

How to re-install Info32.exe?


Original Message
Name: Greensky
Date: September 27, 2003 at 09:07:19 Pacific
Subject: How to re-install Info32.exe?
OS: beats me
CPU/Ram: beats me
Comment:

I get this a lot, where my computer says "couldn't find file 'Info32.exe'". And apparently, without Info32.exe, your internet goes really slow...

I've fixed this problem before, but I couldn't find the thread that explained how to fix this problem, so I'm posting a new topic.

If anyone knows how to fix this Info32.exe file, please let me know.





Response Number 1
Name: Tufenuf
Date: September 27, 2003 at 09:17:52 Pacific

According to the link below which has Removal Instructions your computer may be infected with a Trojan.

BackDoor-DB.svr Removal Instructions

Tufenuf



Response Number 2
Name: Derek
Date: September 27, 2003 at 14:23:05 Pacific

Yep, that file is not a normal Windows file.

Derek



Response Number 3
Name: Tom41
Date: September 28, 2003 at 01:40:25 Pacific

Info32.exe is a new variant of the CoolWebSearch hijacker. CWShredder has just been updated to detect and remove this variant but may not remove all of it. (We haven't gotten copies of all the files involved yet)

Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

HijackThis!



Response Number 4
Name: Greensky
Date: September 28, 2003 at 08:26:59 Pacific

I know that this problem can be fixed manually, by going into a certain directory and deleting the "RUN Info35.exe" command. I've done it before, but I forget which directory it's under.



Response Number 5
Name: Greensky
Date: September 28, 2003 at 08:29:13 Pacific

Also, ever since my hijacking, I haven't been able to download ANY files whatsoever. So I can't download HijackThis! from this computer. I'll have to find another computer, download it there, save it to a disk, and put it into my current computer.




Response Number 6
Name: Tom41
Date: September 28, 2003 at 08:48:44 Pacific

Hi Greensky, this doesn't sound like a simple CoolWeb hijack... more like a virus.
If you can't download Hijack, try this:

First, Click Start > Run > type msinfo32 and click OK.
Click Software Environment, then Startup Programs. Click Edit, Select All, Edit, Copy.
Then paste it to notepad.
Then click on running tasks and do the same.

Then copy and paste it into a reply.



Response Number 7
Name: Greensky
Date: September 28, 2003 at 14:16:15 Pacific

Ok, here's what I got:

WinZip Quick Pick Startup Group "C:\Program Files\WinZip\WZQKPICK.EXE"
GStartup Startup Group "C:\Program Files\Common Files\GMT\GMT.exe" /startup
PowerReg Scheduler V3.exe Startup Group C:\Windows\Start Menu\Programs\StartUp\PowerReg Scheduler V3.exe
run Win.ini info32.exe
ScanRegistry Registry (Machine Run) c:\windows\scanregw.exe /autorun
TaskMonitor Registry (Machine Run) c:\windows\taskmon.exe
SystemTray Registry (Machine Run) SysTray.Exe
LoadPowerProfile Registry (Machine Run) Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
TgAddServer Registry (Machine Run) "C:\@Home\tioga\bin\tgshell.exe" /fds "http:\\www\download\tioga"
RealTray Registry (Machine Run) C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
CC2KUI Registry (Machine Run) C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
QuickTime Task Registry (Machine Run) C:\WINDOWS\SYSTEM\QTTASK.EXE
WinampAgent Registry (Machine Run) "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
EM_EXEC Registry (Machine Run) C:\MOUSE\SYSTEM\EM_EXEC.EXE
WhenUSave Registry (Machine Run) C:\PROGRA~1\SAVE\Save.exe
StillImageMonitor Registry (Machine Run) C:\WINDOWS\SYSTEM\STIMON.EXE
Share-to-Web Namespace Daemon Registry (Machine Run) c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
CMESys Registry (Machine Run) "C:\PROGRAM FILES\COMMON FILES\CMEII\CMESYS.EXE"
P2P NETWORKING Registry (Machine Run) C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
AltnetPointsManager Registry (Machine Run) C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
Tapicfg.exe Registry (Machine Run) \tapicfg.exe
LoadPowerProfile Registry (Machine Service) Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent Registry (Machine Service) mstask.exe

Kernel32.dll 4.10.2222 Microsoft Corporation Win32 Kernel core component C:\WINDOWS\SYSTEM\Kernel32.dll 4.3 Microsoft(R) Windows(R) Operating System
MSGSRV32.EXE 4.10.2222 Microsoft Corporation Windows 32-bit VxD Message Server C:\WINDOWS\SYSTEM\MSGSRV32.EXE 4.0 Microsoft(R) Windows(R) Operating System
Mprexe.exe 4.10.1998 Microsoft Corporation WIN32 Network Interface Service Process C:\WINDOWS\SYSTEM\Mprexe.exe 4.0 Microsoft(R) Windows(R) Operating System
Mstask.exe 4.71.1972.1 Microsoft Corporation Task Scheduler Engine C:\WINDOWS\SYSTEM\Mstask.exe 4.0 Microsoft® Windows® Task Scheduler
MMTASK.TSK 4.03.1998 Microsoft Corporation Multimedia background task support module C:\WINDOWS\SYSTEM\MMTASK.TSK 4.0 Microsoft Windows
Explorer.exe 4.72.3110.1 Microsoft Corporation Windows Explorer C:\WINDOWS\Explorer.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Internat.exe 4.80.3008.1 Microsoft Corporation Internat C:\WINDOWS\SYSTEM\Internat.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Taskmon.exe 4.10.1998 Microsoft Corporation Task Monitor C:\WINDOWS\Taskmon.exe 4.0 Microsoft(R) Windows(R) Operating System
Systray.exe 4.10.2222 Microsoft Corporation System Tray Applet C:\WINDOWS\SYSTEM\Systray.exe 4.0 Microsoft(R) Windows(R) Operating System
Realplay.exe 6.0.9.584 RealNetworks, Inc. RealPlayer C:\PROGRAM FILES\REAL\REALPLAYER\Realplay.exe 4.0 RealPlayer (32-bit)
Cstray.exe 1, 0, 0, 1 Comet Systems cstray C:\PROGRAM FILES\COMET\BIN\Cstray.exe 4.0 Comet Systems cstray
Qttask.exe C:\WINDOWS\SYSTEM\Qttask.exe 4.0
Winampa.exe C:\PROGRAM FILES\WINAMP\Winampa.exe 4.0
Em_exec.exe 8.21.573 Logitech Inc. Control Center C:\MOUSE\SYSTEM\Em_exec.exe 4.0 MouseWare
Save.exe 2, 5, 3, 1 WhenU.com, Inc. Save! C:\PROGRAM FILES\SAVE\Save.exe 4.0 Save!
Stimon.exe 4.10.2222 Microsoft Corporation Still Image Devices Monitor C:\WINDOWS\SYSTEM\Stimon.exe 4.0 Microsoft(R) Windows(R) Operating System
Hpgs2wnd.exe 2,3,0,0\ 161 Hewlett-Packard hpgs2wnd C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\Hpgs2wnd.exe 4.0 Hewlett-Packard hpgs2wnd
P2p networking.exe 1, 23, 10, 40 Joltid Ltd. P2P Networking C:\WINDOWS\SYSTEM\P2P NETWORKING\P2p networking.exe 4.0 P2P Networking
Points manager.exe 1, 0, 0, 108 ( Peer Points Manager C:\PROGRAM FILES\ALTNET\POINTS MANAGER\Points manager.exe 4.0 Peer Points Manager
Wzqkpick.exe 1.0 (32-bit) WinZip Computing, Inc. WinZip Executable C:\PROGRAM FILES\WINZIP\Wzqkpick.exe 4.0 WinZip
Gmt.exe 3.1.2.4 The Gator Corporation Gator Client Application C:\PROGRAM FILES\COMMON FILES\GMT\Gmt.exe 4.0 GAIN
Hpgs2wnf.exe 2, 6, 0, 161 $ hpgs2wnf Module C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\Hpgs2wnf.exe 4.0 hpgs2wnf Module
Pstores.exe 5.00.1877.3 Microsoft Corporation Protected storage server C:\WINDOWS\SYSTEM\Pstores.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Wmiexe.exe 5.00.1755.1 Microsoft Corporation WMI service exe housing C:\WINDOWS\SYSTEM\Wmiexe.exe 4.0 Microsoft(R) Windows NT(R) Operating System
Fdaagent.exe C:\PROGRAM FILES\FREE DOWNLOADS ACCELERATOR\Fdaagent.exe 4.0
Ddhelp.exe 4.08.01.0881 Microsoft Corporation Microsoft DirectX Helper C:\WINDOWS\SYSTEM\Ddhelp.exe 4.0 Microsoft® DirectX for Windows® 95 and 98
Winamp.exe 2.80 Nullsoft Winamp C:\PROGRAM FILES\WINAMP\Winamp.exe 4.0 Winamp
Msinfo32.exe 4.10.2222 Microsoft Corporation MSInfo32 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\MSINFO\Msinfo32.exe 4.0 Microsoft System Information
Notepad.exe 4.10.1998 Microsoft Corporation Windows Notepad application file C:\WINDOWS\Notepad.exe 4.0 Microsoft(R) Windows(R) Operating System



Response Number 8
Name: Tom41
Date: September 28, 2003 at 15:41:04 Pacific


Click Start > Run > type win.ini and click OK.
Edit the Run= Info32.exe line so it reads Run=. (There should be nothing to the right of Run=)

Close the win.ini and save the changes.
Reboot.
Then see if you can download and run CWShredder:
CWShredder



Response Number 9
Name: Greensky
Date: September 29, 2003 at 07:46:49 Pacific

Ok, I did that, and now I'm not getting the "msinfo" message when I log on anymore, but, my internet is still going slow, especially when I try to highlight something or type something into a search (like yahoo, google, ebay etc.). Scrolling down a page is horrible for me now. It used to be smooth and easy, but now it's really rough and slow.

Also, I still cannot download anything at all. So besides fixing the message that I got during start-up, all of my other conditions seem to be here still. And I downloaded CWShredder on another comp and transferred it to this comp. I opened it, it did what it was supposed to, killed registries etc. But it still didn't help with my new internet/typing lag, or my downloading troubles.



Response Number 10
Name: Tom41
Date: September 29, 2003 at 09:08:11 Pacific

Do this. First, check your security settings.
Click Tools > Internet Options > Security tab
For Internet Zone, If it shows "Custom level"
under "Security level for this zone", click the Custom Level button and scroll through the list and make sure "File Downloads" is enabled.

Also:
Click Start > Run > type regedit and click OK.

Click the + next to the following keys:
HKEY_LOCAL_MACHINE
Software
Microsoft
Internet Explorer
Plugins

Scroll down and click on the Extension folder. Is there anything listed other than default in the right hand window? Is there a + sign next to the Extension folder?



Response Number 11
Name: Tom41
Date: September 29, 2003 at 09:12:47 Pacific

Also, uninstall this:
C:\PROGRAM FILES\FREE DOWNLOADS ACCELERATOR



Response Number 12
Name: Tom41
Date: September 29, 2003 at 09:23:15 Pacific

Keep forgetting to ask: what happens when you try to download something? Do you get an error message? Does IE close?



Response Number 13
Name: Greensky
Date: September 29, 2003 at 12:09:40 Pacific

No, nothing happens at all when I try to download something. There used to be a pop up box saying "Open" and "Save", but that doesn't show up anymore...



Response Number 14
Name: Greensky
Date: September 29, 2003 at 12:17:41 Pacific

I tried what you listed above, but I don't seem to have an Extension folder in the Plugins section...



Response Number 15
Name: Greensky
Date: September 29, 2003 at 12:18:49 Pacific

Also forgot to add that my file downloads option was set to "enabled".



Response Number 16
Name: Tom41
Date: September 29, 2003 at 13:15:36 Pacific

Try doing a repair of Internet Explorer.
Go to Add/Remove Programs and double click on Internet Explorer *X and Internet Tools.
Choose the repair option.

* The X will be whatever version of IE you are using.



Response Number 17
Name: Greensky
Date: September 29, 2003 at 14:07:07 Pacific

Sorry, this is probably a stupid question, but where do you find the Add/Remove Program option?



Response Number 18
Name: Stew66
Date: September 29, 2003 at 14:08:51 Pacific

Glad you all are working on this. I started having similar problems this morning. Same error messages. I can download, but IE doesn't work most of the time...wants to go somewhere I've never specified. Anyway, I managed to run HijackThis and got a 5-page log file. What should we be looking for...or you want to see?



Response Number 19
Name: Tom41
Date: September 29, 2003 at 14:39:14 Pacific

Greensky
Click Start > Settings > Control Panel > Add/Remove Programs.

Stew66
To save space, email me your HijackThis log.
Click my name for the email addy.



Response Number 20
Name: Greensky
Date: September 29, 2003 at 15:32:01 Pacific

Yes! I can finally download files again! Thanks a lot Tom!

But my Internet is still slow typing and slow scrolling on pages... It's pretty annoying too. If I can just get rid of this problem, my comp will be back to normal again.



Response Number 21
Name: Derek
Date: September 29, 2003 at 15:44:03 Pacific

Did you manage to get that CWShredder to run? If not try it now.

Derek



Response Number 22
Name: Tom41
Date: September 29, 2003 at 15:46:55 Pacific

Greensky,
Install, update and run Spybot-S&D. Have Spybot fix all red entries it lists.

Spybot



Response Number 23
Name: srw1071
Date: September 30, 2003 at 03:57:23 Pacific

Thank God I've found this thread. Please keep this running to its conclusion... I've got all the same problems. The slow internet access is a real pain. I'll try some of the solutions suggested on this list.
Cheers.



Response Number 24
Name: Greensky
Date: September 30, 2003 at 07:55:30 Pacific

Well, I woke up this morning, only to find that my homepage was set to "about:blank". This happens every single day! I have to re-run CWShredder; it removes the directories and files, and temporarily fixes the problem, but then, the next day, it's all back again. So, that really stinks.

Also, I tried all of the things listed above, but my internet typing, scrolling, and highlighting is still horribly slow. It's not the actual internet that's lagging. It goes to pages fast, loads things fast, but the problem is exactly what I listed above.

I used the Spybot program, to find that I had quite a lot of red files. However, fixing these files didn't seem to fix my problem.

Here's a more detailed description of my typing problem if you think it would help:

My typing is fine on some applications (such as this forum, but not on other forums), but when I type in a search bar, or usually a forum, I type from my keyboard, and the typing cursor moves very slowly across the page (left to right), not showing any letters until it finally stops moving. I would say that it takes about 1 minute to load a normal sentence. It's incredibly frustrating. If I try highlighting something, it'll take about 1 minute to show up, or it simply won't show at all.

If anyone has any more suggestions, I'll be glad to take them.



Response Number 25
Name: Tom41
Date: September 30, 2003 at 10:29:52 Pacific

Hi Greensky,
Download 'Hijack This!'. Unzip, doubleclick HijackThis.exe, and hit "Scan".
When the scan is finished, click "Save Log", and copy and paste it in a reply.

HijackThis!



Response Number 26
Name: Derek
Date: September 30, 2003 at 11:01:54 Pacific

Greensky and others.

Keep posting back. This is obviously turning out to be a difficult nut to crack totally. Tom41 has shown good, solid, sensible support and has my admiration for sticking like glue to this problem. I feel sure this will result in a satisfactory solution. Great work Tom41.

Derek



Response Number 27
Name: Greensky
Date: September 30, 2003 at 14:54:02 Pacific

Logfile of HijackThis v1.97.2
Scan saved at 4:01:03 PM, on 30/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\WINDOWS\SYSTEM\INTERNAT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\WINAMP\WINAMPA.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WND.EXE
C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE
C:\PROGRAM FILES\ALTNET\POINTS MANAGER\POINTS MANAGER.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\HP SHARE-TO-WEB\HPGS2WNF.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ALTNET\DOWNLOAD MANAGER\ASM.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by @Home Network - Version 1.7
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar1.dll
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar1.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [TgAddServer] "C:\@Home\tioga\bin\tgshell.exe" /fds "http:\\www\download\tioga"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [WinampAgent] "C:\PROGRAM FILES\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [EM_EXEC] C:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: Dialpad KR Java Applet - http://www.dialpad.co.kr/applet/vscp.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37587.7910532407
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def



Response Number 28
Name: Richard
Date: September 30, 2003 at 15:06:46 Pacific

This does seem to be a problem. I have the same message on re-boot each day, my IE homepage won't save and I've lost the ability to run a program or two that were CD based.

I'll try the HijackThis option unless anyone else comes up with some other suggestion.

I also seem to be bombarded with messages supposedly from Microsoft. 71 messages so far since Saturday morning with 22 yesterday. Those very few that I have looked at (that was probably a mistake) have totally incomprehensible e-mail addresses. Two for example are osnwaqqnzc@confidence.ms.com. bndedbodtpmbqsl@advisor.msdn.com.

I don't even open any of them now. Any ideas on how to stop them?



Response Number 29
Name: Tom41
Date: September 30, 2003 at 15:51:37 Pacific

Greensky,
1. Uninstall Comet Cursor, Altnet Download Manager and Peer Points.

2. Run HT again and check the following items. (Not all of them may be listed after uninstalling the above.) Next, close all browser windows, and have HT fix all checked.

O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\PROGRAM FILES\MYWAY\MYBAR\1.BIN\MYBAR.DLL
O4 - HKLM\..\Run: [P2P NETWORKING] C:\WINDOWS\SYSTEM\P2P NETWORKING\P2P NETWORKING.EXE /AUTOSTART
O4 - HKLM\..\Run: [AltnetPointsManager] C:\Program Files\Altnet\Points Manager\Points Manager.exe -s
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - Startup: PowerReg Scheduler V3.exe
O19 - User stylesheet: C:\WINDOWS\Web\win.def

After restarting, delete the following:

tapicfg.exe
C:\Program Files\Altnet folder
C:\WINDOWS\SYSTEM\P2P NETWORKING folder
The contents of C:\Windows\Temp



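A small triage pass over a HijackThis log, covering the win.ini Run= line from Response 8 and the kinds of entries Tom41 singles out in Response 29 (Run entries with no drive letter, orphaned BHO/toolbar entries, rewritten start/search pages, Hosts and Winsock entries, the user stylesheet). This is an added example, not code from the thread or from HijackThis; the rules and the sample log excerpt below are constructed for illustration, modelled on the logs posted above.

```python
import re

# Constructed excerpt modelled on the logs posted in this thread (not a real log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.2
Platform: Windows 98 SE (Win9x 4.10.2222A)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 66.28.33.54 auto.search.msn.com
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
O3 - Toolbar: (no name) - {FE6BC4EF-5676-484B-88AE-883323913256} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O10 - Hijacked Internet access by WebHancer
O19 - User stylesheet: C:\WINDOWS\Web\win.def
"""

# Every HijackThis entry starts with a section code such as R0, F1, O4, O16.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body: "<hive>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def triage_entry(line):
    """Return (code, reason) if the entry deserves a second look, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "F1":
        # win.ini [windows] run= should normally be empty (Response 8); anything
        # after the '=' is started at every logon without a registry trace.
        value = body.partition("run=")[2].strip()
        if value:
            return code, "win.ini run= starts: " + value
    elif code == "O1":
        return code, "Hosts file overrides name resolution: " + body.partition(": ")[2]
    elif code == "O10":
        return code, "Winsock layered provider hijacked: " + body
    elif code == "O19":
        # A forced user stylesheet is applied to every page the browser renders.
        return code, "user stylesheet forced on every page: " + body.partition(": ")[2]
    elif code in ("R0", "R1"):
        value = body.partition(" = ")[2]
        if value.startswith("about:blank") or value.endswith("(obfuscated)"):
            return code, "IE start/search setting rewritten to: " + value
    elif code in ("O2", "O3"):
        if body.endswith("(no file)") or body.endswith("(file missing)"):
            return code, "BHO/toolbar registered but its file is gone: " + body
    elif code == "O4":
        om = O4_RE.match(body)
        # A command with no drive letter (e.g. '\tapicfg.exe') resolves relative
        # to the current drive root, which is not where legitimate software installs.
        if om and om.group("cmd").startswith("\\"):
            return code, "Run entry launched from a bare root path: " + om.group("cmd")
    return None


def triage_log(text):
    """Run triage_entry over every line of a log and keep the hits, in log order."""
    return [hit for hit in (triage_entry(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for code, reason in triage_log(SAMPLE_LOG):
        print(f"{code:<4} {reason}")
```

Anything the script flags still needs a human decision; the ScanRegistry line in the sample is a normal Windows 98 entry and is correctly left alone.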

Response Number 30
Name: Tom41
Date: September 30, 2003 at 15:52:38 Pacific

Richard,
Run HijackThis and post your log.



Response Number 31
Name: Stew66
Date: September 30, 2003 at 19:41:42 Pacific

Hey, All. I want to repeat Derek's kudos for Tom41: he's been a great help.

I seem to have got CSW out my system, but my IE still starts off very slowly with a proxy server (8080) that I've not specified. (Netscape works great.) Still working on Spybot and will be looking for help from my ISP when my phones are back up...electronic purgatory. Will post an update when available.




Response Number 32
Name: Jen
Date: October 1, 2003 at 03:29:40 Pacific

Just wanted to add my 'voice'... This morning I got the "couldn't find file Info32.exe" message when I booted up my computer. I'm going to follow all the suggestions above. Just for the record, I discovered that my son had been visiting porn sites on my PC yesterday afternoon (he's in big trouble!!!) so am sure it's some kind of trojan/spyware... I've just updated my Anti-Trojan software and Spybot, so will also be running those. My homepage was also set to "about:blank" instead of my normal homepage and yet opened on a site called "www.luckysearch.net". Will keep you posted.




Response Number 33
Name: Dan77
Date: October 1, 2003 at 04:30:40 Pacific

Hi Tom,

I'm having the same problem as others. I keep getting the message "file info32.exe is missing" whenever I boot up. Here is my HijackThis log.


Logfile of HijackThis v1.97.2
Scan saved at 9:16:46 PM, on 1/10/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\ABCD.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\CMMPU.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?bzbjr about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hunterlink.net.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Dodo Internet
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.searchxp.com/search.php?qq=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://www.fastwebfinder.com/hp.php
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 66.28.33.54 auto.search.msn.com
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD.DLL
O2 - BHO: (no name) - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\PROGRAM FILES\WEBHANCER\PROGRAMS\WHIEHLPR.DLL (file missing)
O2 - BHO: (no name) - {27A5FF76-9919-492C-98E3-EDA3502FC829} - C:\WINDOWS\SYSTEM\ML_32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [PE2CKFNT SE] C:\Program Files\Ulead Systems\Ulead Photo Express 2 SE\ChkFont.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Gator] "C:\Program Files\Gator.com\Gator\Gator.exe"
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [PopUpKiller] C:\PROGRAM FILES\POPUP KILLER\POPUPKILLER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Shell] C:\WINDOWS/DOWNLO~1/tray.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [LanLite] lanlite.exe
O4 - HKCU\..\Run: [AOL Instant Messenger (TM)] c:\program files\netscape\communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [od-stnd59] c:\program files\Webdialer\od-stnd59.exe -m
O4 - HKCU\..\Run: [iedll] C:\WINDOWS\iedll.exe
O4 - HKCU\..\Run: [loader] C:\WINDOWS\LOADER.EXE
O4 - Startup: RealDownload.lnk = C:\Program Files\Real\RealDownload\REALDOWNLOAD.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O12 - Plugin for .asf: C:\PROGRAM FILES\NETSCAPE\COMMUNICATOR\PROGRAM\PLUGINS\npdsplay.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hunterlink.net.au
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {430DDE24-C051-11CF-95BE-0020AFF75E4F} (ichat xchat Control) - http://www.rsvp.com.au:4080/chat/data/html/user/msie/msichat.ocx
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {09C1A291-8E2A-11D0-BB0B-00AA001F4283} (Pinger Class) - http://www1.pcpitstop.com/Ping.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {AB1E62EB-3DE3-428F-A417-64AB3C9B6CF0} (eConn Class) - http://econnect.libereco.net/econnect.cab
O16 - DPF: {DA9A0B1E-9B7B-11D3-B8A4-00C04F79641C} (NSUpdateLiteCtrl Class) - http://204.177.92.201/quickdl/proclaim/NSupd9x.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://connect.online-dialer.com/MaConnect.cab
O16 - DPF: {11BF0E2B-4229-4ADC-9C11-1C6968731018} (Download Class) - http://www.0190-dialer.com/VLoading.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/vet_install_popup.pl?2
O19 - User stylesheet: C:\WINDOWS\Web\win.def


Hope you can help me.

thanx.



Response Number 34
Name: Jen
Date: October 1, 2003 at 06:58:49 Pacific
Reply: (edit)

Should I also paste the log file from "Hijack This"?

I've checked for Trojans and Spyware and my system is clean.



Response Number 35
Name: Jen
Date: October 1, 2003 at 07:05:53 Pacific
Reply: (edit)

Tom41,

In response 8, you wrote "Edit the Run= Info32.exe line so it reads Run=. (There should be nothing to the right of Run=)" -- My win.ini file has not only the Info32.exe next to 'Run', but also "C:\WINDOWS\SYSTEM\cmmpu.exe", should I leave "cmmpu.exe" or take that reference away too?



Response Number 36
Name: Greensky
Date: October 1, 2003 at 08:06:31 Pacific
Reply: (edit)

Tom, I haven't deleted what you listed yet, mainly because I couldn't find any trace of those programs on my computer...

But also, I'd like to point out that at least two out of three of the programs you listed are from Kazaa Media Player. If I delete those files, Kazaa becomes un-usable. Could this problem have something to do with Kazaa? Also, maybe you could find another way for me to find those files on my computer. I tried searching for them with "Find", but no luck.

Jen, I wouldn't go too hard on him. It's like a built-in male quality (yes, males are sick :P). Heck, I don't know a single male friend of mine who doesn't look at pornographic material. Perhaps it's society's influence on making it sound so ordinary. For example, popular hit television shows like "Friends" and "That 70's Show" have situations where the male characters are watching or reading pornography, as if it's an everyday occurrence.



Response Number 37
Name: Tom41
Date: October 1, 2003 at 08:07:10 Pacific
Reply: (edit)

Hi Jen, yes, just copy & paste your log in a reply.
Yes also to leaving the C:\WINDOWS\SYSTEM\cmmpu.exe reference in the win.ini file.



Response Number 38
Name: Tom41
Date: October 1, 2003 at 08:15:39 Pacific
Reply: (edit)

Dan77
First, Click Start > Run > type win.ini and click OK.
Edit the run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\SYSTEM\cmmpu.exe line so it reads run=C:\WINDOWS\SYSTEM\cmmpu.exe.
Close the win.ini and save the changes.

Then download and run CWShredder and reboot.
CWShredder

After running CWShredder, install, update and run Spybot-S&D. Have Spybot fix all red entries it lists and reboot.

Spybot

Run HT again and post a new log.




Response Number 39
Name: steveas
Date: October 1, 2003 at 08:29:00 Pacific
Reply: (edit)

Tom,
Ditto,
I have the exact same problem:
1) "can't load or run info32.exe"
2) IE automatically resets its homepage to www.luckysearch.com
3) internet is slow and jumpy



Response Number 40
Name: Tom41
Date: October 1, 2003 at 08:56:00 Pacific
Reply: (edit)

Greensky, have you searched hidden files and folders?

Click Start > Settings > Folder options > View tab. Check 'Show hidden files'.
When searching, check 'Include subfolders'.
If you still can't find them, uninstall Kazaa and fix everything listed above.



Response Number 41
Name: Tom41
Date: October 1, 2003 at 08:57:20 Pacific
Reply: (edit)

steveas
See the links above and download and run CWShredder and Spybot.



Response Number 42
Name: richard
Date: October 1, 2003 at 11:19:06 Pacific
Reply: (edit)

Tom 41

Re your response 30 to me, here is the log:

Logfile of HijackThis v1.97.2
Scan saved at 19:16:51, on 01/10/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SVCINIT.EXE
C:\WINDOWS\SYSTEM\MVHV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\VPDP.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\E_S10IC2.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\WINDOWS\WINGATE.EXE
C:\PROGRAM FILES\ADAPTEC\EASY CD CREATOR 4\CREATECD\CREATECD.EXE
C:\WINDOWS\SVCHOST.EXE
C:\PROGRAM FILES\MUSICMATCH\MUSICMATCH JUKEBOX\MM_TRAY.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\COREL\GRAPHICS8\PROGRAMS\MFINDEXER.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SLLIGHTS.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\UNZIPPED\HIJACKTHIS[1]\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?bzbjr about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?bzbjr about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.ezcybersearch.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.ezcybersearch.com/search
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://www-cache.freeserve.net:8080;ftp=http://www-cache.freeserve.net:8080
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = http://xwebsearch.biz/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?bzbjr (obfuscated)
F1 - win.ini: run=C:\WINDOWS\svcinit.exe
O1 - Hosts: 645238813 xuto.search.msn.com
O2 - BHO: (no name) - {1F48AA48-C53A-4E21-85E7-AC7CC6B5FFAF} - C:\WINDOWS\TEMP\MSFECO.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\MY DOCUMENTS\MESSENGER SERVICE RECEIVED FILES\PIC1324(1)(1)(1)(1)(1).exe
O4 - HKLM\..\Run: [CC2KUI] C:\PROGRA~1\COMET\BIN\CSTRAY.EXE
O4 - HKLM\..\Run: [CriticalUpdate] c:\windows\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\Run: [HotPix2] c:\program files\dialers\hotpix2\hotpix2.exe /noconnect
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\SYSTEM\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] LOGI_MWX.EXE
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\Run: [nuedhjvux] vpdp.exe autorun
O4 - HKLM\..\Run: [Svchost] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [CreateCD] C:\PROGRA~1\ADAPTEC\EASYCD~1\CREATECD\CREATECD.EXE -r
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SVC Service] C:\WINDOWS\SYSTEM\svcinit.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Login Service] C:\windows\wingate.exe
O4 - HKLM\..\RunOnce: [ehl] mvhv.exe
O4 - Startup: kyi.exe
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def

Hope you can help me, or it's back to the re-install disks


Richard



Response Number 43
Name: Tom41
Date: October 1, 2003 at 11:38:11 Pacific
Reply: (edit)

richard,
Before we start removing any of this mess that you have, go here and run an online virus scan. Copy the log and paste it in a reply.
You have two possibly three different viruses that we need to positively identify.
Let me know if you are unable to run the scan.

RAV



Response Number 44
Name: jovirulez
Date: October 1, 2003 at 11:38:44 Pacific
Reply: (edit)

Here is mine.

* HijackThis v1.97 *
Written by Merijn - merijn@spywareinfo.com
http://www.spywareinfo.com/~merijn/files/hijackthis.zip
http://www.spywareinfo.com/~merijn/index.html

See below version history for short info on hijack sections.

* Version history *
[v1.96]
* Lots of bugfixes and small enhancements! Among others:
* Fix for Japanese IE toolbars
* Fix for searchwww.com fake CLSID trick in IE toolbars and BHO's
* O19 (user stylesheet) now only checks for known bad filenames
* Attributes on Hosts file will now be restored when scanning/fixing/restoring it.
* Added several files to the LSP whitelist
* Fixed some issues with incorrectly re-encrypting data, making R0/R1 go undetected until a restart
* All sites in the Trusted Zone are now shown, with the exception of those on the nonstandard but safe domain list
[v1.95]
* Added a new regval to check for from Whazit hijack (Start Page_bak).
* Excluded IE logo change tweak from toolbar detection (BrandBitmap and SmBrandBitmap).
* New in logfile: Running processes at time of scan.
* Checkmarks for running StartupList with /full and /complete in HijackThis UI.
* New O19 method to check for Datanotary hijack of user stylesheet.
* Google.com IP added to whitelist for Hosts file check.
[v1.94]
* Fixed a bug in the Check for Updates function that could cause corrupt downloads on certain systems.
* Fixed a bug in enumeration of toolbars (Lop toolbars are now listed!).
* Added imon.dll, drwhook.dll and wspirda.dll to LSP safelist.
* Fixed a bug where DPF could not be deleted.
* Fixed a stupid bug in enumeration of autostarting shortcuts.
* Fixed info on Netscape 6/7 and Mozilla saying '%s---browser%' (oops).
* Fixed bug where logfile would not auto-open on systems that don't have .log filetype registered.
* Added support for backing up F0 and F1 items (d'oh!).
[v1.93]
* Added mclsp.dll (McAfee), WPS.DLL (Sygate Firewall), zklspr.dll (Zero Knowledge) and mxavlsp.dll (OnTrack) to LSP safelist.
* Fixed a bug in LSP routine for Win95.
* Made taborder nicer.
* Fixed a bug in backup/restore of IE plugins.
* Added UltimateSearch hijack in O17 method (I think).
* Fixed a bug with detecting/removing BHO's disabled by BHODemon.
* Also fixed a bug in StartupList (now version 1.52.1).
[v1.92]
* Fixed two stupid bugs in backup restore function.
* Added DiamondCS file to LSP files safelist.
* Added a few more items to the protocol safelist.
* Log is now opened immediately after saving.
* Removed rd.yahoo.com from NSBSD list (spammers are starting to use this, no doubt spyware authors will follow).
* Updated integrated StartupList to v1.52.
* In light of SpywareNuker/BPS Spyware Remover, any strings relevant to reverse-engineers are now encrypted.
* Rudimentary proxy support for the Check for Updates function.
[v1.91]
* Added rd.yahoo.com to the Nonstandard But Safe Domains list.
* Added 8 new protocols to the protocol check safelist, as well as showing the file that handles the protocol in the log (O18).
* Added listing of programs/links in Startup folders (O4).
* Fixed 'Check for Update' not detecting new versions.
[v1.9]
* Added check for Lop.com 'Domain' hijack (O17).
* Bugfix in URLSearchHook (R3) fix.
* Improved O1 (Hosts file) check.
* Rewrote code to delete BHO's, fixing a really nasty bug with orphaned BHO keys.
* Added AutoConfigURL and proxyserver checks (R1).
* IE Extensions (Button/Tools menuitem) in HKEY_CURRENT_USER are now also detected.
* Added check for extra protocols (O18).
[v1.81]
* Added 'ignore non-standard but safe domains' option.
* Improved Winsock LSP hijackers detection.
* Integrated StartupList updated to v1.4.
[v1.8]
* Fixed a few bugs.
* Adds detecting of free.aol.com in Trusted Zone.
* Adds checking of URLSearchHooks key, which should have only one value.
* Adds listing/deleting of Download Program Files.
* Integrated StartupList into the new 'Misc Tools' section of the Config screen!
[v1.71]
* Improves detecting of O6.
* Some internal changes/improvements.
[v1.7]
* Adds backup function! Yay!
* Added check for default URL prefix
* Added check for changing of IERESET.INF
* Added check for changing of Netscape/Mozilla homepage and default search engine.
[v1.61]
* Fixes Runtime Error when Hosts file is empty.
[v1.6]
* Added enumerating of MSIE plugins
* Added check for extra options in 'Advanced' tab of 'Internet Options'.
[v1.5]
* Adds 'Uninstall & Exit' and 'Check for update online' functions.
* Expands enumeration of autoloading Registry entries (now also scans for .vbs, .js, .dll, rundll32 and service)
[v1.4]
* Adds repairing of broken Internet access (aka Winsock or LSP fix) by New.Net/WebHancer
* A few bugfixes/enhancements
[v1.3]
* Adds detecting of extra MSIE context menu items
* Added detecting of extra 'Tools' menu items and extra buttons
* Added 'Confirm deleting/ignoring items' checkbox
[v1.2]
* Adds 'Ignorelist' and 'Info' functions
[v1.1]
* Supports BHO's, some default URL changes
[v1.0]
* Original release

A good thing to do after version updates is clear your Ignore list and re-add them, as the format of detected items sometimes changes.

The different sections of hijacking possibilities have been separated into these groups:
R - Registry, StartPage/SearchPage changes
R0 - Changed registry value
R1 - Created registry value
R2 - Created registry key
R3 - Created extra registry value where only one should be
F - IniFiles, autoloading entries
F0 - Changed inifile value
F1 - Created inifile value
N - Netscape/Mozilla StartPage/SearchPage changes
N1 - Change in prefs.js of Netscape 4.x
N2 - Change in prefs.js of Netscape 6
N3 - Change in prefs.js of Netscape 7
N4 - Change in prefs.js of Mozilla
O - Other, several sections which represent:
O1 - Hijack of auto.search.msn.com with Hosts file
O2 - Enumeration of existing MSIE BHO's
O3 - Enumeration of existing MSIE toolbars
O4 - Enumeration of suspicious autoloading Registry entries
O5 - Blocking of loading Internet Options in Control Panel
O6 - Disabling of 'Internet Options' Main tab with Policies
O7 - Disabling of Regedit with Policies
O8 - Extra MSIE context menu items
O9 - Extra 'Tools' menuitems and buttons
O10 - Breaking of Internet access by New.Net or WebHancer
O11 - Extra options in MSIE 'Advanced' settings tab
O12 - MSIE plugins for file extensions or MIME types
O13 - Hijack of default URL prefixes
O14 - Changing of IERESET.INF
O15 - Trusted Zone Autoadd
O16 - Download Program Files item
O17 - Domain hijack
O18 - Enumeration of existing protocols
O19 - User stylesheet hijack



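The section table in the readme above and Tom41's win.ini instructions in response 38 together describe what a reader is expected to do with these logs by hand. As an added example that is not part of the thread or of HijackThis, the script below parses a HijackThis v1.97-style log, labels each item with its section meaning, computes the corrected `run=` value (dropping only the info32.exe loader and keeping any other entry, as response 38 advises), decodes the numeric Hosts-file address in the O1 line, and counts the repeated O10 lines. The sample log is constructed from lines of the same shape as those posted in the thread, and the `SUSPECT_RUN_FILES` set is an assumption that lists only the filename this thread is about.

```python
# Added example: a small triage script for HijackThis v1.97-style logs.
# Section meanings follow the readme pasted in response 44; the win.ini
# check follows Tom41's advice in response 38.  Not code from the thread.
import ipaddress
import re

# Subset of the section table from the HijackThis readme (response 44).
SECTIONS = {
    "R0": "Changed registry value", "R1": "Created registry value",
    "F0": "Changed inifile value", "F1": "Created inifile value",
    "O1": "Hijack of auto.search.msn.com with Hosts file",
    "O7": "Disabling of Regedit with Policies",
    "O10": "Breaking of Internet access by New.Net or WebHancer",
    "O19": "User stylesheet hijack",
}

# Constructed sample in the same shape as the logs pasted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.2
Platform: Windows 98 SE (Win9x 4.10.2222A)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\EXPLORER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?pgdoc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe C:\WINDOWS\SYSTEM\cmmpu.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O19 - User stylesheet: C:\WINDOWS\Web\win.def
"""

ITEM_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
SUSPECT_RUN_FILES = {"info32.exe"}  # assumption: only the loader this thread is about


def parse_log(text):
    """Return (processes, items): running-process paths and (code, body) pairs."""
    processes, items, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs and line:
            processes.append(line)
        elif in_procs:          # blank line closes the process list
            in_procs = False
        elif (m := ITEM_RE.match(line)):
            items.append((m.group(1), m.group(2)))
    return processes, items


def clean_run_line(body):
    """For an F1 'win.ini: run=...' body return (suspect entries, corrected run= line).

    run= is a space-separated program list, so only the loader is dropped and
    any other entry (cmmpu.exe in the thread) is kept, as in response 38.
    """
    entries = body.split("run=", 1)[1].split()
    bad = [e for e in entries if e.rsplit("\\", 1)[-1].lower() in SUSPECT_RUN_FILES]
    return bad, "run=" + " ".join(e for e in entries if e not in bad)


def decode_hosts_entry(body):
    """Decode 'Hosts: <addr> <name>'; a bare decimal addr is the IPv4 address as one integer."""
    addr, name = body.split(":", 1)[1].split()
    if addr.isdigit():
        addr = str(ipaddress.IPv4Address(int(addr)))
    return addr, name


def triage(text):
    """Run the thread's checks over a log and return a findings dict."""
    _, items = parse_log(text)
    findings = {"run_loader": [], "fixed_run": None, "hosts": [],
                "regedit_disabled": False, "o10": 0, "unknown_sections": []}
    for code, body in items:
        if code not in SECTIONS:
            findings["unknown_sections"].append(code)
        if code in ("F0", "F1") and "run=" in body:
            bad, fixed = clean_run_line(body)
            if bad:
                findings["run_loader"] += bad
                findings["fixed_run"] = fixed
        elif code == "O1":
            findings["hosts"].append(decode_hosts_entry(body))
        elif code == "O7" and "DisableRegedit=1" in body:
            findings["regedit_disabled"] = True
        elif code == "O10":  # one line per hijacked Winsock LSP entry
            findings["o10"] += 1
    return findings


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```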

Response Number 45
Name: Jovirulez
Date: October 1, 2003 at 11:41:36 Pacific
Reply: (edit)

sorry lmao:)

I'll try that again



Response Number 46
Name: Jovirulez
Date: October 1, 2003 at 11:42:48 Pacific
Reply: (edit)

Logfile of HijackThis v1.97.2
Scan saved at 2:46:31 PM, on 10/1/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EASY INTERNET\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\USBMMKBD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\PILOT MOUSE WHEEL SCROLL\4DMAIN.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HIJACKTHIS\HIJACKTHIS.EXE
C:\UNZIPPED\CWSHREDDER\CWSHREDDER.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://acc.count-all.com/---/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://acc.count-all.com/-/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?pgdoc (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://acc.count-all.com/-/?pgdoc about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/ext/hp/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.white-pages.ws/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://acc.count-all.com/--/?pgdoc (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://acc.count-all.com/---/?pgdoc (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.white-pages.ws/
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?pgdoc (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://acc.count-all.com/--/?pgdoc (obfuscated)
F1 - win.ini: run=C:\WINDOWS\..\PROGRA~1\COMMON~1\MICROS~1\MSINFO\info32.exe
O1 - Hosts: 3510794918 auto.search.msn.com
O2 - BHO: (no name) - {004A5840-FF59-11d2-B50D-0090271D3FD4} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet5_40.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: MapQuest - {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} - C:\WINDOWS\DOWNLO~1\MQGOLD1.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [USBMMKBD] usbmmkbd.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\PILOTM~1\4DMAIN.EXE -startup
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE
O4 - HKLM\..\Run: [Trickler] "c:\program files\divx\divx pro codec\gain_trickler_3202.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [Tapicfg.exe] \tapicfg.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Easy Internet\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Forbes] C:\Program Files\Forbes\ForbesAlerts.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: RealGuide (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37893.800625
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {EE2589EB-7FC8-44DB-A892-573F2C4B41E0} - http://pdf.forbes.com/forbesnews/triggernews/ForbesDownloaderSigned.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: ConferenceRoom Java Client - http://208.187.22.155:8000/java/cr.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
O16 - DPF: {4E7BD74F-2B8D-469E-A3FA-F363B384B77D} (MapQuest) - http://cdn.mapquest.com/mqtoolbar/mqgold1.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {1C955F3B-5B32-4393-A05D-24B4970CD2A1} (Video Class) - http://streamp.babenet.com/cabs/videox.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.300 - http://about.chatspace.com/Java/cfs40300.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/bcd48c18cb7498/housecall.antivirus.com/housecall/xscan53.cab
O19 - User stylesheet: C:\WINDOWS\Web\win.def




Response Number 47
Name: Tom41
Date: October 1, 2003 at 11:49:53 Pacific
Reply: (edit)

Jovirulez

First, Go to Add/Remove Programs and uninstall New.net.

Then download and run CWShredder and reboot.

CWShredder

Finally install, update and run Spybot-S&D. Have Spybot fix all red entries it lists.

Spybot



Response Number 48
Name: phil500
Date: October 1, 2003 at 11:55:30 Pacific
Reply: (edit)

Hi all.

Been following thread with quite some interest, as I have been plagued by the 'luckysearch.net default' problem. I have completely got rid of this hijack, which I believe was delivered by a virus - all inter-linked to making 'www.luckysearch.net' the default page in IE web-browser. Took 2 hours, but was greatly helped by this thread - thanks especially Tom for your valuable info. The following information could potentially help anyone having any or all of the symptoms described in this thread.

----------------

Being a keen visitor of attractivebabes.com, a high-class, completely free and pop-up free softcore porn site, I decided to visit one of the recommended links. The site I visited seemed fine in itself, but when clicking on further links, IE windows started exploding all over the place. Deciding that it was a really bad idea, I began closing windows as fast as they opened. During one I got a small dialog box with just an 'OK' button. It said something like 'Automatic FTP download beginning' etc., followed by strings of what looked like hex strings. I am sure this is what started the problems...

Anyway... to cut a long story short, the default page became constantly set to luckysearch.net. When clicking 'Use default' in 'Internet options' I found the default was indeed luckysearch.net.

Using AntiVir (really good free anti-virus scanning and protection) I found that I had a trojan called 'startpage.y'. I am 90% positive that this is related to the info32.exe file. I've deleted the trojan, bogus files, and updated my win.ini file. However, if you're interested in how it got there in the first place and how to protect against further insertions, read on!

The trojan and .exe file got through because of a security hole in Microsoft's virtual machine, which Java uses in IE. It allows code to be run on a user's computer without them having any knowledge whatsoever of it even happening. Info and patch for this can be found here:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-011.asp

Interestingly enough, although I use Windows Update regularly, it has never identified this patch as needed, although I don't have it, and Microsoft lists it as critical!!! Furthermore, I could only download this patch by clicking on the 'Additional info. about this patch' link and tinkering around in there for ages, and then being redirected to a similar article. Finally, I found a downloadable link. If you're having the same problems, go to:

http://support.microsoft.com/default.aspx?scid=kb;en-us;816093

and click on the link for network administrators. Absolutely long-winded, but you should be able to get the download from there.

Well, hope this long explanation helps, probably not explained very well, but I think I've covered everything. After installing the Microsoft patch I ran AntiVir again, as well as Ad-Aware, CWShredder and also Spybot, just to be certain it had been removed. Also, delete some of the registry entries as described in the first Microsoft article link I've added here.



Response Number 49
Name: Jen
Date: October 1, 2003 at 12:54:52 Pacific
Reply: (edit)

Tom41,

I think I may have corrected the problem, but will paste the HijackThis.log file here anyway coz you'll know better than me.

(Greensky, if my son was a teenager, I may not have said anything, but he's only 8!!! No more unsupervised internet for him!!!)


Here's the HijackThis.log...

Logfile of HijackThis v1.97.2
Scan saved at 09:46:27, on 2003/10/01
Platform: Windows 98 Gold (Win9x 4.10.1998)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
D:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINJECT.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\HP SIMPLE TRAX\HPCRON.EXE
C:\PROGRAM FILES\CD-WRITER PLUS\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\FMCTRL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\RunDLL.exe
D:\PROGRAMMES\POP-UP STOPPER FREE EDITION\PSFREE.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
D:\PROGRAMMES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON CLEANSWEEP\CSINSM32.EXE
C:\Program Files\Norton SystemWorks\Norton CleanSweep\Monwow.exe
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mweb.co.za/home/default.aspx
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O2 - BHO: (no name) - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\ODIGO\BIN\ODIGOBHO.DLL (disabled by BHODemon)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1.1\SDHELPER.DLL
O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\PROGRAM FILES\NAVEXCEL\NAVHELPER\V2.0.4\NHELPER.DLL (disabled by BHODemon)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\YCOMP5_0_2_3.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [hpbrdetect] C:\Program Files\Hewlett-Packard\HP Web PrintSmart\brdetect.exe
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [HP Simple Trax] C:\Program Files\CD-Writer Plus\HP Simple Trax\hpcron.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\CD-Writer Plus\DirectCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Q3dctlTray] Fmctrl.EXE
O4 - HKLM\..\Run: [NPROTECT] D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\Run: [Norton eMail Protect] C:\Program Files\Norton SystemWorks\Norton AntiVirus\POPROXY.EXE
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NORTON~2\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [NPROTECT] D:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O4 - HKLM\..\RunServices: [CSINJECT.EXE] C:\Program Files\Norton SystemWorks\Norton CleanSweep\CSINJECT.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "D:\PROGRAMMES\POP-UP STOPPER FREE EDITION\PSFREE.EXE"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: CleanSweep Smart Sweep-Internet Sweep.lnk = C:\Program Files\Norton SystemWorks\Norton CleanSweep\csinsm32.exe
O4 - Global Startup: ZoneAlarm.lnk = D:\Programmes\Zone Labs\ZoneAlarm\zonealarm.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer