dlh6213 27 Posting Maven Team Colleague

Move HijackThis from the Temporary folder it is in now, into its own permanent folder (something like C:\Program Files\Hijackthis\Hijackthis.exe or C:\HJT\hijackthis.exe).

Then, close any open browser windows, Scan and Save Log with HijackThis, copy and paste the new log here in this thread.

dlh6213 27 Posting Maven Team Colleague

Did this problem start after you went online with the 'new' computer?

If so, this may help explain what might have happened:
http://www.daniweb.com/techtalkforums/thread16365.html

Try using System Restore to set your system back to a point before you started having trouble.

dlh6213 27 Posting Maven Team Colleague

Hi Andrew, welcome to DaniWeb :D

Sorry for the delay in responding to this :(

Please review this thread to get the latest version of HijackThis, and put it into its own permanent folder. Then, post a new log please.

dlh6213 27 Posting Maven Team Colleague

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in this thread.

Please post another hijackthis log as well.

dlh6213 27 Posting Maven Team Colleague

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).


Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {16BD821E-5751-423E-4850-6CC5D07FECD8} - C:\WINDOWS\winds32.dll
O4 - HKLM\..\Run: [crov32.exe] C:\WINDOWS\system32\crov32.exe

Close any open windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\winds32.dll
C:\WINDOWS\system32\jsass.dll
C:\WINDOWS\system32\crov32.exe

Note: If any cannot be deleted, try booting into Safe Mode first.

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log please.
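
As an added illustration (not part of the original post, and not HijackThis's own code), the following Python parses log lines in the format quoted above, lists the files they reference, and marks entries that merit a closer look. The sample lines are copied from entries quoted on this page; the function names and the three review hints are assumptions chosen for this example.

```python
import re

# Sample input: lines copied from HijackThis entries quoted on this page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\jsass.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {16BD821E-5751-423E-4850-6CC5D07FECD8} - C:\WINDOWS\winds32.dll
O4 - HKLM\..\Run: [crov32.exe] C:\WINDOWS\system32\crov32.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
"""

# Meaning of the section codes that appear in the entries on this page.
CATEGORIES = {
    "R": "IE start/search page setting",
    "F": "autostart via INI file or its registry mapping",
    "O2": "Browser Helper Object",
    "O3": "IE toolbar",
    "O4": "autostart (Run key or Startup folder)",
    "O9": "extra IE button or menu item",
    "O15": "site in the Trusted Zone",
    "O16": "ActiveX object (Downloaded Program Files)",
    "O17": "DNS domain / name server setting",
    "O23": "Windows service",
}

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2}) - (.+)$")
# Drive-letter path ending in .exe or .dll; also matches inside a res:// URL.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"*?<>|/\r\n]*?\.(?:exe|dll)\b", re.IGNORECASE)


def parse_entry(line):
    """Split one log line into code, category and remaining text."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header lines, running-process lines, blanks
    code, text = m.groups()
    key = code if code in CATEGORIES else code[0]
    return {"code": code, "category": CATEGORIES.get(key, "other"), "text": text}


def review_hints(entry):
    """Return reasons to look closer at an entry. Hints, not verdicts."""
    hints = []
    text = entry["text"]
    if entry["code"] in ("R0", "R1") and "res://" in text.lower():
        hints.append("page setting loads from a resource inside a local DLL")
    if entry["code"] == "O17" and "NameServer" in text:
        hints.append("name server set in registry; compare with the expected resolver")
    if "(file missing)" in text or "(no file)" in text:
        hints.append("entry references a file that is not on disk")
    return hints


def triage(lines):
    """List (code, category, hints) for every entry that has at least one hint."""
    flagged = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        hints = review_hints(entry)
        if hints:
            flagged.append((entry["code"], entry["category"], hints))
    return flagged


def referenced_files(lines):
    """Unique .exe/.dll paths named by the entries, in first-seen order."""
    seen = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        for path in PATH_RE.findall(entry["text"]):
            seen.setdefault(path.lower(), path)  # Windows paths: case-insensitive
    return list(seen.values())


if __name__ == "__main__":
    sample = SAMPLE_LOG.strip().splitlines()
    for code, category, hints in triage(sample):
        print(f"{code:4} {category}: {'; '.join(hints)}")
    print("Files to inspect:")
    for path in referenced_files(sample):
        print("  " + path)
```

For the sample lines, the extracted file list is the same three files the post above asks to be deleted.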

dlh6213 27 Posting Maven Team Colleague

Download, install, update, and run the PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Scan with hijackthis and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [Explorer] C:\WINDOWS\System32\shellexpi.exe en
O4 - HKCU\..\Run: [Jmvqmnlc] C:\WINDOWS\System32\??plorer.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{825D152C-2F32-46E5-86E0-0CF77C48CBA2}: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{90B7A41F-8E9A-4D1D-BAA1-5FBAE09427C2}: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\Tcpip\..\{9C840AE1-AAB3-4325-844F-68BB7397719C}: NameServer = 69.57.146.14
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CS2\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS2\Services\VxD\MSTCP: NameServer = 69.57.146.14
O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 69.57.146.14
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ipbc.exe" /s (file missing)

Close any open windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files (if present):

C:\WINDOWS\System32\shellexpi.exe
C:\WINDOWS\System32\??plorer.exe
C:\WINDOWS\ipbc.exe

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I've fixed it, thanks to Microsoft anti-spyware beta 1.

Hey, it's been awhile :)

Glad you got it cleaned up and thanks for letting us know!

dlh6213 27 Posting Maven Team Colleague

Hi,

I have this same adware or malware whatever it is. I would like to know if Norton Anti-virus 2004, 2005 or McAfee latest version can clean it.

Pls help.

Thanks
Anu

Hi Anu, welcome to DaniWeb :D

Please start your own, new thread and describe your problem there.

Also, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in your new thread.

Thanks :)

dlh6213 27 Posting Maven Team Colleague

Hi allisonmaria, welcome to DaniWeb :D

Please review this thread and then post a new HijackThis log:
http://www.daniweb.com/techtalkforums/thread24085.html

Thanks :)

dlh6213 27 Posting Maven Team Colleague

I spent too much $ on Norton, I will probably switch once this subscription is up. Deleting every trace then reinstalling did the trick.

That's what I did, cleaned everything out when it was time to renew my subscription.

Glad you got the problem resolved :)

dlh6213 27 Posting Maven Team Colleague

Hi stemp65, welcome to DaniWeb :D

Please review the following thread, and then post a new HijackThis log:
http://www.daniweb.com/techtalkforums/thread24085.html

Thanks :)

dlh6213 27 Posting Maven Team Colleague

Nothing can catch everything, but SpywareGuard is one recommended program; a link to it can be found in this thread (along with other helpful advice and tools):

http://www.daniweb.com/techtalkforums/thread5690.html

dlh6213 27 Posting Maven Team Colleague

Hi Tammy, welcome to DaniWeb :D

Go to Add/Remove Programs in your Control Panel and remove (if present):

WeatherBug
Ebates

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your antivirus program and run a full system scan.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). …

dlh6213 27 Posting Maven Team Colleague

Hi c21werner, welcome to DaniWeb :D

Start with this --

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your antivirus program and run a full system scan.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Note …

dlh6213 27 Posting Maven Team Colleague

According to Staples (http://www3.staples.com/spotlights/000000/virus.htm), you must first remove all previously installed antivirus software, and any active firewall needs to be disarmed; have you done this?

Personally I think the program is unnecessary because there are enough free programs available to do what this claims to do, but since you've already purchased it, you may as well use it (if you can).

dlh6213 27 Posting Maven Team Colleague

Most likely the teen is using the net for research (just researching some stuff he shouldn't be in the midst of what he should be).

I think giving him his own computer, if connected to the net, will just encourage the behavior, though it would keep the offensive material away from the rest of the family.

You may find some helpful articles here:
http://www.pcuser.com.au/pcuser/hs2.nsf/($SearchView)?Searchview&Query=child&SearchOrder=2&count=10&SearchMax=0&SearchFuzzy=0&SearchWV=0&Start=1

dlh6213 27 Posting Maven Team Colleague

Turn off System Restore.

Go to Add/Remove Programs in your Control Panel and remove (if present):

Oemji
WeatherBug

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take a while for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Download, install, update, and run PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Scan with hijackthis and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O3 - Toolbar: …

dlh6213 27 Posting Maven Team Colleague

Go here and try the recommendations and removal instructions:
http://securityresponse.symantec.com/avcenter/venc/data/w32.sowsat.c@mm.html

Then post a new HJT log and let us know if it helped any.

dlh6213 27 Posting Maven Team Colleague

Go to C:\WINDOWS\Driver Cache\i386 and delete GainPlugin.dll.

If you can't delete it while in normal mode, try it from Safe Mode.

dlh6213 27 Posting Maven Team Colleague

It works fine for now, if I have any more problems I will have the guy upgrade the PC and reformat the drives.

You can do this yourself :)
http://www.daniweb.com/techtalkforums/thread6632.html

dlh6213 27 Posting Maven Team Colleague

Is it OK to search the registry for Norton and delete everything Norton related if the program is uninstalled?

I actually did this myself a couple of weeks ago, and so far, no problems. I suggest you backup the registry before doing so though, just in case.

Since you're uninstalling Norton, are you sure you want to reinstall it? There are better alternatives...

dlh6213 27 Posting Maven Team Colleague

I recently started using Mozilla Firefox but I don't know where the "Temp" folder of Mozilla is and whether it is accessible just like IE or not.

Go to Tools, Options, click on Privacy (padlock icon on the left), and there you have it -- and there's even a button to Clear All!

Another question: is there any difference between Mozilla and Mozilla Firefox?

Yes there is, but they can probably explain it better than I can :)
http://www.mozilla.org/products/choosing-products.html

dlh6213 27 Posting Maven Team Colleague

Congratulations Danielle, seems you've helped yourself :)

dlh6213 27 Posting Maven Team Colleague

Download, install, update, and run the PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {54C421A4-9F62-F88E-18C2-94BC6D78E3BA} - C:\WINDOWS\system32\xnlbokz.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no …

dlh6213 27 Posting Maven Team Colleague

Hi Chendrum, glad you finally decided to join :D

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run HSRemove -- http://www.majorgeeks.com/download4286.html

Reboot, close any open browser windows, scan with HJT, and post a new log along with the log from the last Ewido scan.

dlh6213 27 Posting Maven Team Colleague

Several instances of svchost.exe running is normal and nothing to worry about.

Try the removal instructions here:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.bla.trojan.html

Let us know how it goes.

dlh6213 27 Posting Maven Team Colleague

Hi quicksilvr, welcome to DaniWeb :D

I've split your post into its own thread (per forum rules -- http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules)

Please review this thread and then post a new log:
http://www.daniweb.com/techtalkforums/thread24085.html

dlh6213 27 Posting Maven Team Colleague

Have you tried the Norton solution from my prior post yet?

512MB should be plenty of RAM.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Be sure to close any open windows, other than hijackthis, before hitting Fix checked.

dlh6213 27 Posting Maven Team Colleague

Go to Start, Run, and type in regedit; click OK and the Registry Editor will open.

At the top of the Registry window, click on File, and then click Export... An Export Registry File window will open; choose a location to save the backup to (like My Documents), and give it a name (like Panda Removal), and then click the Save button.

You now have a backup of your registry in case anything goes wrong :)

dlh6213 27 Posting Maven Team Colleague

Hi Jennifer, welcome to DaniWeb :D

To answer your question "Does everything that show on the log indicate something "wrong"?" The answer is NO! Just about everything shown in a HijackThis log is important to proper operation of your computer.

CCAPP.EXE is a part of Norton, and you can find a possible solution here:
http://service1.symantec.com/SUPPORT/nav.nsf/5faa3ca6df6f549888256edd0061c0a4/10c2fdd9a6f5d98288256d75006b7b86?OpenDocument&src=bar_sch_nam

But I think it's probably a lack of RAM in your computer; Norton is a resource hog, and your description of your Add/Remove Programs problem indicates insufficient RAM. Can you tell us how much RAM you have in your system?

I see a few (minor) things in your log that could be fixed, but could you first post a new one please? That one didn't come out right for some reason and is a bit hard to read... And will be hard to reply to.

dlh6213 27 Posting Maven Team Colleague

Before reinstalling, try an in-place upgrade (aka repair installation); instructions can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

IE fragmented?? :confused:

dlh6213 27 Posting Maven Team Colleague

From Panda:

Dear Customer

In order to uninstall the Panda Antivirus Titanium program manually proceed as follows, deleting the entries in the Registry and files detailed below. However, if at any time the entries or files cannot be found, continue with the uninstallation process, as depending on the version installed the files or entries may or may not exist.

Follow the steps below:

First attempt to remove Panda from Control Panel, Add remove programs. Once this is done, make sure that there are no Panda Services running in the Services section in Control panel. Ensure they are stopped and set to disabled.

Open the Registry from Start, Run, write REGEDIT, and click on OK. Highlight 'My Computer' at the top of the list, then go to 'Edit' and 'Find'. Type 'panda' into the box and then click on 'Find Next'. This will search the Registry for panda files. When it brings up a folder or file, press 'delete' or right-click on the highlighted file/folder and select 'delete' from the menu to remove it. Then press 'F3' to search again and find the next Panda entry.

Continue to search and delete Panda entries in the Registry until no more entries are found. Then repeat this process, this time searching for 'pav'. When both searches are complete, close the Registry and restart the computer.

Once this operation has been carried out, using Windows Explorer delete the Panda Software folder that is below C:\Program files. You …

dlh6213 27 Posting Maven Team Colleague

Hi HurlaBurrito, welcome to DaniWeb :D

Go to Windows Update and get SP1a for XP

Scan with hijackthis and have it fix the following entries:

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\kodhu.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/min...ransporter.cab?
O17 - HKLM\System\CCS\Services\Tcpip\..\{016EBAE4-1B81-4249-BDB3-1A8A7867735F}: NameServer = 69.50.184.84 195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{BCD6FDD1-6654-4D05-BCEF-9B0B880178FF}: NameServer = 69.50.184.84,195.225.176.37

Be sure all windows are closed, other than hijackthis, before hitting Fix checked.

Get the latest version of HijackThis (1.99.1), close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Looks like it's going to be stubborn :(

Try this... (Do not reboot until instructed to do so).

Download CWShredder 2.14 from here:
http://www.intermute.com/products/cwshredder.html
Run it and press the Fix, not scan, and allow it to clean the infection

Physically disconnect your Internet/network cable from your computer.

Run HSRemove, and about:Buster consecutively; have them fix whatever they find.

Run CWShredder and press Fix (not scan).

Reboot into Safe Mode.

Run HSRemove, CWShredder, and about:Buster (yes, again).

Run HijackThis again and have it fix the following entries (don't worry if the actual filenames in the entries have changed):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bdulc.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O23 - Service: Workstation NetLogon Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winln.exe (file missing)

Be sure your system is set to Show hidden files and folders.

Go to the following locations and delete the highlighted files (if the filenames have changed, delete whatever filename(s) now appear in the R1 & R0 entries of your log):

C:\WINDOWS\system32\bdulc.dll

Go to each of these files, right-click, go to Properties, and give …

dlh6213 27 Posting Maven Team Colleague

I did a file by file check on Norton it looks like the file is in C:\WINDOWS\Driver Cache\i386

Are you saying the GainPlugin.dll file is in C:\WINDOWS\Driver Cache\i386? That's not what was indicated in post #9 so I'm a bit confused.

dlh6213 27 Posting Maven Team Colleague

Glad to hear it :)

You're welcome.

dlh6213 27 Posting Maven Team Colleague

I don't see anything else in your log; if you're still having a problem, can you please give us as much info on it as possible?

dlh6213 27 Posting Maven Team Colleague

Scan with hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [imvfk] C:\WINDOWS\System32\imvfk.exe
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab

Be sure all windows are closed, other than hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\System32 and delete imvfk.exe
(If you can't delete it, try booting into Safe Mode)

Reboot (normally), close any open browser windows, scan with hijackthis, and post a new log; let us know if you're still having trouble. If you are, please give us specific details about the problem(s).

dlh6213 27 Posting Maven Team Colleague

Hi rkerner, welcome to DaniWeb :D

Please review this thread, and then post a new log:
http://www.daniweb.com/techtalkforums/thread24085.html

Thanks.

dlh6213 27 Posting Maven Team Colleague

Hi lazyfly21, welcome to DaniWeb :D

Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

dlh6213 27 Posting Maven Team Colleague

Hi psulions, welcome to DaniWeb :D

Boot into Safe Mode and do a search for that file; you'll probably find it in two locations -- the Prefetch folder and a Temp folder. Delete any instances found.

If you would like us to help you clean up anything else that may be on your system, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in this thread.

dlh6213 27 Posting Maven Team Colleague

Glad to hear everything's working properly now :)

Just one more thing you should do; go to C:\Program Files and delete the WebSearch folder.

Happy computing!

dlh6213 27 Posting Maven Team Colleague

Hi rex, welcome to DaniWeb :D

Please review this thread, and then post a new log please:
http://www.daniweb.com/techtalkforums/thread24085.html

Thanks.

dlh6213 27 Posting Maven Team Colleague

You're welcome :D

dlh6213 27 Posting Maven Team Colleague

Hi gg, welcome to DaniWeb :D

Go to Add/Remove Programs in your Control Panel and remove (if present):

Viewpoint Manager (or Viewpoint)

Right-click in an open area of your desktop and select New, and then Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Scan with hijackthis and have it fix the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0B478A5F-80D3-2FF6-AF0E-5653B825ADD2} - C:\WINDOWS\system32\ipks32.dll
O4 - HKLM\..\Run: [sysxh.exe] C:\WINDOWS\sysxh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlnc32.exe

Be sure to close any open windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\sysxh.exe
C:\WINDOWS\system32\ipks32.dll
C:\WINDOWS\system32\atlnc32.exe

C:\Program Files\Viewpoint

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with hijackthis, and post a new log please. And let us know if you're still having problems.

dlh6213 27 Posting Maven Team Colleague

You can remove Newdotnet either from Add/Remove Programs, or by going to http://www.newdotnet.com/#remove and scrolling down to the Uninstall tool.

Go to Windows Update and get SP2 for XP and IE ASAP.

See this thread for more advice on keeping your computer clean:
http://www.daniweb.com/techtalkforums/thread16365.html

dlh6213 27 Posting Maven Team Colleague

Hi chuckles225, welcome to DaniWeb :D

Please review this thread and then post a new log:
http://www.daniweb.com/techtalkforums/thread24085.html

Thanks.

dlh6213 27 Posting Maven Team Colleague

Glad to hear everything is turning out well :)

Before you go online with your new computer, have a look at this thread:
http://www.daniweb.com/techtalkforums/thread16365.html

dlh6213 27 Posting Maven Team Colleague

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Reboot normally, delete any unwanted icons from your desktop, and empty your Recycle Bin.

Scan with hijackthis, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesearches.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesearches.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
F2 - REG:system.ini: Shell=Explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hpC3EB.tmp
O16 - DPF: …

dlh6213 27 Posting Maven Team Colleague

If you're going to go to XP, why not just format and start fresh?