0

Gents
Posting this for a friend that has been hijacked.
Have all of the components necessary:

Adaware, Spybot, CWShredder, etc.
Attached is latest HijackThis Log:

PLease advise as to which lines should be removed
GREATLY APPRECAITED ONE AND ALL

Logfile of HijackThis v1.98.2
Scan saved at 12:42:57 PM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\addjw.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\crlf32.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\documents and settings\gavzya\local settings\temp\vRIONrM.exe
C:\documents and settings\gavzya\local settings\temp\j.exe
C:\documents and settings\gavzya\local settings\temp\Ejt9.exe
C:\Program Files\SED\SED.exe
C:\WINDOWS\System32\tibs3.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\PROGRA~1\COMMON~1\tsa\ts2.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\osprpl.exe
C:\WINDOWS\TEMP\winzip32.exe
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\srove.dll/sp.html#24015
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\srove.dll/sp.html#24015
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\srove.dll/sp.html#24015
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\srove.dll/sp.html#24015
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\srove.dll/sp.html#24015
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\srove.dll/sp.html#24015
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\srove.dll/sp.html#24015
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {D3F9FED7-F16A-C143-452D-C8418BD6B10E} - C:\WINDOWS\system32\javary32.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\documents and settings\gavzya\local settings\temp\rGfXl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crlf32.exe] C:\WINDOWS\system32\crlf32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [vRIONrM.exe] C:\documents and settings\gavzya\local settings\temp\vRIONrM.exe
O4 - HKLM\..\Run: [j.exe] C:\documents and settings\gavzya\local settings\temp\j.exe
O4 - HKLM\..\Run: [Ejt9.exe] C:\documents and settings\gavzya\local settings\temp\Ejt9.exe
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [lcusqjkfyk] C:\WINDOWS\System32\osprpl.exe
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\calsp.dll
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(dp5rqb55urchf545c4jtxkub)/ShowSetup5.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13d0baaca11704b8d206/netzip/RdxIE601.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://sbursametime.cognos.com/sametime/STMeetingRoomClient/STJNILoader.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C55CC3FE-5EF4-4726-B18F-CCDAF2813496}: Domain = cognos.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{C55CC3FE-5EF4-4726-B18F-CCDAF2813496}: NameServer = 142.88.64.100,10.67.11.76
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

4
Contributors
29
Replies
30
Views
12 Years
Discussion Span
Last Post by crunchie
0

Ok you say you have spy-bot ad-aware and cwshredder ,i think its now time to run them, and clean some of that mess up! and then post a new log .please follow this
,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Hi! To start with I would like you to do this

Please delete your temporary files by deleting all files and folders that are in those folders (do not delete the temp folder itself) like for example
C:\WINDOWS\Temp\
C:\Temp\
C:\Documents and Settings\username\Local Settings\Temp\
Also delete your Temporary Internet Files, be sure to also select delete all offline content.

Do a virus scan here.
If you get report of files that can’t be cleaned / deleted please write down the filenames and locations and post that in your reply.

Then please do this since it’s better to use automated tools to get rid of the bad stuff use these 2 programs first before doing the final cleaning with HJT

First use Spybot S&D. (Version 1.3)
Spybot
Unzip, and update. Install the updates and run. Delete all that it marks in red.
Reboot

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

Then post a new HJT log as a reply to this topic.

0

Caperjack:

Ran the virus checker - came up clean
Took the system off the net and reran the Spybot, Adaware and CWShredder for good measure. Also ran the LSPfix. There were actually 2 protocol handlers listed: calsp and rsvpsp, I only removed the calsp as directed.

I've rerun HijackTHis and attached log, but I'm sure that the culprit file is still there as the BHO file continues to change: COuld it be the crlf32.exe or the kalvkyr32.exe file?

