dlh6213 27 Posting Maven Team Colleague

Hi midnightgirl, welcome to DaniWeb :D

You need to go to Windows Update and get SP1a for both XP and IE.

Go to Add/Remove Programs in your Control Panel and remove (if found):

tsa (or tsl)
fziq (or fziqm)
sf

Scan with HijackThis and have it fix the following entries:

O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [c4b9988b9ba3] C:\WINDOWS\System32\cc3260mt.exe
O4 - HKLM\..\Run: [Tsl] C:\PROGRA~1\COMMON~1\tsa\tsl.exe
O4 - HKLM\..\Run: [o78j3tP] gdipact.exe
O4 - HKCU\..\Run: [aclvbv] C:\WINDOWS\System32\aclvbv.exe
O4 - HKCU\..\Run: [ZwrtRjj6h] fecxsdk.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [sfita] C:\WINDOWS\sfita.exe
O4 - HKCU\..\Run: [fziq] C:\PROGRA~1\COMMON~1\fziq\fziqm.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1111255977349
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...494/mcfscan.cab

Close any open windows, other than HijackThis, before hitting Fix checked.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\cc3260mt.exe
C:\WINDOWS\System32\aclvbv.exe
C:\WINDOWS\sfita.exe

And this folder:

C:\Program Files\sf

Do a search for the following files and folders, and delete any instances found:

fziq (folder)
tsa (folder)
AUNPS2.DLL (file)
gdipact.exe (file)
fecxsdk.exe (file)

Note: if any …

dlh6213 27 Posting Maven Team Colleague

Just wanted to check in and see if there were any suggestions as to how to fix this problem. I think progress got cut off when the other two posted on this thread. Thanks.

Apparently it did; thanks for getting us back on track :)

Download, install, update, and run these tools:

HSRemove -- http://www.majorgeeks.com/download4286.html
about:Buster -- http://www.majorgeeks.com/download4289.html

Go to Add/Remove Programs in your Control Panel and remove (if found):

Home Search Assistant
InstaFinder
qmok

(or something similar, if you're not sure, ask us first)

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\macpi.dll/sp.html#93256
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {17FC5AF7-0C0F-B62B-EE7D-6FB2FEABA69B} - C:\WINDOWS\system32\appqi32.dll
O4 - HKLM\..\Run: [Windows Service] C:\WINDOWS\System32\prvdi.exe
O4 - HKLM\..\Run: [InstaFinderK] C:\Program Files\INSTAFINK\InstaFinderK_inst.exe
O4 - HKLM\..\Run: [d3em32.exe] C:\WINDOWS\system32\d3em32.exe
O4 - HKLM\..\Run: [crox32.exe] C:\WINDOWS\crox32.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 …

dlh6213 27 Posting Maven Team Colleague

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [pwjjck] c:\windows\system32\jmpvui.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -

Remember to close all windows before hitting Fix checked.

Make sure your system is set to Show hidden files and folders.

Go to the following locations and delete the highlighted files:

C:\WINDOWS\systb.dll
C:\windows\system32\jmpvui.exe

Reboot, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi angelus88, welcome to DaniWeb :D

I've split your post into a new thread to prevent confusion with the other one.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?; click Yes to reboot (normal reboot, not Safe Mode). Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll

Delete any unwanted icons from your desktop (icons you didn't put there).

Empty your Recycle Bin.

Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread. (See this thread before posting the log -- http://www.daniweb.com/techtalkforums/thread24085.html)

dlh6213 27 Posting Maven Team Colleague

Those files are usually found in the C:\Windows\System32 folder, but one user reported finding one of the files in a "C:\!Submit" folder, so you may want to see if you have one of those too. As I said before, those files are just a hunch; the symptoms you described seem similar to other infections going around recently.

Have you tried using System Restore to return to a point prior to when you lost your search function?

If that doesn't work, try an in-place upgrade (aka repair installation); instructions can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

You should also go to Windows Update and get SP1 for XP.

dlh6213 27 Posting Maven Team Colleague

Hi aslee, welcome to DaniWeb :D

This first part is kind of a guess, so you may not find any of the files listed.

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?; click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Delete any icons from your desktop that you didn't put there, and empty your Recycle Bin.

