 PM, on 1/4/80
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu (http://\"http://server224.smartbotpro.net/7search/?new-hkcu\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm (http://\"http://server224.smartbotpro.net/7search/?new-hklm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm (http://\"http://default-homepage-network.com/start.cgi?new-hklm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.5 makethemcry.com
O1 - Hosts: 127.0.0.5 loudcash.com
O1 - Hosts: 127.0.0.5 iframestat.com
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 hqcash.com
O1 - Hosts: 127.0.0.5 verybigcash.com
O1 - Hosts: 127.0.0.5 makethemcry.com
O1 - Hosts: 127.0.0.5 moviepartnership.com
O1 - Hosts: 127.0.0.5 callmachine.com
O1 - Hosts: 127.0.0.5 regcash.com
O1 - Hosts: 127.0.0.5 toolbarpartner.com
O1 - Hosts: 127.0.0.5 klikrevenue.com
O1 - Hosts: 127.0.0.5 p2dll.com
O1 - Hosts: 127.0.0.5 t73.com
O1 - Hosts: 127.0.0.5 www.makethemcry.com
O1 - Hosts: 127.0.0.5 www.loudcash.com
O1 - Hosts: 127.0.0.5 www.iframestat.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.hqcash.com
O1 - Hosts: 127.0.0.5 www.verybigcash.com
O1 - Hosts: 127.0.0.5 www.makethemcry.com
O1 - Hosts: 127.0.0.5 www.moviepartnership.com
O1 - Hosts: 127.0.0.5 www.callmachine.com
O1 - Hosts: 127.0.0.5 www.regcash.com
O1 - Hosts: 127.0.0.5 www.toolbarpartner.com
O1 - Hosts: 127.0.0.5 www.klikrevenue.com
O1 - Hosts: 127.0.0.5 www.p2dll.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YS2.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")

The last thing I deleted before my computer messed up last night was the TSA.
Title: highjack this log
Post by: guestolo on January 25, 2006, 10:49:55 PM
Can you do the following
If you can transfer the following programs from one computer to the next
Download Hoster.zip (http://www.funkytoad.com/download/hoster.zip)
Save it to transfer to the infected computer

==Download CWShredder.exe (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe)
Save it and transfer it to the infected computer

Locate the Hoster folder , open it and double click on Hoster.exe
Click on Restore Original Hosts
In the confirmation window, click on OK.

Run CWShredder and run the FIX please
Reboot the computer when it's done

Are you back online?

If so post back here, still more work to do
If not, please do the following
Run the fix supplied at THIS LINK (http://www.bu.edu/pcsc/internetaccess/winsock2fix.html)
Make sure you follow the instructions

Post back a fresh hijackthis log afterwards
Title: highjack this log
Post by: jen3ca on January 25, 2006, 10:50:38 PM
I figured out it was the SideFind thing that messed my computer up when I deleted it.
Title: highjack this log
Post by: guestolo on January 25, 2006, 10:54:43 PM
Can you possibly try the above fixes please I posted just before your last reply
Make sure you transfer the programs from one computer and save them to the other

Remember to transfer by copying them and pasting them to the infected computer
You don't want to run them from a CD, Floppy or USB drive
Title: highjack this log
Post by: jen3ca on January 26, 2006, 12:57:49 AM
Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:48:41 AM, on 1/4/80
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")

The computer connects to the internet, but the internet pages say "this page cannot be displayed".
Title: highjack this log
Post by: guestolo on January 26, 2006, 01:45:30 AM
Forgot about something>>First go to Start>>run>>type in
Scanregw.exe
Hit OK
Let it create a backup

Make sure you go back to Add/remove programs and try removing
I assume you ended with trying to remove TSA
Did you uninstall these entries?
Uninstall 180search Assistant
Win-dh
YourSiteBar

If not
First uninstall
Uninstall 180search Assistant and then reboot the computer
Does that get you back online?

Hold off on this part:
Download LSPFix.exe  (http://\"http://\")
and save it to the desktop of the infected computer
Open LSPFix and let me know what you see on the KEEP side
Also, let me know what you see on the REMOVE side
Title: highjack this log
Post by: jen3ca on January 26, 2006, 01:37:17 PM
TSA and SideFind would not delete.
The link to the thing you wanted me to download will not work.
I will not be back online for a couple of days.
Title: highjack this log
Post by: guestolo on January 27, 2006, 12:23:44 AM
LSPFIX.exe link
http://www.cexx.org/lspfix.htm

Besides those 2 entries in add/remove programs, everything else is uninstalled?
Title: highjack this log
Post by: jen3ca on January 27, 2006, 11:57:30 AM
Yeah, I'm pretty sure everything else was uninstalled, and in LSPFix there was nothing in the Remove side, but in the Keep side there were three things: mr.20.dll (dns name server provider), msafd.dll (protocol handler), rspvp.dll (protocol handler). That's it.
Title: highjack this log
Post by: guestolo on January 28, 2006, 01:06:26 AM
So I am safe to assume you never did the following?
Run the fix supplied at THIS LINK (http://www.bu.edu/pcsc/internetaccess/winsock2fix.html)
Make sure you follow the instructions EXACTLY as posted
Title: highjack this log
Post by: jen3ca on January 28, 2006, 08:13:15 PM
I did the fix and everything else you told me to. It's still not working, and it also won't connect anymore.
Title: highjack this log
Post by: jen3ca on January 29, 2006, 12:39:30 AM
Logfile of HijackThis v1.99.1
Scan saved at 12:36:18 AM, on 1/4/80
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu (http://\"http://server224.smartbotpro.net/7search/?new-hkcu\")
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm (http://\"http://server224.smartbotpro.net/7search/?new-hklm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm (http://\"http://default-homepage-network.com/start.cgi?new-hklm\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: BAHelper Class - {A3FDD654-A057-4971-9844-4ED8E67DBBB8} - C:\PROGRAM FILES\SIDEFIND\SFBHO.DLL
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\SYSTEM\MSBE.DLL (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\YS2.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\PROGRAM FILES\SIDEFIND\SIDEFIND.DLL (file missing)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")

I got the computer to connect to the internet and view the web pages, so here is an updated HijackThis log, and I am going to be downloading and installing Spybot Search & Destroy and Ad-Aware SE Personal like you asked.
Title: highjack this log
Post by: jen3ca on January 29, 2006, 02:26:04 AM
I have installed Ad-Aware SE Personal, updated it and scanned the computer with it, removing the critical objects.
Here is another fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:18:36 AM, on 1/4/80
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")

Here is also another HijackThis uninstall list as well:

Logfile of HijackThis v1.99.1
Scan saved at 2:18:36 AM, on 1/4/80
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ (http://\"http://www.google.ca/\")
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab (http://\"http://chat.msn.com/controls/msnchat45.cab\")
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab (http://\"http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab\")
Title: highjack this log
Post by: guestolo on January 29, 2006, 11:53:35 AM
Sorry for the delay
Nice to see you got this computer back online

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot the computer

Back in Windows
One part of your log reads this
Scan saved at 2:18:36 AM, on 1/4/80
The date is always the same
Are you able to set the clock on this computer to the right date and time?
I would still run Spybot 1.4

In addition
Use Internet Explorer and Run the online Panda ActiveScan (http://www.pandasoftware.com/products/activescan?NRMODE=Published&NRORIGINALURL=%2factivescan.htm&NRNODEGUID=%7b3B202047-35D4-4DA2-B310-B1DBEC2971F2%7d&NRCACHEHINT=Guest)
    * Once you are on the Panda site click the Scan your PC button.
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete
 click See Report, then click Save Report and save it to your Desktop.

Post back this report along with a fresh hijackthis log
Title: highjack this log
Post by: jen3ca on February 07, 2006, 07:20:42 PM
please help
sorry it has taken me so long to respond to your last post
my computer will no longer let me view webpages again. all i
did was restart the computer and since then i haven't been able to
view internet pages the modem is working again for now.
i get the message the web page could not be displayed
dns error or cannot find server

i was not able to do a panda scan on my computer because the computer stopped working
again.

thanks for all your help
Title: highjack this log
Post by: guestolo on February 08, 2006, 10:04:10 AM
I'm on my way to work
But I do notice you have ICS enabled on the computer
Are you sharing a connection or is this comp. on its own dedicated line
Maybe this setting was enabled from the school?
Geesh, I'm not much help with dialup

But take a look at this link please
http://www.dewassoc.com/support/networking/ics_4.htm

an updated hijackthis log would be nice to see
I wish you would have run that scan at Panda's
or we should get an AV on this system
Title: highjack this log
Post by: jen3ca on February 08, 2006, 12:45:10 PM
the computers were networked for the school when i brought
the computer home i got the internet working im not sure if i disabled the internet connection sharing before or after it stopped working. so here is what im going to do:
im going to setup the internet connection sharing again by following the instructions
if that works then ill let you know and post a fresh high jack this log. if it doesnt work ill let you know too and post a high jack this log
if it does work i will immediately do a panda scan
thanks
Jen
Title: highjack this log
Post by: jen3ca on February 08, 2006, 03:25:47 PM
ok so that didnt work
what do i do now?
im so sick of computers
Title: highjack this log
Post by: guestolo on February 08, 2006, 10:10:51 PM
So does this mean you're not going to show me an updated hijackthis log?

Also, do you need ICS enabled or can you uninstall it if you have a dedicated line for it
You are on dialup aren't you?
Title: highjack this log
Post by: jen3ca on February 09, 2006, 12:05:54 AM
when i try to close the dial up connection box a error comes up saying

The ATRT data you are trying to
access resides on a network
drive. Please make sure that the
drive containing ATRT data is
mapped to the drive 'H'. The mapped
drive letter can be changed if
necessary. Please refer to the
Site/Network Supplement or
contact your network administrator.

here is the high jack this log you wanted:

Logfile of HijackThis v1.99.1
Scan saved at 11:43:33 PM, on 2/8/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\AQFHSN.EXE
C:\WINDOWS\SYSTEM\JSCVMD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [D0u9] C:\DSKPDR.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\AQFHSN.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\JSCVMD.exe
O4 - HKLM\..\Run: [f3087ngt] C:\WINDOWS\SYSTEM\f3087ngt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKCU\..\Run: [QKOR] C:\PROGRAM FILES\COMMON FILES\QKOR\QKORM.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
Title: highjack this log
Post by: guestolo on February 09, 2006, 12:07:16 AM
How did you allow yourself to get infected again
Run updated scans with Ad-Aware and Spybot
Reboot the computer in between

Can you do the following once again
Open Hijackthis>>Open Misc tools section>>Open Uninstall List
Click the SAVE list button
Post this list back here please

Why does your log make it appear you did run a scan at Panda's

What's going on Jen3ca?
Do you have a report from Panda's
You have entries in your hijackthis log that show the infections possibly hijack your connection
This is probably the reason for your loss of Internet
Title: highjack this log
Post by: jen3ca on February 09, 2006, 01:39:00 AM
i started a scan on the panda website then i had to go work so cancelled the scan and turned the computer thinking id be able to get back online again. when i got back i couldnt get back online so i attempted to get a scan log from panda but was unsuccessful

my computer now has a boot sequence error and it wont go to windows

i dont know how i got infected again
this computer is driving me crazy

i cannot update any of the programs because it says it cannot connect to (or find) the server
Title: highjack this log
Post by: jen3ca on February 09, 2006, 07:29:24 PM
hey
good news, there is no more boot sequence error i have no idea how i fixed it but my computer will turn on now and go into windows
i still need your help with the rest of the computer
what should i do next?
Title: highjack this log
Post by: guestolo on February 09, 2006, 08:43:20 PM
Open Hijackthis>>Open Misc tools section>>Open Uninstall List
Click the SAVE list button
Post this list back here please
Are you connected to the Internet now?
Title: highjack this log
Post by: jen3ca on February 09, 2006, 11:08:12 PM
i can connect to the internet but i still cant view the webpages
here is the uninstall list you wanted

Ad-Aware SE Personal
Adobe Acrobat 5.0
ArcSoft PhotoStudio 2000
Caere Scan Manager 5.1
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
Conexant HCF V.90/56K Modem
Corel WordPerfect Suite 8
HijackThis 1.99.1
Internet Explorer Q891781
Kurzweil 3000 v.6
LiveAdvisor (Symantec Corporation)
LiveUpdate
Macromedia Flash Player 8
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft VGX Q833989
Mozilla Firefox (1.5)
Norton AntiVirus 2000
Outlook Express Q837009
Panda ActiveScan
Select CashBack
Spybot - Search & Destroy 1.4
Win-dh
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q890175 Update
Windows Messaging Update 1
WinZip
Title: highjack this log
Post by: guestolo on February 09, 2006, 11:53:01 PM
Going by your last Hijackthis log
Can you download and save the removal tool from Symantec's
FixBargainBuddy.exe (http://www.symantec.com/avcenter/venc/data/adware.bargainbuddy.html)
It's a small download, if you don't have internet connection
It's small enough to fit on a floppy
Transfer it to the computer with no connection, don't run it from the floppy

Run FixBargainbuddy.exe, let it finish its scan
Reboot the computer

Back in Windows
Can you do the following please
Open Hijackthis>>Open Misc tools section>>Open Process manager
Highlight and kill these processes if running
C:\WINDOWS\SYSTEM\AQFHSN.EXE
C:\WINDOWS\SYSTEM\JSCVMD.EXE


Afterwards, click BACK under 'Other Stuff'

Do a "SCAN" with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [D0u9] C:\DSKPDR.EXE
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\AQFHSN.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\JSCVMD.exe
O4 - HKLM\..\Run: [f3087ngt] C:\WINDOWS\SYSTEM\f3087ngt.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [IST Service] \ISTsvc\istsvc.exe
O4 - HKCU\..\Run: [QKOR] C:\PROGRAM FILES\COMMON FILES\QKOR\QKORM.EXE


After you have ticked the above entry, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Access your add/remove programs via control panel and remove the following
Win-dh
Select CashBack


Run FixBargainbuddy.exe again
Reboot the computer
Back in windows
Locate the Hoster folder , open it and double click on Hoster.exe
Click on Restore Original Hosts
In the confirmation window, click on OK.

Find and send the next files or folders to the recycle bin
FILES
C:\DSKPDR.EXE
C:\WINDOWS\SYSTEM\AQFHSN.exe
C:\WINDOWS\SYSTEM\JSCVMD.exe
C:\WINDOWS\SYSTEM\f3087ngt.exe
FOLDERS
c:\program files\180solutions
C:\Program Files\BullsEye Network
C:\Program Files\ISTsvc
C:\PROGRAM FILES\COMMON FILES\QKOR

Post back a fresh hijackthis log afterwards
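
The comparison behind the reply above (which autorun entries are new since an earlier log, and which of them already have a process running) can be scripted. This is an added example, not part of the original post and not HijackThis code; the two log excerpts are constructed from lines posted in this thread, and the function names and the match-by-file-name rule are assumptions made for the illustration.

```python
import ntpath
import re
from typing import List, NamedTuple, Set, Tuple

# Constructed input: a few lines copied from the earlier log in this thread.
BASELINE_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
"""

# Constructed input: a few lines copied from the 2/8/06 log in this thread.
LATER_LOG = r"""
Running processes:
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\AQFHSN.EXE
C:\WINDOWS\SYSTEM\JSCVMD.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE

O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [D0u9] C:\DSKPDR.EXE
O4 - HKLM\..\Run: [version] C:\WINDOWS\SYSTEM\AQFHSN.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\SYSTEM\JSCVMD.exe
O4 - HKLM\..\Run: [msxct] msxct.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [QKOR] C:\PROGRAM FILES\COMMON FILES\QKOR\QKORM.EXE
"""

# "O4 - <registry key>: [<value name>] <command line>" (registry Run keys only;
# O4 Startup-folder entries use a different layout and are skipped here).
O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# The program part of a command line: a quoted path, or everything up to the
# first executable extension (unquoted paths may contain spaces).
IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.(?:exe|com|bat|scr|pif|dll))\b)', re.I)


class Autorun(NamedTuple):
    key: str
    name: str
    command: str

    @property
    def image(self) -> str:
        """Lower-cased file name of the program the entry starts."""
        m = IMAGE_RE.match(self.command)
        path = (m.group(1) or m.group(2)) if m else self.command.split()[0]
        return ntpath.basename(path).lower()


def parse_log(text: str) -> Tuple[Set[str], List[Autorun]]:
    """Return (file names of running processes, O4 registry autoruns)."""
    running: Set[str] = set()
    autoruns: List[Autorun] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        if in_procs:
            if not line:
                in_procs = False  # a blank line ends the process list
            else:
                running.add(ntpath.basename(line).lower())
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append(Autorun(m["key"], m["name"], m["cmd"]))
    return running, autoruns


def new_autoruns(baseline: str, later: str) -> List[Tuple[Autorun, bool]]:
    """Autoruns present in `later` but not in `baseline`, each paired with a
    flag saying whether a process with the same file name is running.
    Matching is by file name only (an assumption): the logs mix 8.3 short
    paths and long paths, so full paths cannot be compared directly."""
    _, before = parse_log(baseline)
    running, after = parse_log(later)
    seen = {(a.key.lower(), a.name.lower(), a.command.lower()) for a in before}
    return [(a, a.image in running) for a in after
            if (a.key.lower(), a.name.lower(), a.command.lower()) not in seen]


if __name__ == "__main__":
    for entry, is_running in new_autoruns(BASELINE_LOG, LATER_LOG):
        state = "RUNNING" if is_running else "not running"
        print(f"{entry.key:<18} [{entry.name}] {entry.command}  ({state})")
```

A new entry is a change to review, not a verdict: on these excerpts the Norton Auto-Protect line is flagged alongside the adware entries because it was also added between the two scans.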
Title: highjack this log
Post by: jen3ca on February 10, 2006, 01:21:18 PM
here is the high jack this log

Logfile of HijackThis v1.99.1
Scan saved at 12:52:56 PM, on 2/10/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\IRMON.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Norton eMail Protect] C:\PROGRAM FILES\NORTON ANTIVIRUS\POProxy.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
Title: highjack this log
Post by: jen3ca on February 10, 2006, 03:14:40 PM
i forgot to mention earlier that i still can't view webpages
but i can connect to the internet
Title: highjack this log
Post by: guestolo on February 11, 2006, 03:02:47 PM
Is this happening with both IE and Firefox?

Can you try the following and see if it helps
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
Paste to the empty notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop of the computer that won't display web pages
Ensure to save REGEDIT4 and below in the code box

 
Code:
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search]
"SearchAssistant"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"
"CustomizeSearch"="http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/intl/searchpane/en-au/prov2.htm"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchUrl]
""="http://home.microsoft.com/access/autosearch.asp?p=%s"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\main]
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"Search Bar"="http://search.msn.com/spbasic.htm"
"Use Custom Search URL"=dword:00000000

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix]
@="http://"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes]
"ftp"="ftp://"
"gopher"="gopher://"
"home"="http://"
"mosaic"="http://"
"www"="http://"


Delete the contents of your temp folders, use CCleaner, don't clean the registry, just temp directories

go to start>>run>>type in the following commands and click OK after each

regsvr32 softpub.dll
regsvr32 wintrust.dll
regsvr32 initpki.dll
regsvr32 dssenh.dll
regsvr32 rsaenh.dll
regsvr32 gpkcsp.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
regsvr32 cryptdlg.dll

Double click on fix.reg and allow to add/merge to the registry

Reboot the computer
Back in Windows
Don't open the browser yet
Instead
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Title: highjack this log
Post by: jen3ca on February 12, 2006, 11:32:49 PM
it didnt work

the following said Load Library ("slbcsp.dll") failed. GetLastError returns 0x00000485

regsvr32 dssenh.dll
regsvr32 sccbase.dll
regsvr32 slbcsp.dll
Title: highjack this log
Post by: guestolo on February 12, 2006, 11:36:36 PM
Quote
Is this happening with both IE and Firefox?

Did you do the rest of what I posted????

You can try and repair IE
Go into the Add/remove programs
Find Internet explorer
Highlight it and click uninstall, follow the prompts to run the Repair

Reboot the computer afterwards
Title: highjack this log
Post by: jen3ca on February 13, 2006, 12:36:24 PM
sorry it happens in both firefox and internet explorer
yes i did the rest of the post as well im going to try and repair internet explorer now
Title: highjack this log
Post by: jen3ca on February 13, 2006, 05:15:48 PM
it didnt work
now what?
Title: highjack this log
Post by: guestolo on February 13, 2006, 05:43:31 PM
Quote
it didnt work
now what?
Since I'm not a mind reader, I'll have to ask some questions to see if you at least tried again on your own to see if you can get this machine to view web pages
I'll try to put in as much effort as you give back

How did you get the computer to view web pages earlier?
Have you checked in your dialup connections properties to see
If you are set to use a proxy or not, it may be trying to force it

I linked you to a few tools earlier, Winsock2 fix and LSP fix, have you tried them again?

Close down all browser windows, disconnect from the Net
Run Winsock2>>ONLY from the Desktop
Double click on the w2fix file on your Desktop and follow the on-screen instructions. You will be prompted to reboot your computer twice before the fix is complete.

You recently installed a very old version of Norton's
You could try uninstalling it from Add/Remove programs completely and see if this resolves your problem
We'll get you a more up to date AV if you can get this computer online

You could also try removing ICS
Reinstall only if needed
http://www.homenethelp.com/web/faq/sharing-ics.asp

Keep me informed, I need more than a Yup or Nope

I would like to see a New hijackthis log and a new Uninstall list from hijackthis
Title: highjack this log
Post by: jen3ca on February 15, 2006, 02:05:25 AM
im back online on the other computer that i have been working on
i got back online by uninstalling the ics then uninstalled and then reinstalled the modem
after that i ran the winsock2fix and now my computer is back online anyway here is the highjack this log
and the uninstall list that you wanted.

Logfile of HijackThis v1.99.1
Scan saved at 2:01:01 AM, on 2/15/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [IrMon] IrMon.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

Ad-Aware SE Personal
Adobe Acrobat 5.0
ArcSoft PhotoStudio 2000
Caere Scan Manager 5.1
Canon CanoCraft CS-P 3.8
Canon ScanGear Toolbox CS 2.2
CCleaner (remove only)
Conexant HCF V.90/56K Modem
Corel WordPerfect Suite 8
HijackThis 1.99.1
Internet Explorer Q891781
Kurzweil 3000 v.6
LiveAdvisor (Symantec Corporation)
LiveUpdate
Macromedia Flash Player 8
Microsoft Data Access Components KB870669
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Outlook Express 6
Microsoft VGX Q833989
Mozilla Firefox (1.5)
Outlook Express Q837009
Panda ActiveScan
Spybot - Search & Destroy 1.4
Windows 98 Q823559 Update
Windows 98 Q840315 Update
Windows 98 Q890175 Update
Windows Messaging Update 1
WinZip


I am also going to download the virus program you wanted me to download awhile ago and do a panda scan and update my spybot and other programs.
Title: highjack this log
Post by: jen3ca on February 15, 2006, 02:14:57 PM
here the panda scan log


Incident                                      Status           Location

Adware:adware/cws                             Not disinfected  C:\WINDOWS\Favorites\LIVING\Insurance.lnk
Adware:adware/cws.searchmeup                  Not disinfected  C:\WINDOWS\SYSTEM\paytime.exe
Potentially unwanted tool:application/funweb  Not disinfected  C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Adware:adware/tvmedia                         Not disinfected  C:\WINDOWS\Application Data\tvmknwrd.dll
Adware:adware/clickalchemy                    Not disinfected  C:\WINDOWS\INF\ALCHEM.INF
Adware:adware/gator                           Not disinfected  C:\GatorPatch.log
Adware:adware/secure32                        Not disinfected  C:\secure32.html
Adware:adware/dollarrevenue                   Not disinfected  C:\drsmartload1.exe
Adware:adware/sidesearch                      Not disinfected  C:\PROGRAM FILES\Lycos
Adware:adware/dealhelper                      Not disinfected  C:\WINDOWS\SYSTEM\DealHelper
Spyware:spyware/clipgenie                     Not disinfected  Windows Registry
Spyware:Cookie/2o7.net                        Not disinfected  C:\WINDOWS\Cookies\alc@2o7[2].txt
Adware:Adware/Secure32                        Not disinfected  C:\WINDOWS\SYSTEM\paytime.exe
Adware:Adware/IPInsight                       Not disinfected  C:\WINDOWS\INF\ALCHEM.INF
Potentially unwanted tool:Application/FunWeb  Not disinfected  C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Spyware:Cookie/2o7.net                        Not disinfected  C:\WINDOWS\Cookies\alc@2o7[2].txt
Adware:Adware/DollarRevenue                   Not disinfected  C:\WINDOWS\winsysupd2.exe
Adware:Adware/DollarRevenue                   Not disinfected  C:\WINDOWS\winsysban2.exe
Spyware:Spyware/Clipgenie                     Not disinfected  C:\Program Files\Support Software\SS2.DLL
Adware:Adware/DollarRevenue                   Not disinfected  C:\drsmartload1.exe
Title: highjack this log
Post by: guestolo on February 15, 2006, 11:41:24 PM
Can you do the following please, and nice to hear again you're back online
And your log is looking better

Optionally, not malware but not needed on startup
You can have hijackthis fix checked these entries with all other windows closed
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime

Find and delete the following files or folders in bold please
Let me know which of them you couldn't find

FILES
C:\WINDOWS\Favorites\LIVING\Insurance.lnk
C:\WINDOWS\SYSTEM\paytime.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
C:\WINDOWS\Application Data\tvmknwrd.dll
C:\WINDOWS\INF\ALCHEM.INF
C:\GatorPatch.log
C:\secure32.html
C:\drsmartload1.exe
C:\WINDOWS\winsysupd2.exe
C:\WINDOWS\winsysban2.exe
C:\Program Files\Support Software\SS2.DLL

C:\PROGRAM FILES\Lycos
C:\WINDOWS\SYSTEM\DealHelper

Afterwards
Download and install ONLY one of these free AV's
More than one will cause conflicts
All have a free version
AVG 7 by Grisoft (http://free.grisoft.com/doc/2/lng/us/tpl/v5)

Avast Home Edition by ALWIL (http://www.avast.com/eng/down_home.html)

AntiVir Personal Edition Classic (http://www.free-av.com/antivirus/allinonen.html)


After it is installed run a full system scan and let it clean what it finds
Reboot the computer

*Install SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
After installation, Check for updates and then click the "Enable all protection"
Check for updates every couple of weeks
after every update just simply click the "enable protection on all unprotected items"

Open Spybot 1.4
Click the "Immunize" button on the left>>>OK at the prompt>>Immunize at the top green cross
Please Immunize after every update

I would also recommend that you do a Disk Defragmentor on your system
I feel it's best to do this in safe mode

Post back and let me know how things are running
Title: highjack this log
Post by: guestolo on March 05, 2006, 04:56:13 PM
As these problems appear resolved, I'll lock this topic
Take care :)