Many thanks
- - agavzy

Logfile of HijackThis v1.98.2
Scan saved at 5:53:32 PM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\addjw.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\crlf32.exe
C:\WINDOWS\System32\osprpl.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F8178FB3-8D25-D7C4-86A7-8FA8F80D9D53} - C:\WINDOWS\netay32.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crlf32.exe] C:\WINDOWS\system32\crlf32.exe
O4 - HKLM\..\Run: [vRIONrM.exe] C:\documents and settings\gavzya\local settings\temp\vRIONrM.exe
O4 - HKLM\..\Run: [Ejt9.exe] C:\documents and settings\gavzya\local settings\temp\Ejt9.exe
O4 - HKLM\..\Run: [lcusqjkfyk] C:\WINDOWS\System32\osprpl.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkyr32.exe
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(dp5rqb55urchf545c4jtxkub)/ShowSetup5.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13d0baaca11704b8d206/netzip/RdxIE601.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://sbursametime.cognos.com/sametime/STMeetingRoomClient/STJNILoader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

0

COuld it be the crlf32.exe or the kalvkyr32.exe file?

Yes, those are two of your problems. Also, you still have some "nasties" running from within your C:\documents and settings\gavzya\local settings\temp folder. Did you fully follow caperjack's instructions regarding deleting all of the files in that folder?


1. Use your Add/Remove Programs control panel to remove the "Download Accelerator Plus" program, it is adware ("Flashget" is ad-driven also).


2. Have HijackThis fix the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F8178FB3-8D25-D7C4-86A7-8FA8F80D9D53} - C:\WINDOWS\netay32.dll
O4 - HKLM\..\Run: [crlf32.exe] C:\WINDOWS\system32\crlf32.exe
O4 - HKLM\..\Run: [vRIONrM.exe] C:\documents and settings\gavzya\local settings\temp\vRIONrM.exe
O4 - HKLM\..\Run: [Ejt9.exe] C:\documents and settings\gavzya\local settings\temp\Ejt9.exe
O4 - HKLM\..\Run: [lcusqjkfyk] C:\WINDOWS\System32\osprpl.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkyr32.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(dp5rqb55ur.../ShowSetup5.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...8a29296baabe1d6
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/de...bGameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/de...pcaploader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13d0baa...ip/RdxIE601.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://sbursametime.cognos.com/same...STJNILoader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoot...aDownloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v1...ro.cab27513.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/de...aploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/lat...bex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games...ool/h2hpool.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- Delete the following files:
C:\WINDOWS\netay32.dll
C:\WINDOWS\system32\crlf32.exe
C:\WINDOWS\System32\osprpl.exe
C:\windows\system32\kalvkyr32.exe

** Note: The "kalvkyr32.exe" file can change its name randomly, but this particular infection seems to have a pattern: the filename will always be kalvxyz32.exe, where xyz are the only letters of the name which change. Delete any and all files within your system32 folder whose names fit the kalvxyz32.exe pattern.

- Delete the following folders entirely (if they still exist):
C:\PROGRAM FILES\DAP
C:\Program Files\FlashGet

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.


4. Reboot normally, run HijackThis again, and post a new log.

0

DMR:

Done as requested - new log attached:
PLease help!

