

spysherrif problems all around


Name: KFA
Date: December 15, 2005 at 11:48:39 Pacific
OS: windowsXP
CPU/Ram: 70gz 448ram
Comment:

Spysherrif has ended up on my system. It has been removed, but problems continue: homepage is gone as well as my desktop background AND the display menu is completely inactive. I've done a HJT log. Please advise. Many thanks in advance for all assistance.

Still learning, but aren't we all!




Response Number 1
Name: jabuck
Date: December 15, 2005 at 13:34:18 Pacific
Reply:

Post your HT log.



Response Number 2
Name: KFA
Date: December 15, 2005 at 16:19:11 Pacific
Reply:

As requested - here, thanks! KFA


Logfile of HijackThis v1.99.0
Scan saved at 6:16:44 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\ALCXMNTR.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ipsd.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\ntue.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {09F29D3B-C0DF-4EB3-98DF-2A7F14306D2E} - C:\WINDOWS\system32\mshi.dll (file missing)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: Class - {CC2A66A5-539A-852C-FA22-A3BD80E37FC4} - C:\WINDOWS\system32\crtv32.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ualjlu.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [E6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe
O4 - HKLM\..\Run: [E7.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E7.tmp.exe
O4 - HKLM\..\Run: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe
O4 - HKLM\..\Run: [E6.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe
O4 - HKLM\..\Run: [E7.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E7.tmp.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\ntue.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Still learning, but aren't we all!



Response Number 3
Name: jabuck
Date: December 15, 2005 at 17:41:17 Pacific
Reply:

Download Ewido Security Suite, then set it up this way: Ewido Setup Instructions. Reboot into Safe Mode, but wait and run it after running HT again.

Download and run ccleaner to clean out all your temp files. Make sure there is not anything in the recycle bin that you need, as ccleaner will delete recycle bin items unless checked not to do so. Run after Ewido.

Run HT again from Safe Mode, close all windows and browsers except HT, then place a check to the left of the following items and press "fix checked".

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = http://fastsearchweb.com/srh.php?q=%s

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {09F29D3B-C0DF-4EB3-98DF-2A7F14306D2E} - C:\WINDOWS\system32\mshi.dll (file missing)

O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL

O2 - BHO: Class - {CC2A66A5-539A-852C-FA22-A3BD80E37FC4} - C:\WINDOWS\system32\crtv32.dll

O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ualjlu.exe

O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.exe

O4 - HKLM\..\Run: [E6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe

O4 - HKLM\..\Run: [E7.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E7.tmp.exe

O4 - HKLM\..\Run: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe

O4 - HKLM\..\Run: [E6.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe

O4 - HKLM\..\Run: [E7.tmp.exe] C:\DOCUME~1\Owner\LOCALS~1\Temp\E7.tmp.exe

O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\ntue.exe

Set the computer up to view hidden files by going to control panel>folder options>view tab>tick the circle beside "show hidden files and folders" and untick the boxes beside "hide extensions of known file types" and "hide protected system operating files".

Navigate to and delete the following files and folders if found:

C:\WINDOWS\system32\mshi.dll

C:\WINDOWS\system32\crtv32.dll

C:\WINDOWS\System32\ualjlu.exe

C:\WINDOWS\system32\ipsd.exe

C:\WINDOWS\System32\winsys32.exe

C:\WINDOWS\system32\ntue.exe

C:\Program Files\AWS

Go to start>control panel>add/remove programs and uninstall mywebsearch and Weatherbug.

Run Ewido and when the scan has completed, Ewido will create a report.txt file. Click the "Save Report" button on the bottom of the screen and save the log to your desktop in case you need it later.

Please reboot into normal mode and post the Ewido log and HT log after running ccleaner.

Run ccleaner


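As an added example (not part of this thread, and not HijackThis or Ewido code), here is a small Python script that applies the kind of checks behind the fix list above to lines of an HJT 1.99 log: start/search pages served from a res:// DLL in system32, a missing URLSearchHook, nameless or file-missing BHOs, autorun entries in Temp or with Windows-sounding names, Trusted Zone additions, services with an unknown vendor, and the O17 NameServer entries, which the fix list above does not mention. The sample lines are a constructed subset of the posted log plus a few entries a clean machine would also show; the KNOWN_RESOLVERS allowlist and every rule are assumptions, and a hit means "review this entry", not "delete it".

```python
"""Triage a HijackThis 1.99 log: flag entries that match common hijacker patterns.

Added example for this thread; it is not HijackThis code and not the poster's procedure.
Every rule is a heuristic: a hit means "review this entry", never "delete it".
"""
import re
from dataclasses import dataclass

# Assumption: the operator fills this with the resolvers that belong to their
# router/ISP. Any O17 NameServer not listed here is flagged for verification.
KNOWN_RESOLVERS = {"192.168.1.1"}

# Constructed sample: a subset of the log posted above plus a few entries
# (Norton toolbar/service, ccApp) that a clean machine would also show.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jbagk.dll/sp.html#77035%
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {09F29D3B-C0DF-4EB3-98DF-2A7F14306D2E} - C:\WINDOWS\system32\mshi.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [System Update] C:\WINDOWS\System32\ualjlu.exe
O4 - HKLM\..\Run: [E6.tmp] C:\DOCUME~1\Owner\LOCALS~1\Temp\E6.tmp.exe
O4 - HKCU\..\Run: [Microsoft Update] winsys32.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://*.63.219.181.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\system32\ntue.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

RES_DLL = re.compile(r"res://.*?\\system32\\[^/]+\.dll", re.I)   # start/search page served from a DLL
TEMP_PATH = re.compile(r"\\(temp|tmp)\\", re.I)                   # autorun target in a Temp folder
OS_LIKE_NAMES = ("microsoft", "windows", "system")                # entry names that imitate Windows
O4_ENTRY = re.compile(r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)")


@dataclass
class Finding:
    section: str   # HJT section code, e.g. "O4"
    reason: str    # why the entry deserves a look
    line: str      # the original log line


def triage(log_text, known_resolvers=KNOWN_RESOLVERS):
    """Return a Finding for every log line that matches a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        reason = None
        if section in ("R0", "R1") and RES_DLL.search(line):
            reason = "IE start/search page points at a res:// page inside a DLL in system32"
        elif section == "R3" and "is missing" in line:
            reason = "default URLSearchHook removed, typical of search hijackers"
        elif section == "O2" and ("(no name)" in line or "(file missing)" in line):
            reason = "BHO with no name or with its DLL missing"
        elif section == "O4":
            m = O4_ENTRY.search(line)
            name = m.group("name") if m else ""
            cmd = m.group("cmd").strip('"') if m else ""
            if TEMP_PATH.search(cmd):
                reason = "autorun target lives in a Temp directory"
            elif name.lower().startswith(OS_LIKE_NAMES):
                reason = "entry name imitates a Windows component; verify the binary"
            elif "\\" not in cmd:
                reason = "bare filename, resolved through the PATH search; verify which file runs"
        elif section == "O15":
            reason = "site added to the IE Trusted Zone (relaxed security settings)"
            if "*." in line or re.search(r"\d+\.\d+\.\d+\.\d+", line):
                reason += "; wildcard or IP address pattern"
        elif section == "O17":
            servers = [s.strip() for s in line.split("NameServer =")[-1].split(",")]
            unknown = [s for s in servers if s not in known_resolvers]
            if unknown:
                reason = "DNS resolvers not on the allowlist: " + ", ".join(unknown) + " (check against ISP/router)"
        elif section == "O23" and (" - Unknown - " in line or "(file missing)" in line):
            reason = "service with unknown vendor or missing binary"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

To use it on a real saved log, call triage(open("hijackthis.log").read()). The script only reads text; it does not touch the registry or delete anything. The O17 rule deserves attention on the log above: if the NameServer addresses are not the ISP's or the router's, every DNS lookup on the machine is being answered by a third party, and fixing the R1/O4 entries alone will not change that.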

Response Number 4
Name: KFA
Date: December 15, 2005 at 19:48:45 Pacific
Reply:

All done and here you go...

Here's the Ewido log:


ewido security suite - Scan report


+ Created on: 9:00:24 PM, 12/15/2005
+ Report-Checksum: DD8D1DB4

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Ole32ws.Moniker32 -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Ole32ws.Moniker32\CLSID -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Ole32ws.Moniker32\CurVer -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Ole32ws.Moniker32.1 -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Hd -> Spyware.FreshBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Hd\#1# -> Spyware.FreshBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Hd\#2# -> Spyware.FreshBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Hd\#3# -> Spyware.FreshBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Hd\#4# -> Spyware.FreshBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Counter.class-762d722b-21975ff1.class -> Downloader.Small.wv : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-6ce3c96a-6d04253e.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-7e60c2e9-4dccf0b1.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-410e9c06-18ecf95f.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-58581c27-2f1c2056.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5ef20017-538f8440.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-f30ee60-4b516265.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counter.jpg-4e340213-177b0292.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv441.jar-6cf96188-5253986e.zip/Matrix.class -> Downloader.Java.OpenStream.c : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@counter13.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@counter14.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sexlist[2].txt -> Spyware.Cookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\Documents and Settings\Owner\Desktop\1.dat -> Downloader.Small.awa : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\456F72D7-A14E-4FAC-A68E-D32F26\2DC1983E-48E6-4A81-AFE9-3EDCAE -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\456F72D7-A14E-4FAC-A68E-D32F26\F83FAE32-7EA7-4695-9342-40B37C -> Spyware.MyWay : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8BDBF190-21A7-44D4-9161-1CCBCB\0607CCDF-111B-482C-BF26-97E2A4 -> Not-A-Virus.Hoax.SpyWare.a : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\CAC73411-0A05-4580-A0C1-C62847\3C1A23B6-0113-4A25-86CD-20303A -> Spyware.FindSpy : Cleaned with backup
C:\Program Files\Mozilla Firefox\plugins\NPMySrWB.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\desktop.html -> Hijacker.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.PornWare.PopCap.b : Cleaned with backup
C:\WINDOWS\system32\dpam.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\system32\ldr583.dll -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\run509.exe -> Downloader.Small.cat : Cleaned with backup
C:\WINDOWS\system32\sdfdil.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\srpcsrv32.dll -> Downloader.Adload.g : Cleaned with backup
C:\WINDOWS\system32\txfdb32.dll -> Downloader.Adload.g : Cleaned with backup
C:\WINDOWS\system32\upd143.exe -> Downloader.Small.bpz : Cleaned with backup
C:\WINDOWS\system32\upd183.exe -> Dropper.Agent.ii : Cleaned with backup
C:\WINDOWS\system32\winctrl64.exe -> Downloader.Small.awa : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\winstall.exe -> Trojan.Small : Cleaned with backup


::Report End

HijackThis Log:

Logfile of HijackThis v1.99.0
Scan saved at 9:45:51 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\d3ki.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

O2 - BHO: Class - {6292CB7C-CAEA-9541-226F-1C73897C3C39} - C:\WINDOWS\d3ki.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\d3ki.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

The background is still slowly fading from tan to white, no luck there... WHAT else do I need to do?

Many thanks!

KFA

Still learning, but aren't we all!



Response Number 5
Name: jabuck
Date: December 15, 2005 at 20:20:41 Pacific
Reply:

Reboot into safe mode and go to start>control panel>administrative tools>services> scroll down to Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\d3ki.exe and double click it>click the drop down arrow to the far right of "start up type" and select "disable">apply>ok.

Run HT again, close all windows and browsers except HT,place a check beside these items and press "fix checked".

O2 - BHO: Class - {6292CB7C-CAEA-9541-226F-1C73897C3C39} - C:\WINDOWS\d3ki.dll

O4 - HKLM\..\Run: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe

O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\d3ki.exe

Then, while still in safe mode, navigate to these files and delete if found:

C:\WINDOWS\d3ki.dll

C:\WINDOWS\system32\ipsd.exe

Post a new HT log.






Response Number 6
Name: KFA
Date: December 15, 2005 at 20:46:33 Pacific
Reply:

Done. I still have problems with the tan/white blinking screen and who knows what else. Also, I was unable to find C:\WINDOWS\d3ki.dll; I was able to find it as an .exe though.

Here's log:

Logfile of HijackThis v1.99.0
Scan saved at 10:43:44 PM, on 12/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe
C:\WINDOWS\system32\wuauclt.exe

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Still learning, but aren't we all!



Response Number 7
Name: jabuck
Date: December 15, 2005 at 21:30:04 Pacific
Reply:

Download DelDomains.inf from this link http://www.mvps.org/winhelp2002/restricted.htm and run it per the instructions. This will delete the O15's in your log and the registry. Let me know how the computer works after you run it.



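The triage jabuck does by eye in Response 5 (the d3ki.dll BHO, the ipsd.exe Run key, the "Unknown" RPC Helper service) and the O15 Trusted Zone cleanup in Response 7 can be scripted. What follows is an added example, not code from this thread or from HijackThis: it parses the O2/O4/O15/O17/O23 lines of a v1.99 log, flags modules loaded straight out of the Windows directory, every Trusted Zone addition, every service with no identifiable vendor and every nameserver not on an expected list, and compares two logs to show what a fix actually removed. The embedded log excerpts are copied from the logs posted in this thread; EXPECTED_NAMESERVERS and KNOWN_SYSTEM_DIR_BINARIES are assumptions constructed for the example, not facts from the thread. Note that the O17 NameServer lines appear unchanged in every log posted here, and none of the fixes so far touch them.

```python
"""Triage a HijackThis v1.99 log for the entry classes discussed in this thread.

Added example, not part of the thread or of HijackThis. Heuristics only:
a hit means "look closer", not "malicious".
"""
import re
from dataclasses import dataclass

# Assumption (constructed): the resolvers this machine's ISP actually assigns.
# The 69.50.166.94 / 69.31.80.244 pair from the thread's O17 lines is not in it.
EXPECTED_NAMESERVERS = {"192.168.1.1"}

# Assumption (constructed): OEM binaries that legitimately sit directly in
# WINDOWS or System32 on this HP box, so they are not reported as loaders.
KNOWN_SYSTEM_DIR_BINARIES = {"hphmon05.exe", "ps2.exe"}

SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")

_RE_O2 = re.compile(r"^O2 - BHO: .* - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
_RE_O4 = re.compile(
    r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[[^\]]+\] "?(?P<path>[^"]+?\.(?:exe|dll))"?(?:\s.*)?$', re.I)
_RE_O15 = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)$", re.I)
_RE_O17 = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$", re.I)
_RE_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<company>.+?) - (?P<path>.+)$", re.I)


@dataclass(frozen=True)
class Finding:
    section: str  # O2, O4, O15, O17 or O23
    reason: str
    line: str     # raw log line, kept so two logs can be compared


def _suspicious_loader(path: str) -> bool:
    """True for a module loaded directly from WINDOWS or System32 that is not on
    the OEM allowlist; legitimate vendors normally install under Program Files."""
    folder, _, name = path.strip('"').lower().rpartition("\\")
    return folder in SYSTEM_DIRS and name not in KNOWN_SYSTEM_DIR_BINARIES


def _check(line: str):
    """Return a Finding for one log line, or None if it looks benign."""
    if m := _RE_O2.match(line):
        if _suspicious_loader(m["path"]):
            return Finding("O2", "BHO loaded from the Windows directory", line)
    elif m := _RE_O4.match(line):
        if _suspicious_loader(m["path"]):
            return Finding("O4", "Run key launches a binary from the Windows directory", line)
    elif m := _RE_O15.match(line):
        kind = "wildcard Trusted Zone entry" if "*" in m["url"] else "site added to IE Trusted Zone"
        return Finding("O15", kind, line)
    elif m := _RE_O17.match(line):
        rogue = sorted(set(m["servers"].split(",")) - EXPECTED_NAMESERVERS)
        if rogue:
            return Finding("O17", "nameserver(s) outside EXPECTED_NAMESERVERS: " + ", ".join(rogue), line)
    elif m := _RE_O23.match(line):
        if m["company"].strip().lower() == "unknown":
            return Finding("O23", "service with no identifiable vendor: " + m["name"], line)
    return None


def triage(log_text: str) -> list:
    """All findings in a log, in log order."""
    return [f for f in (_check(l.strip()) for l in log_text.splitlines()) if f]


def compare(before_text: str, after_text: str) -> dict:
    """Which flagged lines disappeared between two logs, and which survived."""
    before = [f.line for f in triage(before_text)]
    after = {f.line for f in triage(after_text)}
    return {"fixed": [l for l in before if l not in after],
            "still_present": [l for l in before if l in after]}


# Excerpts copied from the logs in this thread: Response 4 (before the fixes)
# and Response 9 (after the HijackThis fix and the DelDomains.inf run).
LOG_BEFORE = r"""
O2 - BHO: Class - {6292CB7C-CAEA-9541-226F-1C73897C3C39} - C:\WINDOWS\d3ki.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ipsd.exe] C:\WINDOWS\system32\ipsd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O15 - Trusted Zone: http://*.63.219.181.7
O15 - Trusted Zone: http://linktrader.cyberspacehq.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\d3ki.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f.section:<4} {f.reason}")
    print(compare(LOG_BEFORE, LOG_AFTER))
```

Run stand-alone, the comparison reports five flagged lines gone and two still present. The Lexar entry is a vendor HijackThis simply could not identify; the surviving O17 line is the one that matters, because a resolver the machine did not get from its ISP redirects every lookup regardless of what the browser's Trusted Zone says.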

Response Number 8
Name: Josh C.
Date: December 16, 2005 at 08:27:20 Pacific
Reply:

Ad-Aware SE Personal takes care of SpySheriff; I had to deal with it too...

The things that come to those that wait may be the things left behind by those who got there first.



Response Number 9
Name: KFA
Date: December 16, 2005 at 17:45:02 Pacific
Reply:

Thanks all!

jabuck - I got it, ran it, and things look pretty much the same. It said I didn't have to reboot. Any ideas?

New log:

Logfile of HijackThis v1.99.0
Scan saved at 7:44:44 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Still learning, but aren't we all!



Response Number 10
Name: jabuck
Date: December 16, 2005 at 19:12:22 Pacific
Reply:

You mentioned SpySheriff in your earlier post but I can see no evidence of it. Try this desktop cleaner from mosaic1 and if that doesn't get things sorted we'll run through the SpySheriff removal procedure.

This fix is only for XP & Windows 2000

Download and Save Cleandesktop to your computer from this link: http://www.thespykiller.co.uk/files/cleandesktop.exe and double click on the cleandesktop.exe

It will automatically extract to c:\desktopclean where it needs to be to run and will automatically run the cleandesktop.vbs script

If it doesn't open, then go to c:\desktopclean and double click on the cleandesktop.vbs. Do not run any other file from there unless asked to, please.

If you have script blocking enabled you will get a warning about a malicious script wanting to run. Please allow this script to run. It is not malicious.

If you get a message when you first run it, "Can not find script file 'blah blah blah'", then don't worry; just double click the cleandesktop.vbs script again. You sometimes get that message when a script blocker blocks the script.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries returning your normal desktop and context menu functions.

It will restart Explorer.

Once you have performed the big cleanup, each of the other Users on the System needs to be signed in to clean up their desktop and regain the right click.

I have included another vbs to do this. It is named Other Profiles Regfix.vbs

Have each User sign in and run Other Profiles Regfix.vbs
Open C:\ (Go to Start>Run and type C: Press enter) and Open the c:\desktopclean folder. Double click on Other Profiles Regfix.vbs

Explorer will be ended and that user's active desktop registry entries will be repaired. Explorer will be restarted.

To restore the desktop to whatever picture you normally have, right click on a blank part of the desktop & select properties/desktop & select your preferred picture, press apply & then ok to exit, and then press F5.

You will need to do this step for every user account



Response Number 11
Name: KFA
Date: December 16, 2005 at 19:27:24 Pacific
Reply:

So far so good!!!! The only problem is... after I clean the desktop, I get the nice default smooth crystal blue MS background and if I select ANY image for a background it goes back to the eye-wracking tan/white slow blinking screen. Almost there! Any final advice?
Thanks!!!!!
KFA

Still learning, but aren't we all!



Response Number 12
Name: jabuck
Date: December 16, 2005 at 19:44:39 Pacific
Reply:

Go to control panel>display>desktop>customize desktop>web>delete everything except "my current home page">ok



Response Number 13
Name: KFA
Date: December 16, 2005 at 20:55:21 Pacific
Reply:

Thanks!!!!
SO MUCH!!!
Now, I've got this damned PointRoll.com slit of a toolbar at the top of my screen just below my regular toolbar, please advise:

Here's HT log:

Logfile of HijackThis v1.99.0
Scan saved at 10:53:14 PM, on 12/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O23 - Service: Symantec Event Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Still learning, but aren't we all!



Response Number 14
Name: jabuck
Date: December 16, 2005 at 23:02:23 Pacific
Reply:

Run HT again and remove this item unless you use it:

O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll

Then look in Control Panel > Add/Remove Programs for the toolbar and uninstall it if found. It may be similar to these:

MyWay

MyWebSearch

Webhancer

Freshbar

Pointroll



Response Number 15
Name: KFA
Date: December 17, 2005 at 08:06:11 Pacific
Reply:

I found something called Search Extender. I try to remove it and it sends me to a site, SmartFinder; then it sends me to some "site" requesting e-mail and name, and then it says I will be able to uninstall it. That doesn't seem right.

Still learning, but aren't we all!



Response Number 16
Name: jabuck
Date: December 17, 2005 at 09:14:19 Pacific
Reply:

KFA, Click "Start" -> "Run"
Type "regedit" and click OK.

In navigation tree go to

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\SharedTaskScheduler

Then delete all keys in the right panel (just click on each one and press the Delete key).

Then go to

HKEY_CURRENT_USER\software\classes\CLSID\{3F143C3A-1457-6CCA-0A7-7AA23B61E40F}

and delete all keys too.

Restart your PC in Safe Mode and set up the computer to view hidden files: go to Control Panel > Folder Options > View tab, tick the circle beside "show hidden files and folders" and untick the boxes beside "hide extensions of known file types" and "hide protected system operating files".

Run HijackThis and fix this entry if it exists:

O2 - BHO: OsbornTech Popup Blocker - {FF1BF4C7-4E08-4A28-A43F-9D60A9F7A880} - C:\WINDOWS\System32\mshelper.dll

and any R0 & R1 entries relating to smartfinder.biz, and the O13 entries as well.

Go to C:\WINDOWS\system32\ folder.

Find the file mtwirl32.dll and delete it, and then delete C:\WINDOWS\System32\mshelper.dll.



Response Number 17
Name: KFA
Date: December 17, 2005 at 11:04:00 Pacific
Reply:

O.K.
I appreciate all this help. I'm just stumped.
I did not find any of the HKEYs, nor did I find the O2 - BHO or R0/R1 entries (relating to smartfinder.biz), NOR did I have the mtwirl32.dll OR mshelper.dll.
I checked for them and they do not appear to be on the system. Where to now? (Whew... this is a tough one, eh?)
Thanks again
KFA

Still learning, but aren't we all!



Response Number 18
Name: jabuck
Date: December 17, 2005 at 12:32:36 Pacific
Reply:

KFA, install HT in a folder of its own, such as C:\HT. It currently resides on your desktop. We want to do this so that "backups" are easy to locate and reinstall if needed.

If you have to create the new folder, download HT again to it and extract all files from the HT zip folder so that the red T.N.T. sticks (the icon for HT) show in the folder. Once you do this, folders called "backups" will be stored here when you remove items in your HT scan.

Post back when you have done this.



Response Number 19
Name: KFA
Date: December 17, 2005 at 13:01:14 Pacific
Reply:

Done! Thanks, yet again, here it is:

Logfile of HijackThis v1.99.1
Scan saved at 3:00:37 PM, on 12/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Still learning, but aren't we all!



Response Number 20
Name: jabuck
Date: December 17, 2005 at 13:23:28 Pacific
Reply:

Ever so tough; finally found the connection to SpySheriff. Run HT again, close all windows and browsers, place a check beside the following items and press "Fix checked".

O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244

O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244

Download http://noahdfear.geekstogo.com/smitRem.exe and save it to the desktop.

Double-click it and choose Install. This will create a new folder on your desktop with the name smitRem.

Open the smitRem folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

Reboot the computer



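The four O17 lines above are the reason the fix has to touch CCS, CS1 and CS2 together: CurrentControlSet is only an alias for one of the numbered control sets, so an override left in the other set would come back on a "Last Known Good" boot. The script below is an added example, not part of this thread and not part of HijackThis: it parses O17 NameServer lines, flags any resolver outside an allow-list, groups the overrides by interface GUID so the CCS/CS1/CS2 duplication is visible, and also lists "(file missing)" entries like the LxrJD31s.exe one in the first log. The sample text is the thread's own O17 lines plus one constructed benign entry; the allow-list (192.168.1.1 standing in for the router's or ISP's resolver) is an assumption, and a real run would use the addresses the ISP actually hands out.

```python
"""Triage O17 (NameServer) entries in a HijackThis log.

Added example, not part of the thread or of HijackThis. SAMPLE_LOG is the
thread's O17 lines plus one constructed benign entry; the allow-list passed
to report() is an assumption (192.168.1.1 stands in for the router/ISP).
"""
import re
from collections import defaultdict

# Constructed sample: the O17 lines posted in the thread, one benign O17 line
# (assumed router resolver) for contrast, and two "(file missing)" entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{51990ABC-37A3-4262-95E0-184CF1DEB5F5}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS1\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CS2\Services\Tcpip\..\{0AF3EFBE-CB28-46E0-9E07-EF4CC8E0C14E}: NameServer = 69.50.166.94,69.31.80.244
O17 - HKLM\System\CCS\Services\Tcpip\..\{AAAAAAAA-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Lexar JD31 - Unknown - LxrJD31s.exe (file missing)
"""

# Only the per-interface NameServer form of O17 is handled; the Domain= form is ignored.
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\\.\.\\"
    r"(?P<iface>\{[0-9A-Fa-f-]+\}): NameServer = (?P<ns>\S+)$"
)
MISSING_RE = re.compile(r"^(?P<kind>O2\d?) - .*\(file missing\)$", re.IGNORECASE)


def parse_o17(log_text):
    """Return one dict per O17 NameServer line: control set, interface GUID, resolvers."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            entries.append({
                "control_set": m.group("cs"),
                "interface": m.group("iface").upper(),
                "nameservers": m.group("ns").split(","),
                "line": line,
            })
    return entries


def unexpected_resolvers(entries, allowed):
    """Entries whose resolver list contains any address outside `allowed`."""
    allowed = set(allowed)
    return [e for e in entries if not set(e["nameservers"]) <= allowed]


def control_sets_by_interface(entries):
    """Map interface GUID -> set of control sets that carry an override for it.

    An interface listed under CCS, CS1 and CS2 must be fixed in all three:
    CurrentControlSet is an alias for one numbered set, so a copy left in the
    other set survives a 'Last Known Good' boot."""
    by_iface = defaultdict(set)
    for e in entries:
        by_iface[e["interface"]].add(e["control_set"])
    return dict(by_iface)


def missing_file_entries(log_text):
    """O2x lines (BHO, Winlogon Notify, service) whose target file no longer exists.

    Dangling entries are usually residue of something already removed; they are
    not harmful by themselves but belong on the cleanup list."""
    return [l.strip() for l in log_text.splitlines() if MISSING_RE.match(l.strip())]


def report(log_text, allowed):
    """Build the triage lines: FIX per bad O17 entry, NOTE per interface, STALE per missing file."""
    bad = unexpected_resolvers(parse_o17(log_text), allowed)
    lines = [f"FIX   {e['control_set']:<4} {e['interface']} -> {','.join(e['nameservers'])}"
             for e in bad]
    for iface, sets in control_sets_by_interface(bad).items():
        lines.append(f"NOTE  {iface} overridden in {', '.join(sorted(sets))}")
    lines.extend(f"STALE {l}" for l in missing_file_entries(log_text))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, {"192.168.1.1"})))
```

Run it as-is to see the FIX, NOTE and STALE lines for the thread's entries; on a real log, pass the full HijackThis text and the resolver addresses the ISP or router actually hands out. Anything the FIX lines point at is what "Fix checked" removes.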
Response Number 21
Name: jabuck
Date: December 17, 2005 at 13:38:36 Pacific
Reply:

Now, to work on SmartFinder, download Ad-Aware SE and CWShredder (stand-alone version), update them both and run them in Safe Mode and normal mode.



Response Number 22
Name: KFA
Date: December 17, 2005 at 17:45:21 Pacific
Reply:

All done. I still have the "slit" window right above my screen and below my Mozilla toolbar. It has arrows on either end and a small green sliver in the middle; it looks like the very top of a thumbtack. Any idea what this is???? It didn't show up until all my adware phooey began.

The search extender is STILL there and here's where I end up when I try to remove it:

http://looking-for.cc/smartfinder/uninstall/SearchExtender.html

Still learning, but aren't we all!



Response Number 23
Name: jabuck
Date: December 17, 2005 at 18:31:34 Pacific
Reply:

You might try this manual removal method. http://www.safer-networking.com/removeSearchExtender.php



Response Number 24
Name: KFA
Date: December 17, 2005 at 22:04:21 Pacific
Reply:

Well, that took care of that, I think. However, I just tried to set my background to something standard via Windows and, yet again, it denied me that ability and gave me the tan/white slow-blinking background with the thick blue borders around all of my icons. Also, I've still got the slit of a window above my regular window.

I'm still at a loss. I mean, the most serious stuff has been addressed, but it seems clear that there's a lot of residue still. Any ideas? Thanks again!!!
KFA

Still learning, but aren't we all!



Response Number 25
Name: jabuck
Date: December 18, 2005 at 07:24:51 Pacific
Reply:

KFA, you did run the smitRem fix earlier, right? Would you please post a new HT log and a StartupList log? For the StartupList log do a HT scan > Config > Misc Tools > StartupList log. Post an Ewido log.

Now for a newer twist: in case CoolWebSearch is using rootkit technology, download BlackLight from this link http://www.f-secure.com/blacklight/ and post its log.

The log should be on your desktop or root directory (C:\). This is the format for the log file name:
fsbl-<date-and-time>.log

If you have any trouble finding it do a search for fsbl*.log.




Response Number 26
Name: KFA
Date: December 18, 2005 at 08:29:13 Pacific
Reply:

Start Up Log

StartupList report, 12/18/2005, 9:48:03 AM
StartupList version: 1.52.2
Started from : C:\HT\HijackThis.exe
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HT\HijackThis.exe

---------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Owner\Start Menu\Programs\Startup]
HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
Organize.lnk = ?
spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Billminder.lnk = C:\Ron's World\billmind.exe
HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe

---------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

---------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

SunJavaUpdateSched = C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
HPHUPD05 = c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 = C:\WINDOWS\System32\hphmon05.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
Recguard = C:\WINDOWS\SMINST\RECGUARD.exe
ccApp = "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
NAV CfgWiz = c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
PS2 = C:\WINDOWS\system32\ps2.exe
Sunkist2k = C:\Program Files\Multimedia Card Reader\shwicon2k.exe
HPDJ Taskbar Utility = C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
YBrowser = C:\Program Files\Yahoo!\browser\ybrwicon.exe
SBC Yahoo! Connection Manager = "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
IPInSightMonitor 01 = "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
Symantec NetDriver Monitor = C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
MimBoot = C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

---------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

RecordNow! =
BackupNotify = c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
MSMSGS = "C:\Program Files\Messenger\MSMSGS.exe" /background

---------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\HOMEBO~1.SCR
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

---------------------


Enumerating Task Scheduler jobs:

Easy Internet Sign-up.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job
WebReg 20040918231516.job

---------------------

Enumerating Download Program Files:

[{9F1C11AA-197B-4942-BA54-47A8489BB47F}]
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38163.7801851852

[YahooYMailTo Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\ymmapi.dll
CODEBASE = http://download.yahoo.com/dl/installs/ymail/ymmapi.dll

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[PopCapLoader Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\popcaploader.dll
CODEBASE = http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab

---------------------

Enumerating Winsock LSP files:

Protocol #1: SpSubLSP.dll (file MISSING)
Protocol #2: SpSubLSP.dll (file MISSING)
Protocol #3: SpSubLSP.dll (file MISSING)
Protocol #4: SpSubLSP.dll (file MISSING)
Protocol #5: SpSubLSP.dll (file MISSING)
Protocol #11: SpSubLSP.dll (file MISSING)

---------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

---------------------
End of report, 7,614 bytes
Report generated in 0.141 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

HJT Report:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:44 AM, on 12/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\LxrJD31s.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\MSMSGS.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\Program Files\Palm\hotsync.exe
C:\Program Files\interMute\SpamSubtract\SpamSub.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\HT\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_6_0.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] c:\Program Files\Common Files\Symantec Shared\CfgWiz.exe /GUID NAV /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] "C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe"
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.exe" /background
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\hotsync.exe
O4 - Startup: Organize.lnk = ?
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Billminder.lnk = C:\Ron's World\billmind.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Ron's World\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Ron's World\QWDLLS.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_games/popcap/insaniquarium/popcaploader_v6.cab
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Ewido Scan Report:


ewido security suite - Scan report


+ Created on: 10:26:16 AM, 12/18/2005
+ Report-Checksum: FBD25B52

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\2wi0y0fi.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wfk4qkcpgeo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkysgczsgp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@e-2dj6wjkywgd5ofo.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Owner\Cookies\owner@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup


::Report End

BlackLight Report:

12/18/05 09:45:01 [Info]: BlackLight Engine 1.0.30 initialized
12/18/05 09:45:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
12/18/05 09:45:01 [Note]: 7019 4
12/18/05 09:45:01 [Note]: 7005 0
12/18/05 09:45:06 [Note]: 7006 0
12/18/05 09:45:06 [Note]: 7011 1504
12/18/05 09:45:06 [Note]: FSRAW library version 1.7.1014
12/18/05 09:46:42 [Note]: 7007 0

Still learning, but aren't we all!


0

Response Number 27
Name: jabuck
Date: December 18, 2005 at 09:49:27 Pacific
Reply:

It is not a rootkit, but CoolWebSearch is still there.

If you didn't run smitremfix in response #20, run it.

Download the CWS removal tool called AboutBuster (http://www.malwarebytes.org/AboutBuster.zip) and update it, then download this tool called Cleanup (http://www.stevengould.org/software/cleanup/download.html).

Reboot into safe mode. Double click "About:Buster".
Click "Start" to begin the scan.
If prompted to end the Explorer.exe process, click "Yes". Your desktop may disappear --- this is normal.
Allow the program to scan twice, and when complete click "Save Log".
This will create a text file called "AB Logfile.txt" in the folder where About:Buster is saved. Post the log file after running Cleanup.
Exit About:Buster, then open it and run it again to make sure it comes up clean.

From the program screen, click on Options, then the Temporary Files tab at the top.
In the box in the middle delete the entry that says *.bak. Do not change any other settings.
Click "Ok", then "Cleanup!".

Run the desktop cleanup tool again, then go to control panel>display>desktop>customize desktop>web>remove everything except "my current home page". Make a note of what is there and post it.


0

Response Number 28
Name: KFA
Date: December 18, 2005 at 09:56:11 Pacific
Reply:

My computer won't let me open AboutBuster. I keep getting a prompt saying that there's a corrupt database - should I try it from IE?
Thanks,
KFA

PS - I did as requested in #20.

Still learning, but aren't we all!


0

Response Number 29
Name: jabuck
Date: December 18, 2005 at 10:12:38 Pacific
Reply:

Yes try it in IE


0

Response Number 30
Name: KFA
Date: December 18, 2005 at 10:18:21 Pacific
Reply:

Just did. No better luck.

Still learning, but aren't we all!


0

Response Number 31
Name: jabuck
Date: December 18, 2005 at 10:41:54 Pacific
Reply:

Try double clicking the site link>open>extract all or run, whichever works.


0

Response Number 32
Name: KFA
Date: December 18, 2005 at 12:24:54 Pacific
Reply:

Just did it. I don't know what is happening, but I am unable to activate AboutBuster. It's the strangest thing. I was getting help from another site a few days back and they too suggested that product and I'm having the same problems. Perhaps I'm "missing something" and need to be walked through this ever so slowly? Apologies on this, it's just amazingly frustrating. BTW - You've been a wonderful help so far, I appreciate all your efforts and am also anxious to defeat this pest! - KFA

Still learning, but aren't we all!


0

Response Number 33
Name: jabuck
Date: December 18, 2005 at 12:49:15 Pacific
Reply:

KFA, do a search for this file, MSVBVM60.DLL, and make sure you have a copy in the C:\WINDOWS\System32 folder. If you only find it in the I386 folder, copy it to C:\WINDOWS\System32, then try AboutBuster again. Sometimes this is the problem.


0

Response Number 34
Name: jabuck
Date: December 18, 2005 at 13:06:21 Pacific
Reply:

Also, this version of CWS deletes shell.dll, so do a search for it also. If not found, you can get a copy here: http://spywareinfo.com/~merijn/winfiles.html


0

Response Number 35
Name: KFA
Date: December 18, 2005 at 15:43:39 Pacific
Reply:

Here's the latest - - -
MSVBVM60.DLL was already in the system32 folder as well as the i386 . . . SHELL.DLL was in system, shell.dll was in system32 and digital imaging/etc. What next?!

Still learning, but aren't we all!


0

Response Number 36
Name: jabuck
Date: December 18, 2005 at 16:44:22 Pacific
Reply:

One other thing I can think of is .zip file associations. You said you could open the file, meaning zip file? Download this zip file association fix and see if it will open. It's the last one on the page at this link http://dougknox.com/xp/file_assoc.htm


0

Response Number 37
Name: KFA
Date: December 18, 2005 at 17:14:24 Pacific
Reply:

Oh, yes, I can get into the zip file... I went to the link and found the last one, but when I click it, it's a log file. What should I do? Should I save the log and make the edits accordingly?

Still learning, but aren't we all!


0

Response Number 38
Name: jabuck
Date: December 18, 2005 at 17:36:21 Pacific
Reply:

Double click the zip file association fix>click save>in the file name box type zipfolder_fix.reg>save to the desktop. Open it and click merge.


0

Response Number 39
Name: KFA
Date: December 18, 2005 at 17:56:56 Pacific
Reply:

All done! That was actually quite simple. I am CLEARLY out of my league when it comes to this stuff. Thanks! What next?

Still learning, but aren't we all!


0

Response Number 40
Name: jabuck
Date: December 18, 2005 at 18:13:16 Pacific
Reply:

Try opening aboutbuster


0

Response Number 41
Name: KFA
Date: December 18, 2005 at 18:24:04 Pacific
Reply:

That was great! It did it. I mean, I finally got it opened. Here's the log:

AboutBuster 5.1, reference file 33
Scan started on [12/18/2005] at [8:22:16 PM]
-------------------
No Ads Found!
-------------------
Removed File! : C:\WINDOWS\idsdr.dat
Removed File! : C:\WINDOWS\ngnwo.dat
-------------------
Scan was COMPLETED SUCCESSFULLY at 8:23:03 PM


Still learning, but aren't we all!


0

Response Number 42
Name: jabuck
Date: December 18, 2005 at 18:27:53 Pacific
Reply:

Great, go back and follow the procedure in #27 before this thing catches on.


0

Response Number 43
Name: KFA
Date: December 18, 2005 at 18:51:08 Pacific
Reply:

All done. Here's the log list:

AboutBuster 5.1, reference file 33
Scan started on [12/18/2005] at [8:22:16 PM]
-------------------
No Ads Found!
-------------------
Removed File! : C:\WINDOWS\idsdr.dat
Removed File! : C:\WINDOWS\ngnwo.dat
-------------------
Scan was COMPLETED SUCCESSFULLY at 8:23:03 PM


AboutBuster 5.1, reference file 33
Scan started on [12/18/2005] at [8:37:23 PM]
-------------------
No Ads Found!
-------------------
No Files Found!
-------------------
Scan was COMPLETED SUCCESSFULLY at 8:38:08 PM


AboutBuster 5.1, reference file 33
Scan started on [12/18/2005] at [8:38:31 PM]
-------------------
No Ads Found!
-------------------
No Files Found!
-------------------
Scan was COMPLETED SUCCESSFULLY at 8:39:05 PM


AboutBuster 5.1, reference file 33
Scan started on [12/18/2005] at [8:39:47 PM]
-------------------
No Ads Found!
-------------------
No Files Found!
-------------------
Scan was COMPLETED SUCCESSFULLY at 8:40:22 PM


Still learning, but aren't we all!


0

Response Number 44
Name: jabuck
Date: December 18, 2005 at 18:53:45 Pacific
Reply:

And your blinking screen.


0

Response Number 45
Name: KFA
Date: December 18, 2005 at 18:58:58 Pacific
Reply:

Well, I tried to use a jpeg photo as a test for a background and "lo and behold" the blinking screen came back after I selected the photo. In short - it's STILL there, arrrrghhh!!! What next? Thanks!

Still learning, but aren't we all!


0

Response Number 46
Name: jabuck
Date: December 18, 2005 at 19:07:08 Pacific
Reply:

Run the desktop cleaner again in response #10 then:

Go to control panel>display>desktop>customize desktop>web>delete everything except "my current home page">ok.


0

Response Number 47
Name: jabuck
Date: December 18, 2005 at 19:57:43 Pacific
Reply:

GO to Start>run and type "Services.msc" (without quotes) > Ok.

Scroll down and find the service called 'Network Security Service' or 'Remote Procedure Call (RPC) Helper' or 'Workstation NetLogon Service'. If none are present, good; but if found, double-click on it.

In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled >apply>ok. Close services.


0

Response Number 48
Name: jabuck
Date: December 19, 2005 at 06:18:44 Pacific
Reply:

KFA, after reviewing your HT logs (# 19 and 26) it appears that your graphic accelerator didn't start, which would cause the problem that you are having. And as you can tell by looking at the rest of the logs it wasn't running when you had the blinking screen.

If responses 46 and 47 don't work, go to control panel>system>hardware>device manager>click the + sign beside display adapter>right click each item>uninstall>ok.

Restart the computer and windows should reinstall the drivers for the display adapter.


0
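
The checks jabuck makes by hand in #47 and #48 (the O20 Winlogon Notify entry for the display driver that shows "(file missing)", services with no publisher string or a missing binary, and the service names this CWS variant was known to register) can be run over a pasted HijackThis log automatically. The script below is an added example, not something posted in this thread or shipped with HijackThis; its sample lines are copied from KFA's log except the last one, which is constructed (the "(NSS)" internal name and placeholder.exe path are made up).

```python
import re
from dataclasses import dataclass

# Service display names jabuck asks KFA to look for in services.msc (response #47).
CWS_SERVICE_NAMES = {
    "network security service",
    "remote procedure call (rpc) helper",
    "workstation netlogon service",
}

# O20 - Winlogon Notify: <key> - <dll> [(file missing)]
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# O23 - Service: <display> [(<name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))?"
    r" - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    line: str    # the HJT line as posted
    reason: str  # why it deserves a manual look


def triage_hjt(lines):
    """Return one Finding per reason an O20/O23 line should be reviewed by hand."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon; a dangling
            # entry is either an uninstall leftover or a removed pest, and in this
            # thread it also goes with a display driver that never started (#48).
            if m.group("missing"):
                findings.append(Finding(line, f"Winlogon Notify DLL missing: {m.group('dll')}"))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        if m.group("display").lower() in CWS_SERVICE_NAMES:
            findings.append(Finding(line, "service name used by this CWS variant (response #47)"))
        if m.group("owner").lower() == "unknown owner":
            findings.append(Finding(line, "service has no publisher string"))
        if m.group("missing"):
            findings.append(Finding(line, f"service binary missing: {m.group('path')}"))
    return findings


# The first five lines are copied from KFA's log above; the last one is CONSTRUCTED
# to show what a hit on a response #47 service name looks like (the "(NSS)" internal
# name and placeholder.exe path are made up).
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)",
    r"O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe",
    r"O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - LxrJD31s.exe (file missing)",
    r"O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe",
    r"O23 - Service: Network Security Service (NSS) - Unknown owner - C:\WINDOWS\placeholder.exe",
]

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

On KFA's real log the only hits are the igfxcui entry and the Lexar card-reader service, which matches jabuck's reading that the display driver, not a leftover CWS service, is behind the blinking screen.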

Response Number 49
Name: KFA
Date: December 19, 2005 at 19:42:25 Pacific
Reply:

O.K. I'm back great...
I just restepped #10. I'm the only user on this system (it's a home PC), so it was not necessary to have all users do this (was it?)
But, yes, I did the desktop clean up.

Also, #47, none were present.

#48: I did that and my desktop had resorted back to the 8-bit/big icon screen. I reset it. HOWEVER, I did not try to change the background. Should I try it?

Also, I've still got the damned slit window on my Mozilla browser window. Would it be worth uninstalling and reinstalling Mozilla? Is the window attached to that?

Thanks!
KFA

Still learning, but aren't we all!


0

Response Number 50
Name: jabuck
Date: December 19, 2005 at 21:40:30 Pacific
Reply:

KFA, go to response #36 and open the dougKnox link. Start at the bottom (vbs), since you have already done (zip), and run each of the file association fixes. There are a few that are not file association fixes, so don't worry about those.

After that restart the computer allowing 30 seconds for it to power down before you restart it.

Then restart and try to change the background and see if the slit is affected.


0

Response Number 51
Name: KFA
Date: December 20, 2005 at 17:10:06 Pacific
Reply:

I'm back!
Great idea. My desktop IS back to normal. It looks just as I hoped it would.
However, "slit window"? still there...
Is reinstalling Mozilla a good plan?
Thanks!
KFA

Still learning, but aren't we all!


0

Response Number 52
Name: jabuck
Date: December 20, 2005 at 17:51:37 Pacific
Reply:

Usually any toolbars have to be installed via add/remove programs, so if you do not see anything unusual there I believe I would try reinstalling Mozilla, which is a browser I know nothing about. I have a tool somewhere that will allow me to view your add/remove program list, I just can't seem to find it. If I do I'll leave a message here.

Let me know if the reinstall works.


0

Response Number 53
Name: jabuck
Date: December 20, 2005 at 20:58:11 Pacific
Reply:

KFA, for me to view your add/remove program list, open HT (do not run the scan), click open the misc. tools section>click open uninstall manager>click save list>save, and copy that into a post.


0

Response Number 54
Name: KFA
Date: December 21, 2005 at 19:01:00 Pacific
Reply:

Good Day to You!

It's done. Everything seems to be in fine, clean and relatively tidy working order. I reinstalled Mozilla and the mini-window is gone! I believe that, after about a week, you did it. I really appreciate all of your assistance and guidance. Is there any way to send "feedback" or recommendations, or post compliments for your patience and all? Please advise, thanks,
KFA

Still learning, but aren't we all!


0

Response Number 55
Name: jabuck
Date: December 21, 2005 at 20:05:34 Pacific
Reply:

Thank you.

Purge System Restore by shutting it down and restarting it.

To create a new restore point go Start>Run>type "msconfig" without the quotes>ok>Launch System Restore>Tick the circle beside "create a restore point">next>name it anything you wish>Create>home>restart the computer.

Do a google search for "spywareblaster", install it and update it. Best free spyware preventer to me.


0
