My daughter clicked on one of those preference links while chatting with one of her friends and her PC got infected with the Downloader.MsCache and the Trojan.Sinkin Virus. Both virus's were detected by NAV2003 a couple days later when I did my routine system scan. I also ran Adware and Spybot Search and Destroy, It found and removed a bunch of stuff (Comman Name, Bargain Buddy, PAD Lookups by nCase etc). Anyway I wanted to make sure that I got it all so I ran hijackthis. The log is below. Two of the BHO entries (dcycongn.dll, adwqogqq.dll) looked suspect. They did not have a company name defined in the file properties, are not on the WEB either. I believe that these are remants the virus I was infected with. I searched my system to find out what files were created at the same time as these files (within 1 minute of each other. Here is the list 1 - ttil_sbc.exe (Search Bar Cash) 2 - cdt_bbi8016.exe 3 - cnbabie.exe 4 - msgcenter_lminvl.exe (porn kings) 5 - winfavorites.exe 6 - aaa.exe 7 - mslib.dat 8 - mslink32.exe 9 - mslink32.dat 10- dcycongn.dll (IELoader program) 11- adqqogqq.dll HijackThis Log NOTE - The win98 PC connects to the internet using a proxy program WINPROXY installed on a WinXP machine on my home network). Logfile of HijackThis v1.97.7 Scan saved at 11:23:00 PM, on 12/4/2003 Platform: Windows 98 Gold (Win9x 4.10.1998) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\SYSTEM\KERNEL32.DLL C:\WINDOWS\SYSTEM\MSGSRV32.exe C:\WINDOWS\SYSTEM\SPOOL32.exe C:\WINDOWS\SYSTEM\MPREXE.exe C:\WINDOWS\SYSTEM\MSTASK.exe C:\WINDOWS\SYSTEM\SSDPSRV.exe C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.exe C:\WINDOWS\SYSTEM\mmtask.tsk C:\WINDOWS\EXPLORER.exe C:\WINDOWS\TASKMON.exe C:\WINDOWS\SYSTEM\ATICWD32.exe C:\WINDOWS\SYSTEM\ATITASK.exe C:\WINDOWS\SYSTEM\SYSTRAY.exe C:\WINDOWS\STARTER.exe C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.exe C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFTRAY.exe C:\WINDOWS\RunDLL.exe C:\PROGRAM FILES\THE HELPSPOT!\FAWGRD32.exe C:\PROGRAM FILES\THE HELPSPOT!\FA_GD32.exe C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFAGENT.exe C:\PROGRAM FILES\MCAFEE.COM\PERSONAL FIREWALL\MPFCONSOLE.exe C:\WINDOWS\SYSTEM\DDHELP.exe C:\MY DOCUMENTS\DOWNLOAD\SPYWARE\HIJACKTHIS.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.0.0.1:80 F1 - win.ini: run=hpfsched O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: (no name) - {0DEE32FE-A6F0-9C2C-4ECB-4F09CDF36180} - C:\windows\system\dcycongn.dll O2 - BHO: (no name) - {ACCD93E2-0FAD-5F02-0EB4-C71BED2DFC1C} - C:\windows\system\adwqogqq.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe O4 - HKLM\..\Run: [AtiKey] Atitask.exe O4 - HKLM\..\Run: [SystemTray] SysTray.exe O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\Run: [AtiQiPcl] AtiQiPcl.exe O4 - HKLM\..\Run: [appload] C:\PROGRAM FILES\GATEWAY\HPA\BRCDSET.exe O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\MCAFEE.COM\PERSON~1\MPFTRAY.exe O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe O4 - HKLM\..\RunServices: [SSDPSRV] c:\windows\SYSTEM\ssdpsrv.exe O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY O4 - Startup: Windows Guardian.lnk = C:\Program Files\the HelpSpot!\Fawgrd32.exe O4 - User Startup: Windows Guardian.lnk = C:\Program Files\the HelpSpot!\Fawgrd32.exe O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html O9 - Extra button: AIM (HKLM) O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37885.4446412037 O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = bare87lan O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 10.0.0.1

Yes, Fix these two BHO's with HijackThis: O2 - BHO: (no name) - {0DEE32FE-A6F0-9C2C-4ECB-4F09CDF36180} - C:\windows\system\dcycongn.dll O2 - BHO: (no name) - {ACCD93E2-0FAD-5F02-0EB4-C71BED2DFC1C} - C:\windows\system\adwqogqq.dll

Can someone please help me i keep getting random pop up adds and there really annoying i have scanned my computer like 5 times with antivirus but it didnt pick up anything. then i used hijackthis and he is the log Logfile of HijackThis v1.97.7 Scan saved at 9:22:36 AM, on 18/12/2003 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\tcpsvcs.exe C:\WINDOWS\System32\VetMsgNT.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\WINDOWS\System32\wfxsnt40.exe C:\WINDOWS\System32\taskswitch.exe C:\Vet\VetTray.exe C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\mwsvm.exe C:\WINDOWS\System32\ctfmon.exe C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\RUNDLL32.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\PROGRA~1\Altnet\DOWNLO~1\asm.exe C:\WINDOWS\System32\P2P Networking\P2P Networking.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Documents and Settings\user1\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ihug.com.au R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?session=17191669-B621-4374-A5C3-25FC8A0F7658&version_id=18 R3 - URLSearchHook: PerfectNavBHO Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing) O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - (no file) O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file) O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_48.dll O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS\ieasst.dll O2 - BHO: Clear Search - {947E6D5A-4B9F-4CF4-91B3-562CA8D03313} - C:\Program Files\ClearSearch\IE_ClrSch.DLL (file missing) O2 - BHO: NavErrRedir Class - {A045DC85-FC44-45be-8A50-E4F9C62C9A84} - C:\PROGRA~1\PERFEC~1\BHO\PERFEC~1.DLL (file missing) O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file) O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file) O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [VetTray] C:\Vet\VetTray.exe O4 - HKLM\..\Run: [EasyTuneIV] C:\Program Files\Gigabyte\Gigabyte Windows Utility Manager\ET4\ET4Tray.exe O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup O4 - HKLM\..\Run: [KAZAA] C:\Program Files\Kazaa\Kazaa.exe /SYSTRAY O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe O4 - HKLM\..\Run: [CMESys] "C:\Program Files\Common Files\CMEII\CMESys.exe" O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe O4 - HKLM\..\Run: [ClrSchLoader] C:\Program Files\ClearSearch\Loader.exe O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS\mwsvm.exe O4 - HKLM\..\Run: [absr] C:\WINDOWS\mwsvm.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.exe" /background O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM) O9 - Extra button: Related (HKLM) O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM) O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O10 - Hijacked Internet access by New.Net O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install013.exe O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} - http://office.microsoft.com/productupdates/content/opuc.cab O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{5CC31893-4BC0-40D0-A40E-621543BCEE52}: NameServer = 203.56.11.1 203.109.250.50 Please help i dont know what im doing