dlh6213 27 Posting Maven Team Colleague

Please let us know what OS you are using; if it is XP or Me, try using System Restore to a time before you started having problems.

You should not have more than one antivirus program installed on your computer at the same time; someone probably suggested you use Panda's free online scanner (not install Panda on your computer).

Reboot into Safe Mode, go to Add/Remove programs in your Control Panel, and see if you can remove Panda from there.

While in Safe Mode, go to msconfig and enable everything; later you can research (using Google, or asking here), to determine which specific entries, if any, you should disable in msconfig.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

MyWay (or myBar)
PartyPoker
Windows ServeAd (or WinServAd)

Scan with HJT and have it fix the following entries:
(Note: some entries may no longer be here after using Add/Remove Programs)

O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab

Be sure all windows are closed, other than HJT, before hitting the Fix button

Go to the following location and remove the highlighted folder (if found):

C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\PartyPoker

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Reboot

You …

dlh6213 27 Posting Maven Team Colleague

Have a look at this thread, http://www.daniweb.com/techtalkforums/thread5690.html

Then, get HijackThis from here:
http://www.spywareinfo.com/~merijn/

Close all browser windows, 'Scan and Save Log' with hijackthis, copy and paste the log here in this thread.

You may also find this thread somewhat helpful/interesting:
http://www.daniweb.com/techtalkforums/thread16365.html

dlh6213 27 Posting Maven Team Colleague

Tony's list (http://castlecops.com/CLSID.html) is indeed helpful, but someone new to HijackThis is best off using it with the assistance of someone familiar with it as mistakes can cause serious problems.

Celtic_moon, as suggested by OurNation, please move hijackthis into its own folder (something like c:\HJT\hijackthis.exe), and then close all browser windows, scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

SpamBlockerUtility (or Hotbar)

Scan with HJT and have it fix the following entries:
(Note: some entries may no longer be here after using Add/Remove Programs)

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [SpamBlocker] C:\Program Files\SpamBlockerUtility\Bin\4.6.1.0\SbOEAddOn.exe
O4 - HKLM\..\Run: [olghbibt] C:\WINDOWS\system32\anhubbfu.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmvkkr.exe
O9 - Extra button: ShopperReports - Compare travel rates - {946B3E9E-E21A-49c8-9F63-900533FAFE14} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: ShopperReports - Compare product prices - {E77EDA01-3C56-4a96-8D08-02B42891C169} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D...bridge-c338.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} (SbInstObj) - http://installs.spamblockerutility....ckerutility.cab
O20 - Winlogon Notify: Syncmgr - C:\WINDOWS\system32\k0nola531d.dll

If you didn't set this as your start page, have HJT fix this as well:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peegs.com/

Be sure all windows are closed, other than HJT, before hitting the Fix button
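
The log lines in the post above follow HijackThis's `<section> - <body>` layout. As an added example (not part of the original post and not HijackThis code), the Python below parses such lines and flags four patterns the posts on this page single out for review: non-loopback Hosts redirects (O1), Run entries launched from a Temp folder (O4), Trusted Zone additions (O15), and entries marked "(file missing)" or "(no file)". The sample log, its addresses and names, and the reason labels are all constructed for illustration.

```python
import re
from ipaddress import ip_address
from typing import List, NamedTuple, Optional, Tuple

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] C:\path\file.exe"
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O1 body: "Hosts: <ip> <hostname>"
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<name>\S+)$")
# O4 body: "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Markers HijackThis appends when the referenced file is gone.
ORPHAN_MARKERS = ("(file missing)", "(no file)")


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4"
    reason: str   # label chosen for this example, not a HijackThis term
    body: str     # rest of the log line, kept for the reviewer


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one log line into (section, body); None for headers and noise."""
    m = LINE_RE.match(line.strip())
    return (m["section"], m["body"]) if m else None


def triage(log_text: str) -> List[Finding]:
    """Return entries worth a closer look. Nothing is modified or removed."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed

        # Leftover registry entry pointing at a file that no longer exists.
        if any(marker in body for marker in ORPHAN_MARKERS):
            findings.append(Finding(section, "orphaned-entry", body))

        if section == "O1":
            # A hosts entry mapping a name to a routable address silently
            # redirects that name; loopback/0.0.0.0 entries are blocklists.
            m = HOSTS_RE.match(body)
            if m:
                try:
                    addr = ip_address(m["ip"])
                except ValueError:
                    addr = None  # malformed address: leave for manual review
                if addr is not None and not (addr.is_loopback or addr.is_unspecified):
                    findings.append(Finding(section, "hosts-redirect", body))
        elif section == "O4":
            # Autostart programs have no reason to live in a Temp folder.
            m = RUN_RE.match(body)
            if m and "\\temp\\" in m["cmd"].lower():
                findings.append(Finding(section, "autorun-from-temp", body))
        elif section == "O15":
            # Trusted Zone sites run with relaxed IE security settings;
            # confirm the user added each one.
            findings.append(Finding(section, "trusted-zone-entry", body))
    return findings


# Constructed sample log (documentation address and example names only).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O1 - Hosts: 203.0.113.10 search.example.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [updater] C:\DOCUME~1\USER\LOCALS~1\Temp\a.tmp.exe 1
O4 - HKLM\..\Run: [ExampleAV] C:\Program Files\ExampleAV\av.exe
O9 - Extra button: Example - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\ex.exe (file missing)
O15 - Trusted Zone: *.ads.example.net
O20 - Winlogon Notify: example - C:\WINDOWS\system32\example.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.reason:<20}{f.body}")
```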

dlh6213 27 Posting Maven Team Colleague

Hi Sickofit, welcome to DaniWeb :) You're not the only one who's sick of it! (malware that is)

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

Ebates_MoeMoneyMaker (or something similar)
PartyPoker (if you didn't install it yourself)

Scan with HJT and have it fix the following entries:
(Note: some entries may no longer be here after using Add/Remove Programs)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: DLMaxObj Class - {00000000-59D4-4008-9058-080011001200} - C:\WINDOWS\dlmax.dll
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [efbiwte] c:\windows\system32\efbiwte.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [mvmmlrturgu] C:\WINDOWS\System32\efbiwte.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Moniker32 Class) - http://connect.online-dialer.com/cax.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://static.flingstone.com/cab/20.../bridge-c17.cab
O16 - DPF: {E0CE16CB-741C-4B24-8D04-A817856E07F4} -

dlh6213 27 Posting Maven Team Colleague

Close any open browser windows, scan with HJT, and have it fix the following entries (if found):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [8.tmp.exe] C:\DOCUME~1\KOLODZ~1\LOCALS~1\Temp\8.tmp.exe 1 10001
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
C:\WINDOWS\system32\ipba.exe

Be sure all windows, other than HJT, are closed before hitting the Fix button

Go to the following folders and delete the highlighted files:

C:\WINDOWS\system32\ipba.exe
C:\WINDOWS\web\related.htm

Get AboutBuster from one of the sites listed here:
http://www.besttechie.net/forums/index.php?showtopic=1488

Check for any updates first, and then reboot into Safe Mode to run it

When it's finished, while still in Safe Mode:

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Empty your Recycle Bin.

Reboot

Try Hoster to fix the IE problem; …

dlh6213 27 Posting Maven Team Colleague

Well, these probably aren't going to be on your system, but you can do a search for them and see what you come up with. From what I can find out, it seems the problem is going to be in this DRIVERS folder, but the name can be different.

C:\WINDOWS\SYSTEM32\DRIVERS\beepw.sys
C:\WINDOWS\System32\drivers\hidclasy.sys
C:\WINDOWS\SYSTEM32\DRIVERS\battcc.sys

I'll see what else I can find out, or maybe someone else will have some ideas.

This program can help locate it, but, unfortunately, I don't know how to use it:
http://www.niksoft.at/_data/startdreck.zip

dlh6213 27 Posting Maven Team Colleague

Have HJT fix this entry:

O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)

Since you don't have internet access, you will probably need to download these from another computer.

Try IEFix from here:
http://www.majorgeeks.com/download4467.html

Winsockfix may also resolve the problem:
http://www.digitalminds.net/index.pl/downloads

And, you can try Hoster:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Reboot

Close any open browser windows, scan with HJT, and post a new log please.


vx2,enjql1151.dll

dlh6213 27 Posting Maven Team Colleague

Hi! Welcome to DaniWeb :) Sorry for the delay in responding to this, I just found it in the wrong forum tagged onto another user's thread. Please post all problems into a new thread, regardless of how similar it may seem.

Before fixing anything with hijackthis, you should put it into its own folder; to do this, right-click on your desktop and select New, Folder. Give the folder a name, something like HJT or HijackThis would be good, and then drag the hijackthis.exe icon on your desktop into this new folder.

Close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

So which is it, Messenger, Explorer, or what?

dlh6213 27 Posting Maven Team Colleague

Go on over to the Security section of this forum and post your problem along with a hijackthis log.

Yup, been there, done that; I can't see anything in the log that would cause this, do you? Any ideas other than what I suggested already (in the other thread)?

dlh6213 27 Posting Maven Team Colleague

This should help:
http://www.pcuser.com.au/pcuser/hs2.nsf/web/3D2F91493F7B80D5CA256EA80038C9A7
(Paragraph within this article: "Note : If you are using an XP Upgrade CD, you will be asked for a qualifying product during installation. Pop the CD with your older version of Windows into the drive, press <ENTER> or click ‘OK' as prompted, and return your Windows XP CD to the drive when asked. You may be prompted to ‘Create a Startup disk' and you can safely ‘Cancel' from that step if you do not wish to create a Startup diskette.")

And this:
http://www.pcuser.com.au/pcuser/hs2.nsf/web/3766D094A6F3FD83CA256EA80021C82D

dlh6213 27 Posting Maven Team Colleague

You don't need to, nor should you, stop any processes that are running, just close any open windows.

From your log, it looks like you're running two antivirus programs (Nod32 and Norton); this can cause problems, you should decide which one you prefer (I'd recommend Nod32) and remove the other.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c7.cab

Be sure all windows are closed, other than HJT, before hitting the Fix button

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Reboot, close any open browser windows, scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Welcome to DaniWeb! :) I split your post into its own thread; we ask that you not tag onto other threads, even if the problems are similar.

Get FixBlast.exe from here:
http://securityresponse.symantec.com/avcenter/FixBlast.exe

Save the file to your Desktop

Close all the running programs before running it

Also try scanning with Stinger:
http://vil.nai.com/vil/stinger/

Save the file to your Desktop

If necessary, click the Add or Browse button to add additional drives/directories to scan. By default the C: drive will be scanned

Click the Scan Now button to begin scanning the specified drives/directories

By default, Stinger will repair all infected files found

Update your Panda antivirus and run a full system scan

Remove Newdotnet, using either Add/Remove Programs, or by getting the uninstall tool from here:
http://www.newdotnet.com/#remove

Download LSPfix from here:
http://castlecops.com/zxphoenix22/LSPFix.zip

On the opening screen, click the "I know what I'm doing" checkbox

Check any instances of "newdotnet6_38.dll" (and nothing else), and move them to the "Remove" pane

Click Finish.

This is optional, but I'd like to suggest another program for you to try, I've found it to find things most others can't. It's called CounterSpy and you can get it from here:

http://www.download.com/3000-8022_4-10337358.html

It has a 15-day free trial which will be plenty of time to get your system cleaned up, or you can purchase it for $20 (US). After you download it, …

dlh6213 27 Posting Maven Team Colleague

You also need to go to Windows Update and get the Critical Updates for your system.

dlh6213 27 Posting Maven Team Colleague

I can't find any info on Ball Peak or ACTIVE TEST POKE, which leads me to believe it's not a legit program. If you don't think you installed anything related to this, I would suggest removing it, but you may wish to do more research yourself or wait for confirmation from someone else here one way or the other. What folder is this in, by the way?

I also see you are using DAP which is not technically malware, but it may allow it into your system. I would strongly recommend uninstalling it.

Scan with HJT and have it fix the following entries:

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [Bin Two Mode Upload] C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo\DEBUG PHONE.exe
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

Be sure all windows are closed, other than HJT, before hitting the Fix button

Go to the following and remove the highlighted folder (if found):

C:\Documents and Settings\All Users.WINDOWS\Application Data\WebFunkBinTwo
(That All Users.WINDOWS is an unusual folder, you may want to have a look to see what else is in there; it could be that whole folder should be deleted)

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your …

dlh6213 27 Posting Maven Team Colleague

Well, after a bit of research, I think I've found a way to get rid of that nasty webtracer.

Get Find.zip from here:
http://www.atribune.org/downloads/find.zip

Download Find.zip into the same folder your HijackThis is in ('Files and Programs' in your case); make sure you Extract All Files

Double-click Find.bat and let it scan your computer (should only take a few seconds)

Look in the folder you have HijackThis in and find Report.txt

Double-click Report.txt, copy the entire contents of the log, and paste it here.

After running this program, do NOT shutdown or log off of your computer until after we have fixed the problem.

Sorry for answering so late, I've been checking for new answers every day, but I just realized that there was a page 2.

Don't feel bad, the same thing happened to me when I first came here :o

dlh6213 27 Posting Maven Team Colleague

Good job so far! :)

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

VBouncer (or BundleOuter)
Web Offer

Scan with HJT and have it fix the following entries:
(Note: some entries may no longer be here after using Add/Remove Programs)

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\system32\kmvkkr.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [nsvcin] C:\WINDOWS\system32\n20050308.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [ujyoxj] c:\windows\system32\ujyoxj.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe

Be sure all windows are closed, other than HJT, before hitting the Fix button

Go to the following and remove the highlighted file or folder (if found):

C:\WINDOWS\isrvs
C:\WINDOWS\farmmext.exe
C:\WINDOWS\system32\kmvkkr.exe
C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\picsvr
C:\WINDOWS\system32\ujyoxj.exe
C:\WINDOWS\system32\n20050308.exe
C:\Program Files\VBouncer

Do a search on your 'C' drive for Web Offer and delete the folder

Empty your Recycle Bin

Reboot, close any open browser windows, scan with HJT and post a new log please

Is your ISP AOL or Earthlink?

If this doesn't clear it up, or if problems return, I believe we will need to use some VX2/Look2Me …

dlh6213 27 Posting Maven Team Colleague

Just a couple of things I forgot before...

Do a search for PIB.exe and delete any instances found.

If you have a version of SpywareBlaster that is earlier than 3.3, remove it, and get the latest version from here:
http://www.javacoolsoftware.com/sbdownload.html (you will be given a choice of download sites from there)

After you install it, check for 'Updates,' and then have it 'Enable all protection'

dlh6213 27 Posting Maven Team Colleague

Download LSPFix from here:
http://www.cexx.org/lspfix.htm
Unzip to your desktop, and then run it.

1. Check "I know what I'm doing".
2. Click on (highlight) dolsp.dll
3. Then click ">>" to move it to the 'Remove' pane.
4. Double-check, and make sure that only the above file is in the 'Remove' pane.
5. Click "Finish >>"

Before fixing anything with hijackthis, it needs to be in its own permanent folder; right now you have it in a temp folder. Please move it to a folder such as c:\HJT\hijackthis.exe

Whenever you scan with HJT, close all browser windows first. After you move it, please post a new log.

dlh6213 27 Posting Maven Team Colleague

That file appears to be infected; if you have what is described here, you need to clean it off your machine before the 28th of the month! Follow the instructions described by Norton:
http://securityresponse.symantec.com/avcenter/venc/data/vbs.pub.html

dlh6213 27 Posting Maven Team Colleague

Before you post a new log, right-click on your desktop, select New, Folder; give the New Folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon on your desktop into this new folder.

Now, close all browser windows, scan with HJT, and post the entire log.

dlh6213 27 Posting Maven Team Colleague

You can try fixing this one again, other than that, your log looks okay:
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

If you continue having problems, let us know :)

By the way, when are you going to finish that signature of yours? :eek:

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

BullsEye Network
Media Access
WildTangent
WinTools
Zango Messenger

Scan with HJT and have it fix the following entries:
(Note: some entries may no longer be here after using Add/Remove Programs)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50245
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - E:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - E:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - E:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "E:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [Media Access] E:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [EasyMessage] "E:\Program Files\Zango Messenger\em2.exe" -wait
O4 - HKLM\..\Run: [BullsEye Network] E:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [WinTools] E:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [TBPS] E:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [Weather] E:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - E:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D.../bridge-c11.cab
O16 - DPF: {8C410098-8BA7-4550-A0A4-6959C02FC935} (karCntrlIE Class) - http://karaoke.cokemusic.com//karClientIE.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - E:\PROGRA~1\Toolbar\toolbar.dll
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - …

dlh6213 27 Posting Maven Team Colleague

1. You need to get your Windows Updates, just SP1a for now (hold off on SP2, at least until your system is cleaned up)

2. You need to get the latest version of HijackThis (currently 1.99.1)

3. You need to put HijackThis into its own folder instead of running it directly from the hard drive (it should be something like c:\HJT\hijackthis.exe)

4. Close all browser windows before scanning with HJT (you had IE open when you did the above scan)

Go to Add/Remove Programs in your Control Panel and remove (if found):

Web_Rebates
Viewpoint or Viewpoint Manager
WildTangent

Scan with HJT and have it fix the following entries:

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [DDCActiveMenu] "C:\Program Files\WildTangent\DDC\ActiveMenu\DDCActiveMenu.exe" -boot
O4 - HKLM\..\Run: [DDCM] "C:\Program Files\WildTangent\DDC\DDCManager\DDCMan.exe" -Background

Be sure all windows, other than HJT, are closed before hitting the Fix button

Go to the following and delete the highlighted folder or file:

C:\Program Files\Web_Rebates
C:\Program Files\Viewpoint
C:\Program Files\WildTangent

After completing the listed steps, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Windows 2000 and Windows XP (as well as Server 2003) are the only operating systems that use NTFS; if you are going to be installing one of those OS's, you don't need a startup disk at all, just set your BIOS to boot from CD first, put the CD in the drive, and start up the computer. You will be given options to format and define the file system you prefer (FAT or NTFS) during the setup process.

You can find complete instructions for installing XP here:
http://www.daniweb.com/techtalkforums/thread6632.html

dlh6213 27 Posting Maven Team Colleague

Yes I have, and no they are not.

dlh6213 27 Posting Maven Team Colleague

Go to C:\Program Files\BitComet and right-click on BitComet.exe and choose 'Scan for viruses'

Do you know what this is for?
O4 - HKCU\..\Run: [Ball Peak] C:\DOCUME~1\Yuyin\APPLIC~1\OBJCOR~1\ACTIVE TEST POKE.exe
If not, see if you can find what folder it is in, then right-click on the .exe file, go to Properties, and post whatever info you can find on it

If you didn't put these in your 'Trusted Zone,' have HJT fix them:

O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)

Reboot, close all browser windows, scan with HJT, post a new log, and describe what problem(s) you are having.

dlh6213 27 Posting Maven Team Colleague

Try IEFix from here:
http://www.majorgeeks.com/download4467.html

Then try the Trend scan again

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the upate"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Go to Add/Remove Programs in your Control Panel and remove (if found):

Ebates_MoeMoneyMaker (or something similar)

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjlwv.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\pjlwv.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\pjlwv.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {DCBA9611-B4B0-16C9-9872-C35C216F9B05} - C:\WINDOWS\netow32.dll
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [rF4U3mh] mriwseui.exe
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - HKLM\..\Run: [msfc.exe] C:\WINDOWS\system32\msfc.exe
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
If you didn't put these in your 'Trusted Zone' have HJT fix them as well:
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {22A88341-AFCB-45F0-A856-C2BAE74F878E} (InstallX Class) -

dlh6213 27 Posting Maven Team Colleague

Do you have the 'Winrar' archiving program installed on your computer?

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the upate"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Put HijackThis into its own folder by right-clicking on your desktop, select New, Folder; name the folder whatever you like (something like HJT or hijackthis would be best). Then drag the hijackthis.exe icon that is on your desktop into the new folder.

Close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Something is causing this to be recreated but it's not showing in your HJT log (or if it is, I'm overlooking it). I'd like to suggest another program for you to try, I've found it can find things most other programs can't.

It's called CounterSpy and you can get it from here:

http://www.download.com/3000-8022_4-10337358.html

It has a 15-day free trial which will be plenty of time to get your system cleaned up, or you can purchase it for $20 (US). After you download it, install it; when asked for a registration number, just click next.

Before scanning the first time, make the following adjustments to the settings:

CounterSpy Settings

At the very top, click on File, and then Check for updates
When it’s finished updating, click the ‘Close’ button

Under ‘Spyware Scan’ on the left, click on ‘Run a spyware scan’
In the left pane, click on ‘Scan Options’
Mark ‘Full system scan’
Check all boxes under ‘Full system scan,’ including ‘Save these options’
In the right pane, near the bottom, click ‘Manage Schedule’
On the left side, select your preferred schedule options
On the right side, under ‘Scheduled Scan Options,’ check:
‘Always run a deep scan’
‘Automatically remove spyware cookies’
Click the ‘Update Schedule’ button

At the top, click on ‘System Tools’
Double-click on ‘History Cleaner’
Check the following options (if they are not grayed-out):
‘Internet Explorer …

dlh6213 27 Posting Maven Team Colleague

You're welcome :)

dlh6213 27 Posting Maven Team Colleague

I don't see anything in your log to indicate a problem. I'd like to suggest another program for you to try, I've found it to find things most others can't.

It's called CounterSpy and you can get it from here:

http://www.download.com/3000-8022_4-10337358.html

It has a 15-day free trial which will be plenty of time to get your system cleaned up, or you can purchase it for $20 (US). After you download it, install it; when asked for a registration number, just click next.

Before scanning the first time, make the following adjustments to the settings:

CounterSpy Settings

At the very top, click on File, and then Check for updates
When it’s finished updating, click the ‘Close’ button

Under ‘Spyware Scan’ on the left, click on ‘Run a spyware scan’
In the left pane, click on ‘Scan Options’
Mark ‘Full system scan’
Check all boxes under ‘Full system scan,’ including ‘Save these options’
In the right pane, near the bottom, click ‘Manage Schedule’
On the left side, select your preferred schedule options
On the right side, under ‘Scheduled Scan Options,’ check:
‘Always run a deep scan’
‘Automatically remove spyware cookies’
Click the ‘Update Schedule’ button

At the top, click on ‘System Tools’
Double-click on ‘History Cleaner’
Check the following options (if they are not grayed-out):
‘Internet Explorer History’
‘Internet Explorer Cookies’
‘Kazaa’
‘Temporary Internet Files’

dlh6213 27 Posting Maven Team Colleague

Gotta find one with a number now, huh? Thanks a lot. How about...

5th Glove -- An input device for virtual reality in the form of a glove which measures the movements of the wearer's fingers and transmits them to the computer.

dlh6213 27 Posting Maven Team Colleague

Are you still having problems?

Your log looks pretty good now; you can have HJT clean up these entries:

O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\pKutoenr.dll (file missing)

dlh6213 27 Posting Maven Team Colleague

I only see a couple of minor things there now.

You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:

CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.

And you can have HJT fix this entry:

R3 - Default URLSearchHook is missing

dlh6213 27 Posting Maven Team Colleague

Phishing -- The act of attempting to fraudulently acquire, through deception, sensitive personal information, such as passwords and credit card details, by masquerading in an official-looking email, IM, etc. as someone trustworthy with a real need for such information.

The term was coined in the mid 1990's by crackers attempting to steal AOL accounts. An attacker would pose as an AOL staff member and send an instant message to a potential victim. The message would ask the victim to reveal his or her password, for instance, to "verify your account" or to "confirm billing information." Once the victim gave over the password, the attacker could access the victim's account and use it for criminal purposes.

Today, online criminals put phishing to more directly profitable uses. Popular targets are users of online banking services, and auction sites such as eBay.

(From http://en.wikipedia.org/wiki/Main_Page)

dlh6213 27 Posting Maven Team Colleague

Let's try the Registry Editor again (regedit).

Before you manually edit the Registry, you should create a backup. At the top of the Registry window, click on the Registry menu, click Export Registry File. In the Export range panel, click All, then save your registry as Backup. This way, if the operation of your PC is affected, you have a way to restore it.

Also set a System Restore point.

In the Registry Editor, click on the + next to HKEY_CURRENT_USER, and then the + next to Software, the + next to Microsoft, and then the + next to Internet Explorer. Find the folder that says Main and click on it; in the right-hand pane, find Start Page; right-click on it and select Modify. In the Value data field, delete whatever is there and replace it with http://www.google.com/ (you can change this to whatever you wish now, or change it later).

Go to HKEY_LOCAL_MACHINE and follow the same path and make the same change.

Close the editor, close all browser windows, scan with HJT, and have it fix:

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O1 - Hosts: 1159680172 auto.search.msn.com

Reboot, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Okay, I see from your log you are using WinXP and IE. Try this: with IE open, click on the Search button (picture of a magnifying glass). On the left-hand side you should see a button that says Customize; in the box that opens, go through each of the options and make sure Yahoo isn't selected -- if you have a particular service that you wish to use, select it if it's listed there.

If that doesn't work for you, you may wish to post the question in the Internet Explorer forum for more suggestions.

dlh6213 27 Posting Maven Team Colleague

It's looking a lot better! Are you still having problems?

There are a few more things to clean up; close all browser windows, scan with HJT, and have it fix the following entries:

F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

If you don't recognize this IP address as belonging to your ISP, have HJT fix these entries as well:
O16 - DPF: {14904A9A-051A-1BE6-83A0-2604321927D1} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {428FA2B5-B816-2E57-7260-5232628C14A2} - http://69.50.182.94/1/rdgUS994.exe

Remember to close all windows other than HJT before hitting the Fix button.

Reboot, close any open browser windows, scan with HJT, and post a new log please.
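The checks applied by eye in these posts (entries marked "(file missing)" or "(no file)", ini-mapped autostarts, IE settings pointing at res:// DLL resources, and ActiveX downloads served from a bare IP address) can be sketched as a small triage script. This is an added example, not part of the original posts or of HijackThis; the heuristics and function names are assumptions, and the sample lines are entries quoted on this page.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Sample input: HijackThis entries quoted in the posts on this page.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inetdata\winlogon.exe
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O16 - DPF: {14904A9A-051A-1BE6-83A0-2604321927D1} - http://69.50.182.94/1/rdgUS994.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
"""

ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
URL = re.compile(r"https?://\S+")


def is_ip_host(url):
    """True when the URL's host is a literal IP address rather than a name."""
    try:
        ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return [(code, [reasons])] for entries that deserve a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        code, body = m["code"], m["body"]
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned: target file no longer exists")
        if code in ("F2", "F3"):
            reasons.append("ini-mapped autostart: verify the listed program")
        if code in ("R0", "R1") and "res://" in body.lower():
            reasons.append("IE page setting loads from a local DLL resource")
        if code == "O16" and any(is_ip_host(u) for u in URL.findall(body)):
            reasons.append("ActiveX download source is a bare IP address")
        if reasons:
            findings.append((code, reasons))
    return findings


if __name__ == "__main__":
    for code, reasons in triage(SAMPLE_LOG):
        print(code, "->", "; ".join(reasons))
```

A flagged line is only a prompt to look closer; entries the script leaves alone, such as the O4 Run key above, still need the manual review described in the posts.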

dlh6213 27 Posting Maven Team Colleague

Before fixing anything with hijackthis, right-click on your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis). Now drag the hijackthis.exe icon that is on your desktop into the new folder.

Close all browser windows, scan with HJT, copy and paste the entire log into the Quick Reply box.

Also, please describe the problem you are still having.

dlh6213 27 Posting Maven Team Colleague

I don't see anything in your log that would indicate a problem; can you please clarify the problem you are having?

dlh6213 27 Posting Maven Team Colleague

A Windows 98 Startup disk can format and partition a drive; I don't know of anything that would offer a "higher and more secure level of format."

Are you trying to install an OS or what? If so, which one? For Win98 and prior, you should use a Win98 Startup disk; if Win2K or later, just boot with the CD and it will format and partition however you want it to.

dlh6213 27 Posting Maven Team Colleague

Before you fix anything with hijackthis, it needs to be in its own permanent folder. All your Temp folders are going to be cleaned out in an effort to clean up your system. Hijackthis is now in a Temp folder and will be deleted if you don't relocate it first. I recommend putting it in a folder like c:\HJT\hijackthis.exe.

After you've moved it:

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Empty your Recycle Bin.

Close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Before fixing anything with hijackthis, please put it into its own folder by right-clicking on your desktop, select New, Folder; name the folder whatever you like (something like HJT or hijackthis would be best). Then, drag the hijackthis.exe icon that is on your desktop into the new folder.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FE07DF8E-EB48-201C-AF54-67375F54D0FD} - C:\WINDOWS\system32\syskn32.dll
O4 - HKLM\..\Run: [sdkdf.exe] C:\WINDOWS\sdkdf.exe
O4 - HKLM\..\RunOnce: [netdm.exe] C:\WINDOWS\system32\netdm.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...738&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
O23 - Service: Network Security Service (NSS) …

dlh6213 27 Posting Maven Team Colleague

How to create an MS-DOS startup disk:

Insert a floppy disk into your computer's floppy drive.
Open My Computer, and then click the floppy disk drive to select it.
On the File menu, point to the name of the floppy drive, and then click Format.
Under Format options, click Create an MS-DOS startup disk.
Click Start.

Note: The MS-DOS startup disk only allows the system to boot into an MS-DOS prompt; the disk contains no additional tools.

Please clarify what you mean by a 'DOS Partition disk'.

dlh6213 27 Posting Maven Team Colleague

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Empty your Recycle Bin.

Follow the recommendations in this thread to remove HotOffers:
http://www.daniweb.com/techtalkforums/thread19959.html

Get HSFix from here:
http://www.atribune.org/downloads/HSFix.zip

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into Safe Mode

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Right-click on your desktop, select New, Folder; give the New Folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon on your desktop into this new folder.

Close all browser windows, scan with HJT, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {05A6952D-72E5-0216-C37E-08157768E5C8} - C:\WINDOWS\system32\celhqle.dll
O2 - BHO: (no name) - {FC5BCA13-77EE-4495-AC06-A437596C1131} - C:\WINDOWS\system32\lkbj.dll (file missing)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 …

dlh6213 27 Posting Maven Team Colleague

Did you run the Hoster yet? Please post a new log after running it. Remember to close all browser windows before scanning with HJT or fixing anything with it.

dlh6213 27 Posting Maven Team Colleague

I haven't used Nod32 myself yet, but it's consistently rated above all the others. Perhaps the 'paid-for' version has more options for deeper scanning?