Logfile of HijackThis v1.98.2
Scan saved at 5:53:32 PM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\addjw.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\crlf32.exe
C:\WINDOWS\System32\osprpl.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {F8178FB3-8D25-D7C4-86A7-8FA8F80D9D53} - C:\WINDOWS\netay32.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [crlf32.exe] C:\WINDOWS\system32\crlf32.exe
O4 - HKLM\..\Run: [vRIONrM.exe] C:\documents and settings\gavzya\local settings\temp\vRIONrM.exe
O4 - HKLM\..\Run: [Ejt9.exe] C:\documents and settings\gavzya\local settings\temp\Ejt9.exe
O4 - HKLM\..\Run: [lcusqjkfyk] C:\WINDOWS\System32\osprpl.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvkyr32.exe
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {11B2C0D3-DFFB-11D3-9253-00500498D7E5} (ShowSetupObj5 Class) - http://invite.mshow.com/(dp5rqb55urchf545c4jtxkub)/ShowSetup5.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=9eafaeb2a8e2a9518112bc6e0cedee1552dd4ecb1dd748bcf1cf4d42ced1394245b14c137e17952f3a6abadc3d36297b2b37:b70ac5aa8ec48e2e58a29296baabe1d6
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {4B9F2C37-C0CF-42BC-BB2D-DCFA8B25CABF} (PopCapLoaderCtrl Class) - http://zone.msn.com/bingame/rock/default/popcaploader1.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13d0baaca11704b8d206/netzip/RdxIE601.cab
O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
O16 - DPF: {7261EE42-318E-490A-AE8F-77649DBA1ECA} (JNILoader Control) - http://sbursametime.cognos.com/sametime/STMeetingRoomClient/STJNILoader.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O16 - DPF: {79849612-A98F-45B8-95E9-4D13C7B6B35C} (Loader2 Control) - http://static.topconverting.com/activex/loader2.ocx
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} (Actimage Room Control) - http://ib.armstrong.com/ib/databases/actimage30717.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab27513.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cognos.webex.com/client/latest/webex/ieatgpc.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldwinner.com/games/v51/h2hpool/h2hpool.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

0

when you check them in hijack you need to then click on FIX Checked .
and you need to delete the files in safe mode that DMR suggested you delete.

0

I did - somehow reposted the wrong log -

Latest attached, but some of the 015 entries would not go away, no matter ho many times I clicked 'fix'. ALso, now have 2 BHO entries!

PLease help!!


Logfile of HijackThis v1.98.2
Scan saved at 8:39:05 PM, on 12/15/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\system32\addjw.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\iezw.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe


O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iezw.exe] C:\WINDOWS\system32\iezw.exe
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

0

Open Task Manager & end process on the following:
addjw.exe
iezw.exe

Go to C:\WINDOWS\system32 and delete those files manually.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O4 - HKLM\..\Run: [iezw.exe] C:\WINDOWS\system32\iezw.exe

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

Go here http://www.billsway.com/vbspage/ and download, unzip and run the Registry Search Tool. Type crazywinnings in the dialog box. Let it run and after a few minutes, a prompt will appear. Click OK to write the results to Notepad and post them here.

Do the same for topconverting.

0

Crunchie:

Did as instructed, though I did not see the 2 apps running in the task mamanger - rebooted in safe mode and deleted the files.

Attached are the two logs as well as a new HJT

Thank You Kind Sir

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "topconverting" 12/16/2004 11:03:07 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting]

[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]

[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]
"InstallDir"="C:\\Program Files\\TopConverting\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting\arkanoid]

[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]

"C:\\Documents and Settings\\GavzyA\\Local Settings\\Temporary Internet Files\\Content.IE5\\SZCB27SJ\\XviD-04102002-1[1].exe"="XviD-04102002-1[1]"
"C:\\Program Files\\TopConverting\\arkanoid\\arkanoid.exe"="Tetris by Crazywinnings"
_____________________________________________________________
REGEDIT4
; RegSrch.vbs © Bill James
; Registry search results for string "Crazywinnings" 12/16/2004 11:06:05 AM
; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]
"C:\\Documents and Settings\\GavzyA\\Local Settings\\Temporary Internet Files\\Content.IE5\\SZCB27SJ\\XviD-04102002-1[1].exe"="XviD-04102002-1[1]"
"C:\\Program Files\\TopConverting\\arkanoid\\arkanoid.exe"="Tetris by Crazywinnings"
__________________________________________________________
Logfile of HijackThis v1.98.2
Scan saved at 11:07:29 AM, on 12/16/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

0

Always back up your registry before making any changes. The easiest way to do this is to select the entry that you are going to delete with your mouse and go to File and choose Export. Call it any name that you like (selected branch should be pre-selected) and then send it to a New Folder on your Desktop as a reg file. If you have no further problems, rightclick on the New Folder and delete it. Do NOT doubleclick on a .reg file unless you want to put it back in your Registry.

Open the registry and navigate to each of these and manually delete them by right clicking on them and selecting delete.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TopConverting]

[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]

[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting]
"InstallDir"="C:\\Program Files\\TopConverting\\"

[HKEY_LOCAL_MACHINE\SOFTWARE\TopConverting\arkanoid]

[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\static.topconverting.com]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]

[HKEY_USERS\S-1-5-21-1764567485-459800859-2736415091-4696\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\frame.crazywinnings.com]

Reboot into safe mode following the instructions here and do following:

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

This one too if Win2K or XP.
C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

0

:) Crunchie!
From the log - it would seem that all has been fixed
PLease let me know if you see anything else

THanks!
ALso - WOuld like to do something approrpiate for the folks at DaniWeb.
Any ideas?

Logfile of HijackThis v1.98.2
Scan saved at 7:45:53 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

0

Looks like you may have done this log in safe mode? If so, just take a normal log and see if the unwanted entries are gone.

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.static.topconverting.com

were the only baddies in your previous log.

ALso - WOuld like to do something approrpiate for the folks at DaniWeb.
Any ideas?

What were you thinking??

0

Crunchie -

Still seem to be getting pop-ups -
Have posted the latesd log
Pop up is : http://www.seeq.com/popupwrapper.jsp?track=true&referrer=&domain=theplaceforcollectibles.com&direct=true
Have also posted latest log

You all have been very helpful and patient - not sure but would like to say "thanks" somehow, but not sure how as I don't have standard mail addresses or anything else - A contribution to a charity in the name of Daniweb? ANything

Anyway - here is latest log. Has a few 01 entries - not sure what these are:

Logfile of HijackThis v1.98.2
Scan saved at 9:35:31 AM, on 12/17/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com

0

You need to update hijackthis to version 1.99. Run hijackthis & go to *Config\Misc Tools\Check for update on-line*. If the site is down, go here. Remove the old version by opening the program, going to config\misc tools, then uninstall & exit. You then have to delete the file manually. Unzip the new version into the hijackthis folder.

Download and run VX2Finder(.exe).
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the 'Click to Find VX2.aBetterInternet' button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. To create a logfile, click the button named: 'Make Log'. This will open logfile using Notepad. Please post (copy/paste) the results and post them in this topic.

Download these two tools:

http://www.downloads.subratam.org/DllCompare.exe
&
http://www.downloads.subratam.org/KillBox.exe

Run Dllcompare, by clicking the "Run Locate.com" then click Compare button... when done post that log here..do not reboot because all the filenames will change otherwise.

0

Crunchie:
New HJT installed and ready to go

Log file from VX2Finder:
Log for VX2.BetterInternet File Finder
Files Found---

Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---
{4E1C22C6-2A06-45F9-9B68-0CC06C808101}