Scan with hijackthis, and have it fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related …

dlh6213 27 Posting Maven Team Colleague

Hi GahlHateMyComp, welcome to DaniWeb :D

First of all, run a couple of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


Download, install, update, and run these three tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi Angoisette, welcome to DaniWeb :D

I don't see any signs of My Way in your log, so do this; go to Add/Remove Programs in your Control Panel and remove any of the following found, and then let us know which one(s) in your next post:

MyWay
MySearch
MyBar
MySearchBar

(Or anything similar)

Scan with hijackthis and have it fix the following entries:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {5DFA69DD-9627-184B-9E20-AF90B8476199} - C:\WINDOWS\system32\d3mj.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/tec...sa/LSSupCtl.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/d428788f/enter.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...sa/SymAData.cab

Close any open windows, other than hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\system32 and delete d3mj.dll

Reboot, close any open browser windows, scan with hijackthis, post a new log, and let us know what you found regarding My Way...

dlh6213 27 Posting Maven Team Colleague

Hi Latinflo, welcome to DaniWeb :D

Download VX2Finder from here:
http://www.downloads.subratam.org/VX2Finder.exe

Open the program and click the Click to Find VX2.aBetterInternet button. This will attempt to find all VX2 related files and registry keys and when present display them in its logfile. To create a logfile, click the button named Make Log. This will open the logfile using Notepad. Post the results in your next reply.

Download these two tools:

Dllcompare -- http://www.downloads.subratam.org/DllCompare.exe

KillBox -- http://www.downloads.subratam.org/KillBox.exe

Run Dllcompare, by clicking the Run Locate.com then click the Compare button. When done, post that log here along with the VX2Finder log -- do not reboot because all the filenames will change if you do.

dlh6213 27 Posting Maven Team Colleague

Hope everything is working properly for you now :)

Don't forget to get the Windows Updates!

dlh6213 27 Posting Maven Team Colleague

Hi Dave, welcome to DaniWeb :D

To help us see what you have going on, get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

And check this thread before you post the log:
http://www.daniweb.com/techtalkforums/thread24085.html

dlh6213 27 Posting Maven Team Colleague

I guess I forgot to mention I did that too (haven't actually deleted anything yet, just went to the locations). It gives instructions for removing things within the folders, but I was wondering why I can't just delete the entire folders?

dlh6213 27 Posting Maven Team Colleague

Hi Flinn$ter, welcome to DaniWeb :D

Please see this thread before we continue:
http://www.daniweb.com/techtalkforums/thread24085.html

After you've moved hijackthis please post a new log. :)

dlh6213 27 Posting Maven Team Colleague

...One more thing... Please close any open browser windows when scanning with HijackThis :)

Link to self-extracting version of HijackThis (line 2):
http://www.malwareremoval.com/downloads.html

dlh6213 27 Posting Maven Team Colleague

Hi Sakeeta65, welcome to DaniWeb :D

Please see this thread before we continue:
http://www.daniweb.com/techtalkforums/thread24085.html

After you've moved hijackthis please post a new log. :)

dlh6213 27 Posting Maven Team Colleague

I just removed SystemWorks 2004; prior to that I had 2002 and I know there are still some remnants of that as well as the 2004.

OS is XP Home, if it matters.

dlh6213 27 Posting Maven Team Colleague

Your log looks okay to me, glad to hear things are back to normal :)

Enjoy yourself at the forum!

dlh6213 27 Posting Maven Team Colleague

That was fast :)

Just need to do one more thing: right-click on your desktop and select New, Folder; give the new folder a name, like HJT or HijackThis, and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Close the program (don't scan yet)

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (when you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do).
(Note: you will be posting the log from this scan when back in normal mode).

Reboot normally

Go to Add/Remove Programs …

dlh6213 27 Posting Maven Team Colleague

Hi Quitahd, welcome to DaniWeb :D

Your English is pretty good :)

First thing to do is right-click on your desktop, and select New, Folder. Give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Now, scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adblaster2.info/ace100.htm
R3 - Default URLSearchHook is missing

Close any open windows, other than hijackthis, before hitting Fix checked.

That is the only thing I see in your log. Reboot, close any open browser windows, scan with hijackthis, and post a new log.

Is there an error code with the message on the blue screen? Can you tell us exactly what the message says?

dlh6213 27 Posting Maven Team Colleague

Hi Rebecca51, welcome to DaniWeb :D

Go to Add/Remove Programs in your Control Panel and remove any of the following found:

MyWay
MySearch
MyBar
MySearchBar

(Or anything similar)
Toolbar
WinTools

None of that will help with Aurora, but it needs to be done.

