Scumware won't let me run regedit. It appears briefly then closes. My HijackThis log follows. I have included remark " .... scumware?" in the log.
Logfile of HijackThis v1.97.3
Scan saved at 10:24:50 PM, on 10/20/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\WINDOWS\System32\CfgSrvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\UWHSDKK.exe
C:\Program Files\Messenger\msmsgs.exe
C:\SABRE\Apps\ATS\SSSClnt.exe
C:\WINDOWS\SYSTEM32\Drivers\DadTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\sabserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Downloads\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Betty/HomePage.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [DadApp] C:\WINDOWS\SYSTEM32\Drivers\dadapp.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Winsuckz4 driver] UWHSDKK.exe .... scumware?
O4 - HKLM\..\Run: [MSConfig] PADYPUGKOJ.exe ......... scumware?
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Sabre Site Services] C:\SABRE\Apps\ATS\SSSClnt.exe
O4 - HKCU\..\RunOnce: [MSConfig] PADYPUGKOJ.exe ......scumware?
O4 - HKCU\..\RunOnce: [Winsuckz4 driver] UWHSDKK.exe ..scumware?
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Sabre Server.lnk = C:\WINDOWS\sabserv.exe
O4 - Global Startup: webdav.exe
O4 - Global Startup: whlp32.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: MoneySide (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{DE499F15-6A59-4FEC-8362-D751485FE194}: NameServer = 209.244.0.3 209.244.0.4
I removed the questionable items before but the driver Winsuckz4 came back and so did another bogus exe (under a different name). How can I get rid of these scumware?
Your help is most appreciated.
Thanks

afbyorb,
You are infected with W32.Spybot.
Download and run ProcessExplorer and End (kill) Process on the following:
UWHSDKK.EXE
PADYPUGKOJ.EXE
webdav.exe
whlp32.exe
http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
Run HT again and check the following items.
Next, close all browser windows, and have HT 'fix checked'. You MUST restart your computer to safe mode when you're done.
O4 - HKLM\..\Run: [Winsuckz4 driver] UWHSDKK.exe
O4 - HKLM\..\Run: [MSConfig] PADYPUGKOJ.exe
O4 - HKCU\..\RunOnce: [MSConfig] PADYPUGKOJ.exe
O4 - HKCU\..\RunOnce: [Winsuckz4 driver] UWHSDKK.exe
O4 - Global Startup: webdav.exe
O4 - Global Startup: whlp32.exe
Once in safe mode delete the following files:
PADYPUGKOJ.EXE
UWHSDKK.EXE
Reboot to Windows and run an online scan here and delete any files listed as infected.
RAV
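
A triage pass over the O4 lines of the first log above, as an added example that is not part of any post in this thread. It flags value names registered under both Run and RunOnce, and startup-folder items that are bare files rather than shortcuts; both rules are assumptions drawn from the pattern in this log, a match is a lead for review rather than a verdict, and `triage` and `SAMPLE_LOG` are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample: O4 lines copied from the first log in this thread,
# with the poster's "scumware?" remarks left in place.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.exe NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG -off
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Winsuckz4 driver] UWHSDKK.exe .... scumware?
O4 - HKLM\..\Run: [MSConfig] PADYPUGKOJ.exe ......... scumware?
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [MSConfig] PADYPUGKOJ.exe ......scumware?
O4 - HKCU\..\RunOnce: [Winsuckz4 driver] UWHSDKK.exe ..scumware?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Sabre Server.lnk = C:\WINDOWS\sabserv.exe
O4 - Global Startup: webdav.exe
O4 - Global Startup: whlp32.exe
"""

REMARK = re.compile(r"\s*\.{2,}\s*scumware\?\s*$")  # the poster's annotations
REG = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.+)$")

def triage(log_text):
    """Return (re-armed registry autoruns, non-shortcut startup items)."""
    keys_seen = defaultdict(set)   # (value name, command) -> {"Run", "RunOnce", ...}
    loose_files = []
    for raw in log_text.splitlines():
        line = REMARK.sub("", raw.strip())
        m = REG.match(line)
        if m:
            _hive, key, name, cmd = m.groups()
            keys_seen[(name, cmd)].add(key)
            continue
        m = STARTUP.match(line)
        # Assumed heuristic: ordinary startup items are "X.lnk = target" shortcuts.
        if m and ".lnk = " not in m.group(1):
            loose_files.append(m.group(1))
    # Assumed heuristic: the same entry in Run and RunOnce re-registers itself.
    rearmed = sorted(k for k, v in keys_seen.items() if {"Run", "RunOnce"} <= v)
    return rearmed, loose_files

if __name__ == "__main__":
    rearmed, loose = triage(SAMPLE_LOG)
    for name, cmd in rearmed:
        print(f"Run+RunOnce: [{name}] {cmd}")
    for item in loose:
        print(f"Startup folder file: {item}")
```
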

Thanks TOM41. I couldn't kill webdav.exe nor whlp32.exe because process explorer didn't show them. However after killing the other two scumware exe's and fixing with HijackThis I was able to run msconfig. I unchecked webdav.exe and whlp32.exe from the startup. Then I rebooted in safe mode and deleted the 2 scumware exe's. Rebooted normally but no go. The 4 scumware items came back under different names. After killing and fixing I see that there are now duplicate entries for webdav.exe and whlp32.exe in the startup from msconfig. One set of entries is checked for startup the other unchecked. Wits end.

Thanks again Tom41. I updated my Norton Anti-virus. I deleted webdav.exe and whlp.exe. Ran Norton in Safe Mode, quarantined and rebooted. I had 166 instances of W32.spybot in my system. I am healthy again.

I have a number of problems similar to his (I have Process Explorer)
1. Regedit doesn't work
2. Task Manager doesn't work
3. Sometimes when I delete some of the adware in Process Explorer it shuts down my comp
Logfile of HijackThis v1.97.7
Scan saved at 3:33:15 PM, on 11/23/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Grisoft\AVG6\avgcc32.exe
C:\WINDOWS\System32\WUAUMQR.exe
C:\WINDOWS\System32\dumnkqea.exe
C:\WINDOWS\System32\IEDriver\IEDriver.exe
C:\WINDOWS\uptodate.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\Program Files\WinZip\WZQKPICK.exe
C:\WINDOWS\System32\Tioyv6.exe
C:\WINDOWS\System32\Yzyp.exe
C:\Documents and Settings\Matt (Admin)\Local Settings\Temp\procexp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Matt (Admin)\Local Settings\Temp\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\System32\sb.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {000E7270-CC7A-0786-8E7A-DA09B51938A6} - C:\WINDOWS\System32\n3tpa1.dll
O4 - HKLM\..\Run: [RDLL] RunDll16.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Winsock2 driver] WUAUMQR.exe
O4 - HKLM\..\Run: [SysExplore] C:\WINDOWS\System32\explorer32.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [dumnkqea.exe] C:\WINDOWS\System32\dumnkqea.exe
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IEDriver.exe
O4 - HKLM\..\Run: [RunWindowsUpdate] C:\WINDOWS\uptodate.exe
O4 - HKLM\..\Run: [2N85L533MR#GJT] C:\WINDOWS\System32\IbdJ5ZW.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\RunServices: [RDLL] RunDll16.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Winsock2 driver] WUAUMQR.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: dcom.exe
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\KODAK\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O4 - Global Startup: TFTP22360
O4 - Global Startup: TFTP8040
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ Lite (HKLM)
O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