LOG FROMO DLL COMPARE:
* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\SYSTEM32\blfks.dll Fri Nov 19 2004 4:37:46a A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\cgxsv.dll Fri Dec 10 2004 11:57:10p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\cqsync.dll Fri Dec 17 2004 7:38:30a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\dykquoui.dll Wed Dec 15 2004 5:43:24p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\fplo03~1.dll Wed Dec 15 2004 11:06:56a ..S.R 223,232 218.00 K
C:\WINDOWS\SYSTEM32\galhj.dll Sat Dec 11 2004 9:32:38p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\i460le~1.dll Fri Dec 17 2004 7:46:30a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\ibmpagnt.dll Thu Dec 16 2004 10:52:54a ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\ifq.dll Wed Dec 15 2004 8:31:14p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\ipso32.dll Wed Dec 15 2004 10:52:08a A.SH. 98,816 96.50 K
C:\WINDOWS\SYSTEM32\jumps.dll Thu Nov 18 2004 3:23:02p A.SH. 56,320 55.00 K
C:\WINDOWS\SYSTEM32\kydcz2.dll Wed Dec 15 2004 5:06:36p ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\ltnkinfo.dll Thu Dec 16 2004 10:41:02a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\lvr209~1.dll Fri Dec 17 2004 9:21:44a ..S.R 226,054 220.75 K
C:\WINDOWS\SYSTEM32\m4640e~1.dll Wed Dec 15 2004 11:25:50a ..S.R 224,359 219.10 K
C:\WINDOWS\SYSTEM32\mgrd3x40.dll Thu Dec 16 2004 11:01:00a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\mqrev43.dll Wed Dec 15 2004 7:55:08p ..S.R 224,770 219.50 K
C:\WINDOWS\SYSTEM32\muastmib.dll Fri Dec 17 2004 7:27:58a ..S.R 225,755 220.46 K
C:\WINDOWS\SYSTEM32\n44s0e~1.dll Wed Dec 15 2004 12:29:22p ..S.R 224,639 219.37 K
C:\WINDOWS\SYSTEM32\n4l80e~1.dll Wed Dec 15 2004 11:33:50a ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\nitui0.dll Wed Dec 15 2004 8:20:44p ..S.R 223,895 218.64 K
C:\WINDOWS\SYSTEM32\wynsta.dll Fri Dec 17 2004 9:21:44a ..S.R 225,755 220.46 K
C:\WINDOWS\SYSTEM32\zoxqf.dll Fri Nov 19 2004 11:40:22p A.SH. 56,320 55.00 K
________________________________________________
1,250 items found: 1,250 files (23 H/S), 0 directories.
Total of file sizes: 231,480,091 bytes 220.75 M
Administrator Account = True
--------------------End log---------------------

0

You got the latest VX2 infection :(. Stay offline whilst doing the following fix.

Go offline now.

Open the killbox. Paste in the line; C:\WINDOWS\SYSTEM32\blfks.dll
With the full path to the file name in the topmost textbox, click the option Use Dummy which will create a numbered dummy file instantly for you.

Click the Red X ...and for the confirmation message that will appear, you will need to click Yes
A second message will ask to Reboot now? you will need to click No (since you are not finished adding all related files in yet)

Repeat this process until you reach the last line, when you will close all open programs and reboot your computer.

C:\WINDOWS\SYSTEM32\cgxsv.dll
C:\WINDOWS\SYSTEM32\cqsync.dll
C:\WINDOWS\SYSTEM32\dykquoui.dll
C:\WINDOWS\SYSTEM32\fplo03~1.dll
C:\WINDOWS\SYSTEM32\galhj.dll
C:\WINDOWS\SYSTEM32\i460le~1.dll
C:\WINDOWS\SYSTEM32\ibmpagnt.dll
C:\WINDOWS\SYSTEM32\ifq.dll
C:\WINDOWS\SYSTEM32\ipso32.dll
C:\WINDOWS\SYSTEM32\jumps.dll
C:\WINDOWS\SYSTEM32\kydcz2.dll
C:\WINDOWS\SYSTEM32\ltnkinfo.dll
C:\WINDOWS\SYSTEM32\lvr209~1.dll
C:\WINDOWS\SYSTEM32\m4640e~1.dll
C:\WINDOWS\SYSTEM32\mgrd3x40.dll
C:\WINDOWS\SYSTEM32\mqrev43.dll
C:\WINDOWS\SYSTEM32\muastmib.dll
C:\WINDOWS\SYSTEM32\n44s0e~1.dll
C:\WINDOWS\SYSTEM32\n4l80e~1.dll
C:\WINDOWS\SYSTEM32\nitui0.dll
C:\WINDOWS\SYSTEM32\wynsta.dll
C:\WINDOWS\SYSTEM32\zoxqf.dll

Add this one too; C:\Windows\System32\Guard.tmp

After a Reboot, Use the DllCompare again and create another log.
If all was successful, it should be empty. Post that log here.

0

Crunchie:

Ran the DLLcompare the second time and it still showed the
C:\WINDOWS\SYSTEM32\ibmpagnt.dll
Ran it a third time, showed the above file and one other.
Ran the Kill and the compare again and it came up with the following - which I assume means that I'm fixed, but will wait for your confirmation!

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
1,250 items found: 1,250 files, 0 directories.
Total of file sizes: 227,283,839 bytes 216.75 M
Administrator Account = True
--------------------End log---------------------


Again - my most sincere thanks - and my question still stands - without being able to send something to you/DMR/crapsie directly - how can I best thank you all for everything?:p

0

Crunchie:
Also just realized that I ran the DLLcompare against c:\windows\system32
Should it have been run against c:\windows?
I ran it there and got the following log:

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
C:\WINDOWS\hdguf.dll Sun Dec 12 2004 4:43:30a A.SH. 56,320 55.00 K
C:\WINDOWS\mfcpo.dll Fri Dec 3 2004 9:18:12p A.SH. 99,636 97.30 K
C:\WINDOWS\srove.dll Wed Nov 17 2004 11:57:40p A.SH. 56,320 55.00 K
C:\WINDOWS\trbuy.dll Fri Nov 12 2004 8:02:54p A.SH. 56,320 55.00 K
C:\WINDOWS\ypfjq.dll Tue Dec 14 2004 2:42:40a A.SH. 56,320 55.00 K
________________________________________________
3,494 items found: 3,494 files (5 H/S), 0 directories.
Total of file sizes: 688,863,702 bytes 656.95 M
Administrator Account = True
--------------------End log---------------------

0

:(. Same drill for those files too agavzy. They seem to be more to do with the A:B hijack. Post the dllcompare log when done. Also check for the guard.tmp file and kill it if found.

Open the registry editor and go to:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and export that key to your desktop. Call it notify.reg
Right click on it and then edit. Copy and paste the results here.

0

Crunchie:

Guard.tmp not found, other files run through killbox and deleted (reran DLLCompare on c:\windows with subdirectories and it came up clean)

Attached is result of notify.reg - PLease advise

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\App Paths]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lvr2099oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\guard.tmp"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

0

Guard.tmp is showing up in your registry as being in system32.

Is that all that was there? The valid keys under Notify are: crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, and wlballoon.
Open regedit and export the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify<---- Key.
Go back to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify and delete these subkeys:

App Paths
Syncmgr

Open Killbox and Copy & Paste the path to the Desktop.ini for recycle bin.
ie:

C:\RECYCLER\Desktop.ini

Click Red X to delete it.

Also paste in C:\Windows\System32\Guard.tmp again and click the red X to delete that.

Run VX2Finder and click the *Find to find etc* button. Then hit the *restore policy* button and follow the prompts. Click the *UserAgent$* button and follow the prompts. Exit the program.

Reboot and post a dllcompare log, a VX2Finder log and another hijackthis log please.

0

Crunchie:

the following logs are attached:

DLLCompare:) , VX2:) , notify.reg:) , HijackThis:-|
Seems to be clean with the exception of the HJT which is showing some items I'm not sure of. THe R0 entry (which has not changed the default page), the 01 entries and the last 023 entry.

Have been using a different pc to post these logs so the infected one has not been connected to the net since we late yesterday.

THanks again
agavzy
++++++++++++++++++++++++++++++++++++++++++++++++++++++++

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________
O^E says: "There were no files found :)"
________________________________________________
3,494 items found: 3,494 files, 0 directories.
Total of file sizes: 688,539,066 bytes 656.64 M
Administrator Account = True
--------------------End log---------------------
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Log for VX2.BetterInternet File Finder
Files Found---

Guardian Key--- is called:
Asynchronous 000
DllName
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Shutdown WinShutdown
User Agent String---

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Logfile of HijackThis v1.99.0
Scan saved at 7:53:28 AM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GravitixService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\addjw.exe (file missing)

0

Looks like we got rid of A:B completely whilst getting rid of VX2 :D.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch

O4 - Startup: PowerReg Scheduler V3.exe

O23 - Service: ISEXEng - Unknown - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) Helper - Unknown - C:\WINDOWS\system32\addjw.exe (file missing)

Reboot and post another hijackthis log.

Let me know if you are having problems with your recycle bin. This infection stops you from viewing deleted files in there.

0

Interestingly enough, my Recyclebin had been showing as blank. I just checked, however and items are now appearing, so that's a good thing.

Also - for whatever reason, after running HJT, the system indicated that it needed to be rebooted, first time for that one. Perhaps it was becasue a specific item was deleted? Not sure:surprised
Nevertheless, reran HJT once it came back up and it looks great as far as I can tell!:mrgreen: :cool:

Let me know - and thanks again
agavzy

Logfile of HijackThis v1.99.0
Scan saved at 8:46:25 AM, on 12/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Patchlink\Update Agent\GravitixService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\WINDOWS\system32\TpKmpSVC.exe
C:\WINDOWS\System32\BRMFRSMG.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\System32\RunDll32.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Lotus\Sametime Client\Connect.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\WINDOWS\Temp\WZQKPICK.EXE
C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
C:\Documents and Settings\GavzyA\My Documents\hjt\HijackThis.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [BMMLREF] C:\Program Files\ThinkPad\Utilities\BMMLREF.EXE
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [TPKMAPHELPER] C:\Program Files\ThinkPad\Utilities\TpKmapAp.exe -helper
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Sametime Connect] "C:\Program Files\Lotus\Sametime Client\Connect.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MProcessor] "C:\Program Files\\MProcessor\mprocessor.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Startup: HotSync Manager.lnk = C:\Documents and Settings\GavzyA\My Documents\My Data\Handspring\HOTSYNC.EXE
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\WINDOWS\Temp\WZQKPICK.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: JT's Blocks - http://download.games.yahoo.com/games/clients/y/blt1_x.cab
O16 - DPF: Sametime Meeting Room Client ST31 - http://sbursametime.cognos.com/sametime/stmeetingroomclient/STMeetingRoomClient.cab
O16 - DPF: Toki Toki Boom - http://download.games.yahoo.com/games/clients/y/vtm_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: Yahoo! Reversi - http://download.games.yahoo.com/games/clients/y/rt0_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/games/clients/y/ywt0_x.cab
O16 - DPF: {B24F0664-7DDA-40B6-B38C-A4FD68DE8685} (CentraDownloaderCtl Class) - http://carlson2.centra.com/SiteRoots/CWT/Install/CentraDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\Software\..\Telephony: DomainName = ent.ad.cognos.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ent.ad.cognos.com
O23 - Service: Ati HotKey Poller - Unknown - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVSync Manager - Unknown - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: IBM PM Service - Unknown - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: PatchLink Update - Patchlink Corporation - C:\Program Files\Patchlink\Update Agent\GravitixService.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Check Point SecuRemote Service - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
O23 - Service: Check Point SecuRemote WatchDog - Check Point Software Technologies - C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
O23 - Service: IBM KCU Service - Unknown - C:\WINDOWS\system32\TpKmpSVC.exe

0

Interestingly enough, my Recyclebin had been showing as blank. I just checked, however and items are now appearing, so that's a good thing.

Just looked back a few posts and saw that I had already given you the fix for the recycle bin :). No wonder it works ok now.

0

:mrgreen: Im free! I'm free!!

By the by - you may want to check out www.download.com
They have a spyware section with all kinds of stuff.
I downloaded two of the ad checkers and they found things that AdAware did not.

WOuld have posted this as a notice on the board, but I'm afraid I don't have those capabilities

THanks again!

0

Just be wary of some of those tools. Some of them actually place the trash on your PC.

Thanks also to DMR and Caperjack for starting the repairs :).

You're welcome :). Marking this as solved. Anyone else with the same problem, please start your own thread. Thank you.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.