Before fixing anything with hijackthis, you need to move it out of the Temp folder it is in now to its own permanent folder, like c:\HJT\hijackthis.exe (or a folder on your desktop will work too).

After you've moved hijackthis, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I'm trying to completely remove Norton SystemWorks from my computer (without reformatting).

I've already used Add/Remove Programs to uninstall it.

I ran the SYMClean utility (because I've had older versions of Norton on this computer), but it said there was nothing to remove.

I ran the SymNRT utility, and it ran for a few minutes then said it was finished -- it didn't say whether it removed anything or not, but to reboot to complete the removal.

Now when I go to regedit, I not only have a Symantec folder, I have a SymNRT folder as well.

Will it hurt anything to just delete the HKEY_LOCAL_MACHINE\Software\Symantec and HKEY_LOCAL_MACHINE\Software\SymNRT folders completely?

If I do searches for Norton and Symantec, can I just delete anything I find or can that cause problems? I've already backed up my registry (before uninstalling Norton, and then again afterwards).

dlh6213 27 Posting Maven Team Colleague

Hi CanaanJohnMarsh, welcome to DaniWeb :D

Before fixing anything with HijackThis, you need to move it out of the Temp folder it is in now to a permanent folder of its own, like c:\HJT\hijackthis.exe (or a folder on your desktop would be fine).

After you've moved it, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I can't answer all your questions, but I'll tell you what I can :)

plz refer to following thread........( i wonder why such threads are closed????)

Threads such as that one are closed because they are of an informative nature and not intended for asking questions or posting replies.

can u plz say why u think that for people on broadband it is "must" and for dial up its "highly advisable" as i am almost about to get broadband connection in a week?????

There are a couple of reasons for this (that I know of, maybe more). For one, you are always connected to the internet with broadband, even if your browser is closed, unlike dial-up where you're only connected when you actually dial up your ISP and connect. Also, with broadband, you have a static IP address, whereas with dial-up, your IP address will be different every time you log on. Having the same IP address, and being always connected, makes it easier for crackers (http://www.daniweb.com/techtalkforums/thread16365.html) to attack your system.

what is immunise function and what it does?????

I believe Spybot's Immunize feature will protect your system from certain known spyware intruders. I don't know how it works though.

CAN anyone say why people use HIJACKTHIS program????? (should i use it also???)

HijackThis is used to help find, and fix, certain problems; you shouldn't need it unless a problem arises. Since it is updated so often, and you should always use the latest version, it's best …

dlh6213 27 Posting Maven Team Colleague

Your log looks okay to me, but I'm afraid I can't help with that registry scan. Hopefully someone else here can :)

dlh6213 27 Posting Maven Team Colleague

Well, if it were me, I'd just remove that LKAI64CD, but I'll leave that up to you. The fact that there is no manufacturer's name is not a good sign. You could go to LKAI64CD.dll, right-click on it, and open it with notepad (or Wordpad) and see if there is anything helpful there.

If you wish to remove it, first go to Add/Remove Programs and, if it is there, remove it. Then have hijackthis fix these entries:

O2 - BHO: (no name) - {1E939C88-1797-444D-9E7D-9FE566C5679D} - C:\PROGRAM FILES\LKAI64CD\LKAI64CD.dll
O4 - HKLM\..\Run: [LKAI64CD] C:\PROGRAM FILES\LKAI64CD\LKAI64CD.EXE

And, finally, go to C:\PROGRAM FILES and delete the LKAI64CD folder.

You mentioned that you found param32.dll in a folder called C:\!Submit; that doesn't sound like a legit folder, what else is in there? That entire folder may need to be deleted.

Other than that, your log looks good to me. As soon as possible you need to go to Windows Update and get all the Critical Updates for your system.

What problems are you still having, if any?

dlh6213 27 Posting Maven Team Colleague

Hi maizzie, welcome to DaniWeb :D

Start with this --

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =

dlh6213 27 Posting Maven Team Colleague

Hey, it looks like we're off to a good start :)

Scan with hijackthis and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0058/
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Reboot, close any open browser windows, scan with HJT, post a new log, and let us know if you're still having problems. If so, please explain what the problem is.

dlh6213 27 Posting Maven Team Colleague

Hi Wagas, welcome to DaniWeb :D

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?; click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Let your system reboot normally.

Delete any unwanted icons from your desktop and then empty your Recycle Bin.

Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove SpamBlockerUtility.

