download . trojan virus removal
|
Original Message
|
Name: VCVC
Date: January 13, 2004 at 21:16:22 Pacific
Subject: download . trojan virus removal
OS: Windows XP Pro
CPU/Ram: P4 / 512
|
Comment: Hi, Can you help me. I have the download.trojan virus as well my System 32 folder opens on log on and when opening Internet Explorer. NAV, Adaware, Spybot, Spyblaster, The Cleaner and Trojan removals no help. Below is Hijack file.

Thank you, VC

Logfile of HijackThis v1.97.7
Scan saved at 12:07:43 AM, on 1/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\System32\KhwX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\KhwX.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Elise Schmelzkopf\Desktop\wpsetup.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\TEMP\_INS0432._MP
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Elise Schmelzkopf\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2EFCCEFF-C0FF-B92A-4A6F-C830F12A3AF0} - C:\WINDOWS\system32\hcsrzhlx.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {ACD26858-725E-317F-DDEB-C704552347B8} - C:\WINDOWS\system32\prnoaokh.dll
O2 - BHO: (no name) - {B2234DFD-DA2B-AB94-0AA2-C0B6B567BC80} - C:\WINDOWS\system32\coniyyan.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [svjjqxef] C:\WINDOWS\nmtzqqrr.exe
O4 - HKLM\..\Run: [iehelper] C:\Program Files\syslaunch.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Pcn67i0.exe
O4 - HKLM\..\Run: [a] C:\WINDOWS\System32\kqjopa.exe
O4 - HKLM\..\Run: [TB_setup] C:\DOCUME~1\ELISES~1\LOCALS~1\Temp\tb_setup.exe /dcheck
O4 - HKLM\..\Run: [j] C:\WINDOWS\System32\hhwtvu.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [HOUF] C:\WINDOWS\HOUF.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [HXIUL.EXE] C:\Program Files\Alset\HelpExpress\Elise Schmelzkopf\HXIUL.EXE
O4 - HKCU\..\Run: [HELPEXP.EXE] C:\Program Files\Alset\HelpExpress\Elise Schmelzkopf\Client\HelpExp.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.200.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.200.4
|
|
Response Number 1
|
Name: Imp
Date: January 14, 2004 at 09:11:35 Pacific
|
Reply: The right program you need right away: Trojan Remover !!! http://www.simplysup.com/tremover/details.html
|
|
Response Number 2
|
Name: Abnormal
Date: January 14, 2004 at 09:43:30 Pacific
|
Reply: Move Hijack This to a permanent directory like c:\program files\hijack this\hijackthis.exe. This way you can undo any changes if something goes wrong.

Please follow these steps, in exactly that order:

Run this uninstaller: http://home01.wxs.nl/~kleyn080/uninst.exe

When done, use the following tool to delete the files themselves: Download Drpepertobackup.exe, save to disk, and double-click the file; it will self-extract to c:\. Find the "C:\drpeper\Find backup and Delete Peper files.vbs" file and double-click it.
http://www.mjc1.com/files/mo/drpepertobackup.exe

A box will appear, copy and paste: KhwX.exe and hit ok.
A second box will appear, copy and paste Pcn67i0.exe and hit ok.

It will find all the files, delete them and will make backups in the same folder. It'll open a text file (Peper.txt) with the list of all files deleted. Post the log files deleted, and also a new hijackthis log.

Good luck
abnormal
|
|
Response Number 3
|
Name: VCVC
Date: January 14, 2004 at 12:54:12 Pacific
|
Reply: Hi, Thanks for the help.

Imp, I tried Trojan Remover but it didn't help.

Abnormal, I downloaded uninst.exe but it didn't open any window, so I don't know if it did anything. I downloaded and ran Drpepertobackup.exe found no KhwX.exe but found Pcn67i0.exe. That log is below and new hijackthis log also. Thanks for your help.

--------------------------
Drpepertobackup log
1/14/2004 3:41:55 PM
C:\WINDOWS\SYSTEM32\Pcn67i0.exe
C:\WINDOWS\SYSTEM32\SbziJQ.exe
C:\WINDOWS\SYSTEM32\Xej7.exe

Logfile of HijackThis v1.97.7
Scan saved at 3:44:29 PM, on 1/14/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {2EFCCEFF-C0FF-B92A-4A6F-C830F12A3AF0} - C:\WINDOWS\system32\hcsrzhlx.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: (no name) - {ACD26858-725E-317F-DDEB-C704552347B8} - C:\WINDOWS\system32\prnoaokh.dll
O2 - BHO: (no name) - {B2234DFD-DA2B-AB94-0AA2-C0B6B567BC80} - C:\WINDOWS\system32\coniyyan.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Xej7.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.146.146
|
|
Response Number 4
|
Name: Abnormal
Date: January 14, 2004 at 13:37:04 Pacific
|
Reply: Put a check mark next to these, fix checked and reboot.

R3 - Default URLSearchHook is missing
O1 - Hosts: 12.129.205.209 search.netscape.com12.129.205.209 sitefinder.verisign.com
O2 - BHO: (no name) - {2EFCCEFF-C0FF-B92A-4A6F-C830F12A3AF0} - C:\WINDOWS\system32\hcsrzhlx.dll
O2 - BHO: (no name) - {ACD26858-725E-317F-DDEB-C704552347B8} - C:\WINDOWS\system32\prnoaokh.dll
O2 - BHO: (no name) - {B2234DFD-DA2B-AB94-0AA2-C0B6B567BC80} - C:\WINDOWS\system32\coniyyan.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Xej7.exe
This is the peper trojan you still have.
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm

After you reboot run cwshredder, click fix not scan.
cwshredder.zip
cwshredder.exe

For the peper trojan leftovers:

Download 2xExplorer: http://gd.tuwien.ac.at/pc/bazar/2xExplorer.zip (right-click on the link and choose "Save Target As"). Unzip 2xExplorer. Double-click and set up the following:

Menu > View > Options > Show hidden files should be checked > ok.
Menu > Tools > Find Files:
Named: *.exe
Look in: (browse or paste in) C:\WINDOWS\System32
Check the following: 'Use Text Constraints', 'Search non-text files' and in the 'Find What' paste: kern32
All other fields leave unchecked!

Hit the 'Find' tab... The scan will run for a few seconds and show the results. Right-click then > print list > right-click > select all > copy and post it.

More info on how to find the peper files: http://www.mjc1.com/files/peperpage/

Post another log when you're done.

Good luck
abnormal
|
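Added example, not part of the original thread and not HijackThis's own logic: in the two logs above, the Run value name 2LRX2W83X2T3MQ is present both before and after the first cleanup pass but points at a different file. This Python script parses the O4 registry autorun lines of two HijackThis logs and reports entries that were removed, added, or kept their value name while launching a new file. The function names are made up for this example, and the sample lines are copied from the first and second logs in this thread.

```python
import re

# An O4 registry autorun line as it appears in the logs above:
#   O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)

# Sample input: O4 lines copied from the first and second logs in this thread.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [svjjqxef] C:\WINDOWS\nmtzqqrr.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Pcn67i0.exe
O4 - HKLM\..\Run: [a] C:\WINDOWS\System32\kqjopa.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
"""
LOG_AFTER = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Xej7.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def autoruns(log_text):
    """Return {(hive, key, value name): command} for the registry O4 lines.

    Startup-folder lines ("O4 - Startup: ...") carry no registry value name
    and are skipped by this example.
    """
    found = {}
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            found[(m["hive"], m["key"], m["name"])] = m["cmd"].strip()
    return found


def compare(before_text, after_text):
    """Diff the registry autoruns of two logs taken before and after a cleanup."""
    before, after = autoruns(before_text), autoruns(after_text)
    return {
        "removed": sorted(k for k in before if k not in after),
        "added": sorted(k for k in after if k not in before),
        # Same value name, different command: the autorun survived the cleanup
        # and now launches another file, so it still needs attention.
        "retargeted": sorted(
            (k, before[k], after[k])
            for k in before
            if k in after and before[k] != after[k]
        ),
    }


if __name__ == "__main__":
    diff = compare(LOG_BEFORE, LOG_AFTER)
    for hive, key, name in diff["removed"]:
        print(f"removed     {hive}\\{key} [{name}]")
    for hive, key, name in diff["added"]:
        print(f"added       {hive}\\{key} [{name}]")
    for (hive, key, name), old, new in diff["retargeted"]:
        print(f"retargeted  {hive}\\{key} [{name}]: {old} -> {new}")
```
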
|
Response Number 5
|
Name: VCVC
Date: January 14, 2004 at 14:36:57 Pacific
|
Reply: Hi Abnormal, I followed your directions and ended with nothing listed in the 2xExplorer results file. Does that mean the computer is clean? Thanks again for the help, VC
|
|
Response Number 7
|
Name: VCVC
Date: January 15, 2004 at 06:46:31 Pacific
|
Reply: Sorry, I forgot, here's the log. Thanks again for the assistance.

Logfile of HijackThis v1.97.7
Scan saved at 9:43:00 AM, on 1/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.sqwire.com/homepage.php?aid=975
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\realbar.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://active.macromedia.com/flash2/cabs/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.146.146
|
|
Response Number 8
|
Name: Abnormal
Date: January 15, 2004 at 09:32:29 Pacific
|
Reply: VCVC,

If you are suddenly getting audio ads out of the blue.. it's probably the new advertising "feature" with the new version of AIM. To stop this, put the sites ads.aol.com, ads.web.aol.com, VTOT.proxy.aol.com and ar.atwola.com in the restricted sites section of Internet Explorer. If you don't know, you can find this under tools, internet options and then security.

ads.aol.com
ar.atwola.com
VTOT.proxy.aol.com
ads.web.aol.com

After you do that, no more audio ads.

Remove these two lines to stop VTOT.proxy.aol.com.

O17 - HKLM\System\CCS\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.146.146
O17 - HKLM\System\CS1\Services\Tcpip\..\{134C3913-96AC-4FCD-855E-B3F698F92BB8}: NameServer = 205.188.146.146

Other than that, you're good to go.

Good luck
abnormal
|
|
Response Number 9
|
Name: VCVC
Date: January 15, 2004 at 15:52:27 Pacific
|
Reply: Thank you Abnormal, I really appreciate all the help. I couldn't have done it without. After a few days of trying I discovered this site and your feedback and assistance pulled me through. Thanks again, VCVC
|
|
Response Number 11
|
Name: Innocent_netuser
Date: January 20, 2004 at 15:13:56 Pacific
|
Reply: When I did the running thing an error came up that said that I can't open it while I'm in system32 mode
|