Scan with hijackthis and have it fix the following entries:

O2 - BHO: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL
O3 - Toolbar: SpamBlockerUtility - {74CC49F7-EB32-4A08-B204-948962A6E3DB} - C:\PROGRAM FILES\SPAMBLOCKERUTILITY\BIN\4.6.1.0\SBHOSTIE.DLL
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [Spam Blocker for Outlook Express] C:\PROGRA~1\SPAMBL~1\BIN\461~1.0\SBInst.exe
O4 - HKLM\..\Run: [cdiyoots] C:\WINDOWS\SYSTEM\cfunvhmm.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility....ckerutility.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Remember to close all windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folders:

C:\PROGRAM FILES\SPAMBLOCKERUTILITY
C:\WINDOWS\SYSTEM\cfunvhmm.exe

Reboot, close any open browser windows, scan with hijackthis, and post a new log please -- and let us know if it's gone.

dlh6213 27 Posting Maven Team Colleague

Scan with hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [msyn.exe] C:\WINDOWS\system32\msyn.exe
O4 - HKCU\..\Run: [autodisc] C:\WINDOWS\System32\autodisc.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.co...t/c381/chat.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/gam...nts/y/tt3_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/gam...nts/y/pt3_x.cab
O16 - DPF: Yahoo! Spades - http://download.games.yahoo.com/gam...nts/y/st2_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaudio.com/download/ccpm_0237.cab
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) - http://www.20x2p.com/9f9d000f/enter.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.inf...iTunesSetup.exe
O16 - DPF: {525A15D0-4938-11D4-94C7-0050DA20189B} - http://www.ea.com/downloads/games/c...py/iesnoopy.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1108037454841
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) …

dlh6213 27 Posting Maven Team Colleague

Did you have any of the files I had listed in my first post (post #3)? If so, were you able to delete them?

The next time you post a hijackthis log, please post the entire log.

Go to Add/Remove Programs in your Control Panel and remove (if found):

Viewpoint (or Viewpoint Manager)

Scan with hijackthis and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0058/
O2 - BHO: (no name) - {08351225-6472-43BD-8A40-D9221FF1C4CE} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

Be sure all windows are closed, other than hijackthis, before hitting Fix checked.

Go to the following location and delete the highlighted folder:

C:\Program Files\Viewpoint

Do you know what LKAI64CD is? It's in your Program Files; if you don't, could you go to the properties of it and give us whatever info you can on it?

Reboot, close any open browser windows, scan with HJT, and post the entire log please.

dlh6213 27 Posting Maven Team Colleague

Hi MandyC, welcome to DaniWeb :D

Start with this --

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan later when back in normal mode).

Reboot normally

Go to Add/Remove Programs in your Control Panel and remove (if found):

MyWebSearch
My Search
SearchAssistant

Move HijackThis into its own folder by right-clicking in an empty area of your desktop, select …

dlh6213 27 Posting Maven Team Colleague

Hi italianpest, welcome to DaniWeb :D

Start with this --

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do.

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode

Double-click on the Nailfix.bat on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (you will be posting the log from this scan later when back in normal mode).

Reboot normally

Go to Add/Remove Programs in your Control Panel and remove (if found):

PartyPoker

Scan with hijackthis and have it fix the following entries:

F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [aiepk] C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\43FZQOHT\aiepk2[1].exe
O4 - …

dlh6213 27 Posting Maven Team Colleague

Hi WildFire1617, welcome to DaniWeb :D

Before fixing anything with hijackthis, can you please move it to a permanent folder? Something like c:\HJT\hijackthis.exe (or a folder on your desktop would be fine).

After you've moved it, close any open browser windows, scan with Hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi Stereovisionary, welcome to DaniWeb :D

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode

Double-click on the Nailfix.bat on your desktop; your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Run a full system scan with Ewido (you will be posting the log from the scan later when back in normal mode).

Reboot normally

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKCU\..\Run: [vcdex] C:\WINNT\System32\vcdex.exe
O16 - DPF: {01112B00-3E00-11D2-8470-0060089874ED} (Support.com RemoteControl Class) - http://www.comcastsupport.com/sdcco...wnload/tgrc.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdcco...oad/tgctlcm.cab
O16 - DPF: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} (Microsoft VM) …

dlh6213 27 Posting Maven Team Colleague

Hi anarchymedes, welcome to DaniWeb :D

The first thing you should do is go to Windows Update and get SP1a for both XP and IE (hold off on SP2, at least until your system gets cleaned up).

You should also put hijackthis into its own folder. To do this, right-click in an open area of your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Go to Add/Remove Programs in your Control Panel and remove (if found):

Viewpoint (or Viewpoint Manager)
PartyPoker

After you've moved hijackthis, close any open browser windows, scan with it, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi bgot22, welcome to DaniWeb :D

I don't have time at the moment to go through your log in detail, but follow the suggestions in this thread, as they apply, and post a new HijackThis log.

http://www.daniweb.com/techtalkforums/thread23845-search+extender+shopping+wizard.html

dlh6213 27 Posting Maven Team Colleague

This could be caused by a firewall setting, but since you mentioned Huntbar, you should check here first and see if there's anything that may help:
http://sarc.com/avcenter/venc/data/adware.huntbar.html

If you're using the XP firewall, check these links:
http://support.microsoft.com/default.aspx?kbid=842242
http://support.microsoft.com/default.aspx?kbid=875357

You can also try IEFix:
http://windowsxp.mvps.org/utils/IEFix.zip

And finally, you can try an alternative browser, such as Firefox, and see if the problem still exists; that will at least determine if the problem is with IE or elsewhere. Besides that, your system will be safer using some browser other than IE :)

As far as your hijackthis log goes, I only see one thing that should be fixed:
R3 - Default URLSearchHook is missing

And, if you didn't set any of the O15 entries in your Trusted Zone yourself, you should have it fix those as well.

dlh6213 27 Posting Maven Team Colleague

Sorry it took so long for you to get a reply to this :(

Try these links and see if anything helps:
http://www.microsoft.com/security/malwareremove/default.mspx
http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

If they don't help, see the 'Manual Removal' instructions here:
http://support.microsoft.com/?scid=kb;en-us;897079

dlh6213 27 Posting Maven Team Colleague

Welcome to DaniWeb WCH1086 :D; you've been moved to the appropriate forum :)

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox, paste the full file path of the file in the box, and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?; click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

dlh6213 27 Posting Maven Team Colleague

Welcome to DaniWeb Wojtek_K :D

Assuming this is XP, you should find everything you need here:
http://www.daniweb.com/techtalkforums/thread6632.html

If not, feel free to ask :)

dlh6213 27 Posting Maven Team Colleague

Hi geneva.b, welcome to DaniWeb :D

Glad you got your problem resolved, but there's one more thing you should do as soon as possible: go to Windows Update and get the Critical Updates for your system -- at least SP1a :)

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove (if found):

My Way Search Assistant
MyWaySA
My Web Search
WinTools

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O20 - Winlogon Notify: cmdabr - C:\WINDOWS\system\cmdabr.dll (file missing)

Be sure all windows are closed, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted file and folder:

C:\Program Files\MyWaySA
C:\WINDOWS\system\cmdabr.dll

Reboot, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Ad-Aware SE (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-2) and Spybot Search and Destroy (http://www.download.com/Spybot-Search-Destroy/3000-8022_4-10289035.html?tag=lst-0-1) should both be able to fix this.

You can also post a HijackThis log here to make sure it, and anything else bad, has been removed. You can get the self-extracting version of HijackThis from here (in line 2): http://www.malwareremoval.com/downloads.html

Here's some info on DyFuCa:
http://www.antivirusworld.com/articles/dyfuca.php

dlh6213 27 Posting Maven Team Colleague

Hi db103, welcome to DaniWeb :D

Before fixing anything with hijackthis, you need to move it out of the Temp folder it is now in, to a permanent folder of its own (like c:\HJT\hijackthis.exe).

After you've moved it, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Go ahead and follow the previous recommendations :)

dlh6213 27 Posting Maven Team Colleague

Hi tonyb130, welcome to DaniWeb :D

Sorry this has been overlooked the past couple of days :(

Scan with hijackthis and have it fix the following entries:

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\system32\ngsh33.dll
O4 - HKLM\..\Run: [Aapp] C:\windows\system32\adprot
O4 - HKCU\..\Run: [ngpw36] C:\windows\system32\ngpw36.exe
O4 - HKCU\..\Run: [adprot] C:\windows\system32\adprot.exe

Be sure to close all windows, other than hijackthis, before hitting Fix checked.

Reboot into Safe mode.

Go to the following locations and delete the highlighted files:

C:\windows\system32\adprot
C:\windows\system32\adprot.exe
C:\windows\system32\ngpw36.exe
C:\WINDOWS\system32\ngsh33.dll

Reboot normally, close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Way to go Dani! :D