dlh6213 27 Posting Maven Team Colleague

Doesn't look good; locate the file, right-click on it, select Properties, and post whatever info you can get on it (Company, version, etc.)

dlh6213 27 Posting Maven Team Colleague

Hi yikyang, welcome to DaniWeb :D

Is that a complete log scanned while in 'normal' mode (not Safe Mode)? It looks very short.

Right-click in an empty area of your desktop and select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Xpjava.exe is part of a worm, scan with hijackthis and have it fix this entry:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

Close any open windows, other than hijackthis, and hit Fix checked.

Do a search for xpjava.exe and delete any entries found.

Msdiretx.sys is probably a malicious driver, but I don't see it in your log.

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post the entire log along with the Silent Runners log.
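
Added example, not part of the original posts and not HijackThis code: a small Python triage pass over the kinds of log lines quoted on this page (F2 UserInit/Shell, O1 Hosts, O2/O3 "(no file)", O4 Run), flagging the patterns the posts single out for fixing. The function names, the rules and the sample log (assembled from lines on this page plus constructed benign entries) are assumptions of this example.

```python
import re
from ipaddress import ip_address
from ntpath import basename  # Windows path handling on any platform

# "F2 - ...", "O4 - ..." etc.: section code, then the entry body.
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<key>\w+)=(?P<value>.*)$", re.I)
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)(?:\s+(?P<host>\S+))?$", re.I)


def check_f2(body):
    """Flag logon autostarts chained onto UserInit or Shell."""
    m = F2_RE.match(body)
    if not m:
        return None
    key, value = m["key"].lower(), m["value"].strip()
    if key == "userinit":
        # The stock value is userinit.exe (often a full path plus a trailing comma).
        extra = [p.strip() for p in value.split(",")
                 if p.strip() and basename(p.strip()).lower() != "userinit.exe"]
        if extra:
            return "UserInit also launches: " + ", ".join(extra)
    elif key == "shell":
        # Strip a leading explorer.exe (bare or with a path); anything left is extra.
        rest = re.sub(r"^(?:\S*\\)?explorer\.exe\b", "", value, flags=re.I).strip(" ,")
        if rest:
            return "Shell also launches: " + rest
    return None


def check_hosts(body):
    """Flag Hosts entries that point a name at a non-local address."""
    m = HOSTS_RE.match(body)
    if not m:
        return None
    try:
        ip = ip_address(m["ip"])
    except ValueError:
        return "unparseable address " + m["ip"]
    if ip.is_loopback or ip.is_unspecified:
        return None  # 127.0.0.1 / 0.0.0.0 entries are the usual blocklist form
    return f"{m['host'] or '(name missing)'} redirected to {ip}"


def triage(log_text):
    """Return (section code, finding) pairs for lines that match a rule."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, process list or blank line
        code, body = m["code"], m["body"]
        note = None
        if code == "F2":
            note = check_f2(body)
        elif code == "O1":
            note = check_hosts(body)
        elif code in ("O2", "O3") and body.endswith("(no file)"):
            note = "entry refers to a file that is no longer on disk"
        elif code == "O4":
            cmd = body.split("] ", 1)[-1]  # text after the [value name]
            if "\\temp\\" in cmd.lower():
                note = "autorun command loads from a Temp directory: " + cmd
        if note:
            findings.append((code, note))
    return findings


# Sample log: flagged lines are taken from this page; the header line, the
# 127.0.0.1 entry, the default UserInit line and [Example] are constructed.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 127.0.0.1 ads.example.test
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM\..\Run: [Example] C:\Program Files\Example\example.exe
"""

if __name__ == "__main__":
    for code, note in triage(SAMPLE_LOG):
        print(f"{code}: {note}")
```

The rules only surface candidates for review; as the posts on this page show, each flagged entry still needs a human decision before it is fixed.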

dlh6213 27 Posting Maven Team Colleague

There is still some spyware in C:\Documents and Settings\Hello Kitty\Local Settings\Temp -- please be sure to clean out that folder completely.

WildTangent is still showing in that log as well. Go to C:\Program Files and delete the WildTangent folder.

After you clean up those two things, run cleanmgr, and then post a new hijackthis log please.

dlh6213 27 Posting Maven Team Colleague

Well, I see a few things there that should be corrected, but nothing that really explains (to me) why the problem keeps reoccurring.

This may help with the problem, but no guarantees... Scan with HijackThis and have it fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.red.clientapps.yahoo.com/...www.yahoo.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [IEDriver] C:\WINDOWS\System32\IEDriver\IExplore.exe /U
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O9 - Extra button: (no name) - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\td.exe
O9 - Extra 'Tools' menuitem: MaxSpeed - {1A00C40B-DA85-4aa3-A67F-582D9347EECD} - C:\WINDOWS\System32\td.exe
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/pote_x.cab
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.ne...ab/67yf61fg.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/D.../bridge-c18.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/UK/install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by3fd.bay3.hotmail.msn.com/r...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/22028cf...ip/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - http://racing.youbet.com/wr_5_4/controls/ybrequest.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tec...ta/SymAData.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: …

dlh6213 27 Posting Maven Team Colleague

In addition to what DMR suggested, Open Firefox, go to Tools, Options, and click on Privacy, and click the Clear All button.

dlh6213 27 Posting Maven Team Colleague

Hi frenemy, welcome to DaniWeb :D

Go to Add/Remove Programs in your Control Panel and remove (if present):

WildTangent

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINNT\System32\param32.dll)

Scan with hijackthis, and have it fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
O1 - Hosts: 69.50.173.4 lycos.com
O1 - Hosts: 69.50.173.4 www.lycos.com
O1 - Hosts: 69.50.173.4 altavista.com
O1 - Hosts: 69.50.173.4 www.altavista.com
O1 - Hosts: 69.50.173.4 amazon.com
O1 - Hosts: 69.50.173.4 www.amazon.com
O1 - Hosts: 69.50.173.4 aol.com
O1 - Hosts: 69.50.173.4

dlh6213 27 Posting Maven Team Colleague

Well, I think you answered your own question in your post "single user Norton antivirus 2005"

But if you read your License Agreement with Symantec, you will find the following statement:

"You may:
A. use one copy of the Software on a single computer. If a License Module accompanies, precedes, or follows this license, You may make the number of copies of the Software licensed to You by Symantec as provided in Your License Module."

dlh6213 27 Posting Maven Team Colleague

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.

Please get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Close any open browser windows, 'Scan and Save Log' with HijackThis, and then copy and paste the log here.

These programs will (hopefully) help us locate the problem.

dlh6213 27 Posting Maven Team Colleague

The Ewido I have doesn't have a Fix option; if yours does, go ahead and use it.

Yes, scan in Safe Mode. :)

dlh6213 27 Posting Maven Team Colleague

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take awhile for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Open Firefox, go to Tools, Options, and click on Privacy (padlock icon on the left); click on the Clear All button.

Download, install, update, and run PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Scan with HJT and have it fix this entry:
O4 - HKLM\..\Run: [oxpacud] c:\windows\system32\hpklvh.exe r

Reboot into Safe Mode and delete these files:

C:\windows\system32\hpklvh.exe
C:\WINDOWS\njopaiqeo.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\zfvridb.exe

Empty your Recycle Bin, and do another scan with …

dlh6213 27 Posting Maven Team Colleague

You will need to disconnect from the internet so you may wish to print these instructions.

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet).

Download Nailfix from here:
http://www.noidea.us/easyfile/file.php?download=20050515010747824
Unzip it to your desktop, but do not run it yet.

Disconnect from the net and reboot into Safe Mode.

Double-click on the Nailfix.cmd that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

dlh6213 27 Posting Maven Team Colleague

If you have an hijackthis.exe icon on your desktop, do this:

Right-click in an empty area of your desktop and select New, Folder; give the folder a name (something like HJT or HijackThis). Then, drag the hijackthis.exe icon into this folder.

Close any open browser windows, open HijackThis, and click on 'Scan and Save Log'

Copy the log and paste it here in this thread.

dlh6213 27 Posting Maven Team Colleague

Your log looks clean to me other than the possible exception of

O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)

If you didn't put this in your Trusted Zone yourself, you can have hijackthis fix it.

Are you still having problems with your system?

dlh6213 27 Posting Maven Team Colleague

Okay, we'll wait for the new log.

Did you set Dawn.com as your start page yourself?

dlh6213 27 Posting Maven Team Colleague

Is that the complete log? It doesn't have any O15, O16, or O23 entries like your first one did.

Scan with hijackthis and have it fix the following entries:

O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [BNInv] invbn.exe
O4 - HKLM\..\RunServices: [IE Runtimes] winis.exe

Be sure to close all open windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted folder and file:

C:\Program Files\winupdates
C:\WINDOWS\system32\invbn.exe

Do a search for winis.exe and delete any instances found.

Note: if any of these cannot be deleted in normal mode, try Safe Mode.

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with hijackthis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I don't see much else wrong.

Please go to http://virusscan.jotti.org/ and have this file scanned:
C:\WINDOWS\System32\wbem\wmiprvse.exe

Post the results back here and let us know what problems you are still having.

dlh6213 27 Posting Maven Team Colleague

Hi soulkeeper, welcome to DaniWeb :D

Start with this --

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take awhile for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Update your antivirus program and run a full system scan.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Empty your Recycle Bin and Reboot.

Close any open browser windows, scan with hijackthis, and post a new …

dlh6213 27 Posting Maven Team Colleague

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in this thread.

Please post another hijackthis log as well.

dlh6213 27 Posting Maven Team Colleague

Turn off System Restore.

Go to Add/Remove Programs in your Control Panel and remove (if present):

Oemji
WeatherBug

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Go to Start, Run, and type in cleanmgr, and then click OK. Select the drive XP is on, and check the boxes for Downloaded Program Files (move any files you wish to keep out of this folder first), Temporary Internet Files, Recycle Bin, Temporary Files, Temporary Offline Files, Offline Files, (and Compress old files & Catalog files for the Content Indexer if you wish), and then click OK. Click Yes to confirm you want these files deleted. It may take awhile for this to run, please be patient.

Note: if any of these temporary files cannot be deleted while in normal mode, try Safe Mode.

Download, install, update, and run PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Scan with hijackthis and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.oemji.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.oemji.com/side_search.html
O2 - BHO: OemjiSearchPlus - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiPls.dll
O3 - Toolbar: …

dlh6213 27 Posting Maven Team Colleague

Is it OK to search the registry for Norton and deleting everything Norton related if the program is uninstalled?

I actually did this myself a couple of weeks ago, and so far, no problems. I suggest you backup the registry before doing so though, just in case.

Since you're uninstalling Norton, are you sure you want to reinstall it? There are better alternatives...

dlh6213 27 Posting Maven Team Colleague

Congratulations Danielle, seems you've helped yourself :)

dlh6213 27 Posting Maven Team Colleague

Download, install, update, and run the PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1

Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.

From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/

Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.

Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.

Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).

Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.

Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).

Reboot normally.

Scan with hijackthis and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {54C421A4-9F62-F88E-18C2-94BC6D78E3BA} - C:\WINDOWS\system32\xnlbokz.dll
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no …

dlh6213 27 Posting Maven Team Colleague

Have you tried the Norton solution from my prior post yet?

512MB should be plenty of RAM.

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Be sure to close any open windows, other than hijackthis, before hitting Fix checked.

dlh6213 27 Posting Maven Team Colleague

Go to Start, Run, and type in regedit; click OK and the Registry Editor will open.

At the top of the Registry window, click on File, and then click Export... An Export Registry File window will open; choose a location to save the backup to (like My Documents), and give it a name (like Panda Removal), and then click the Save button.

You now have a backup of your registry in case anything goes wrong :)

dlh6213 27 Posting Maven Team Colleague

Hi Jennifer, welcome to DaniWeb :D

To answer your question "Does everything that show on the log indicate something "wrong"?" The answer is NO! Just about everything shown in an HijackThis log is important to proper operation of your computer.

CCAPP.EXE is a part of Norton, and you can find a possible solution here:
http://service1.symantec.com/SUPPORT/nav.nsf/5faa3ca6df6f549888256edd0061c0a4/10c2fdd9a6f5d98288256d75006b7b86?OpenDocument&src=bar_sch_nam

But I think it's probably a lack of RAM in your computer; Norton is a resource hog, and your description of your Add/Remove Programs problem indicates insufficient RAM. Can you tell us how much RAM you have in your system?

I see a few (minor) things in your log that could be fixed, but could you first post a new one please? That one didn't come out right for some reason and is a bit hard to read... And will be hard to reply to.

dlh6213 27 Posting Maven Team Colleague

Before reinstalling, try an in-place upgrade (aka repair installation); instructions can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

IE fragmented?? :confused:

dlh6213 27 Posting Maven Team Colleague

From Panda:

Dear Customer

In order to uninstall the Panda Antivirus Titanium program manually proceed as follows, deleting the entries in the Registry and files detailed below. However, if at any time the entries or files cannot be found, continue with the uninstallation process, as depending on the version installed the files or entries may or may not exist.

Follow the steps below:

First attempt to remove Panda from Control Panel, Add remove programs. Once this is done, make sure that there are no Panda Services running in the Services section in Control panel. Ensure they are stopped and set to disabled.

Open the Registry from Start, Run, write REGEDIT, and click on OK. Highlight 'My Computer' at the top of the list, then go to 'Edit' and 'Find'. Type 'panda' into the box and then click on 'Find Next'. This will search the Registry for panda files. When it brings up a folder or file, press 'delete' or right-click on the highlighted file/folder and select 'delete' from the menu to remove it. Then press 'F3' to search again and find the next Panda entry.

Continue to search and delete Panda entries in the Registry until no more entries are found. Then repeat this process, this time searching for 'pav'. When both searches are complete, close the Registry and restart the computer.

Once this operation has been carried out, using Windows Explorer delete the Panda Software folder that is below C:\Program files. You …

dlh6213 27 Posting Maven Team Colleague

I don't see anything else in your log; if you're still having a problem, can you please give us as much info on it as possible?

dlh6213 27 Posting Maven Team Colleague

Hi gg, welcome to DaniWeb :D

Go to Add/Remove Programs in your Control Panel and remove (if present):

Viewpoint Manager (or Viewpoint)

Right-click in an open area of your desktop and select New, and then Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Scan with hijackthis and have it fix the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0B478A5F-80D3-2FF6-AF0E-5653B825ADD2} - C:\WINDOWS\system32\ipks32.dll
O4 - HKLM\..\Run: [sysxh.exe] C:\WINDOWS\sysxh.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\atlnc32.exe

Be sure to close any open windows, other than hijackthis, before hitting Fix checked.

Go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\sysxh.exe
C:\WINDOWS\system32\ipks32.dll
C:\WINDOWS\system32\atlnc32.exe

C:\Program Files\Viewpoint

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with hijackthis, and post a new log please. And let us know if you're still having problems.

dlh6213 27 Posting Maven Team Colleague

Glad to hear everything is turning out well :)

Before you go online with your new computer, have a look at this thread:
http://www.daniweb.com/techtalkforums/thread16365.html

dlh6213 27 Posting Maven Team Colleague

If you're going to go to XP, why not just format and start fresh?

dlh6213 27 Posting Maven Team Colleague

Your log looks good now; might be a good time to set a Restore point :)

dlh6213 27 Posting Maven Team Colleague

You still need to get the Critical Updates for Win98 and IE.

Have hijackthis fix this entry:

O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Other than that, I think you're good to go :)

dlh6213 27 Posting Maven Team Colleague

Hi Pikachu,

What little I could find out about it doesn't really help much (http://translate.google.com/translate?hl=en&sl=zh-CN&u=http://bbs.db.kingsoft.com/forumdisplay.php%3Ffid%3D110%26sid%3Dnbdq4L&prev=/search%3Fq%3DNPFMONTR.exe%26hl%3Den%26lr%3D%26sa%3DG).

Lack of information is usually a pretty good indication of a bad file. Can you right-click on NPFMONTR.exe, go to Properties, and let us know whatever info you can (Manufacturer, version, etc.)?

dlh6213 27 Posting Maven Team Colleague

Hi Maurine, welcome to DaniWeb :D

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Update McAfee and run a full system scan.

Run at least two of these free online anti-virus/anti-spyware scans and have them clean what they can:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

Download, install, update, and run these tools:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html

Download Ewido Security Suite -- http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Note -- When you run Ewido for the …

dlh6213 27 Posting Maven Team Colleague

SilentBob, any updates here?


Larry, please stick to this thread:
http://www.daniweb.com/techtalkforums/thread25186.html


Agbd, please start a new thread (per forum rules -- http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules), and include an HijackThis log: Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it in your new thread.

dlh6213 27 Posting Maven Team Colleague

restore? you mean formatting everything again?
no I don't think this would help.

No, he didn't mean format again, he meant to use System Restore to return your system to a point when it was working properly. Here are instructions for using System Restore:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;Q306084

I have a couple of other suggestions as well. Since you're using Norton's firewall, you should disable the XP firewall -- that could be causing your problem.

Also, a reformat may help if you install SP2 before installing Norton (or use something other than Norton), but you will still need to disable the XP firewall, as you should only have one software firewall running.

Note: if you have a broadband connection, you should also have a hardware firewall.

dlh6213 27 Posting Maven Team Colleague

Here's a detailed review of different antivirus programs:
http://www.virusbtn.com/library/files/4pg_reprint.pdf

dlh6213 27 Posting Maven Team Colleague

Hi Benny591, welcome to DaniWeb :D

Since you suspect a 'bug' I've moved your thread to the Virus forum (for the time being anyway).

In order for us to see what you have running on your system, I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html

Then close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.

dlh6213 27 Posting Maven Team Colleague

I don't see anything else, but let's let crunchie make the final decision :)

How's your computer running now?

dlh6213 27 Posting Maven Team Colleague

You seem to have missed a step there :):

"Next please run HijackThis, click Scan, and check:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HijackThis and click Fix Checked."

dlh6213 27 Posting Maven Team Colleague

Now all's well with my Dell.

That's what really matters :)

You may want to check and see if CTHelper is still on your system; and if you ever need HijackThis again, remember to put it into its own folder.

For some tips on protecting your 'like new' computer, see this thread:
http://www.daniweb.com/techtalkforums/thread16365.html

Enjoy the site and happy computing!!

dlh6213 27 Posting Maven Team Colleague

Hi Kiwi Chris, welcome to DaniWeb :D

Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip

Unzip the file to your desktop.

Go offline until this is completed (you may wish to print these instructions).

Boot into Safe Mode and do a search for these files and delete any instances found:

param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe

If any could not be deleted (most likely param32.dll), run Pocket Killbox and paste the full file path of the file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)

Scan with hijackthis, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0058/
O4 - HKLM\..\Run: [cAg0u] C:\WINDOWS\SYSTEM\0B8C0040.hta

Be sure to close all open windows, other than hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\SYSTEM and delete 0B8C0040.hta

Reboot normally and delete any unwanted icons from your desktop.

Empty your Recycle Bin.

Check this site for additional worm removal steps:
http://www.pchell.com/internet/kakworm.shtml

Go to Windows Update and get the Critical Updates for your system.

Scan with hijackthis and post a new log please.

dlh6213 27 Posting Maven Team Colleague

It's still in a Temp folder (C:\Documents and Settings\Jp.STARGAZER\Local Settings\Temp\Temporary Directory 5 for hijackthis.zip\HijackThis.exe).

dlh6213 27 Posting Maven Team Colleague

Hi nas116, welcome to DaniWeb :D

You have a few things that should be fixed, but before fixing anything with HijackThis, you need to move it out of the Temp folder it is in now into its own permanent folder (something like c:\HJT\hijackthis.exe).

Before posting a new log you can:

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty the Recycle Bin.

Also, you may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:
"CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are …

dlh6213 27 Posting Maven Team Colleague

Hi Chili-man, welcome to DaniWeb :D

Sorry for the delay in responding to this; it got overlooked somehow :(

If you still need assistance, please put hijackthis into its own folder, like E:\HJT\hijackthis.exe (not running directly from the drive as you have it now).

Close any open browser windows, scan with hijackthis, and post a new log please.

Also let us know if you know what these (bolded) entries are for:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http: //www.fkitvgwkekbwsbiynvs.com/.../aNHRUeARk.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http: //www.fdljtqkxgbclmd.com/IBQyR...7PL9kHpfMI.html

dlh6213 27 Posting Maven Team Colleague

In Windows Me, RUNDLL32.EXE should be in the C:\WINDOWS\System folder (C:\WINDOWS\System\RUNDLL32.EXE), not in C:\WINDOWS as it shows in your log (C:\WINDOWS\RUNDLL32.EXE).

Make sure you have it here -- C:\WINDOWS\System\RUNDLL32.EXE
If you do, delete this one -- C:\WINDOWS\RUNDLL32.EXE
Make sure you don't delete the wrong one :)

Update and run about:Buster (http://www.majorgeeks.com/download4289.html)

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {D35D61AC-D852-4B0A-9A53-5477D612EC36} - C:\WINDOWS\SYSTEM\INBNOG.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {B553B599-5A99-42E5-8AC0-9493E3CBC625} - C:\WINDOWS\SYSTEM\INBNOG.DLL
O18 - Filter: text/plain - {B553B599-5A99-42E5-8AC0-9493E3CBC625} - C:\WINDOWS\SYSTEM\INBNOG.DLL

Be sure to close all open windows, other than hijackthis, before hitting Fix checked.

Go to the following location and delete the highlighted file:

C:\WINDOWS\SYSTEM\INBNOG.DLL

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for …
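
The entries listed in the post above, run through a small log reviewer, as an added example that is not part of the original post and not HijackThis's own logic. The two heuristics (a module loaded from a Temp folder, one module registered under more than one section) and the names `parse` and `review` are assumptions; the sample is constructed from six of the lines quoted above.

```python
import re
from collections import defaultdict

# Constructed sample: six entries in HijackThis log format, copied from the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {D35D61AC-D852-4B0A-9A53-5477D612EC36} - C:\WINDOWS\SYSTEM\INBNOG.DLL
O4 - HKLM\..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {B553B599-5A99-42E5-8AC0-9493E3CBC625} - C:\WINDOWS\SYSTEM\INBNOG.DLL
O18 - Filter: text/plain - {B553B599-5A99-42E5-8AC0-9493E3CBC625} - C:\WINDOWS\SYSTEM\INBNOG.DLL
"""

# "R1 - ...", "O18 - ...": section code, then the entry body.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# A drive-letter path ending in a loadable module (also matches inside res:// URLs).
MODULE_PATH = re.compile(r'[A-Za-z]:\\[^,/"]*?\.(?:dll|exe)', re.IGNORECASE)
# Assumed heuristic: any path component named exactly "Temp".
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


def parse(log):
    """Yield (section, body, module_paths) for each entry line in the log."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            paths = [p.upper() for p in MODULE_PATH.findall(m.group(2))]
            yield m.group(1), m.group(2), paths


def review(log):
    """Return (temp_loaded, multi_hook).

    temp_loaded: (section, path) for every entry that loads a module from Temp.
    multi_hook:  path -> sections, for modules registered in several sections.
    """
    temp_loaded, sections_by_module = [], defaultdict(set)
    for section, _body, paths in parse(log):
        for path in paths:
            sections_by_module[path].add(section)
            if TEMP_DIR.search(path):
                temp_loaded.append((section, path))
    multi_hook = {p: sorted(s) for p, s in sections_by_module.items() if len(s) > 1}
    return temp_loaded, multi_hook


if __name__ == "__main__":
    temp_loaded, multi_hook = review(SAMPLE_LOG)
    for section, path in temp_loaded:
        print(f"{section}: module loaded from Temp: {path}")
    for path, sections in multi_hook.items():
        print(f"{path} is registered under {', '.join(sections)}")
```

A flagged entry is a prompt for a closer look at the file on disk, not a verdict; the path is upper-cased only so that `se.dll` and `SE.DLL` group together.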

dlh6213 27 Posting Maven Team Colleague

It would help if we could see your HijackThis log.

dlh6213 27 Posting Maven Team Colleague

SilentBob3208,

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.

Empty your Recycle Bin.

Post your HijackThis log and we'll see if we can figure this out.

dlh6213 27 Posting Maven Team Colleague

Hi paraque_1, welcome to DaniWeb :D

Try this...

Scan with hijackthis and have it fix the following entries:

O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\System32\ie2cltr.dll
O16 - DPF: {11212111-2121-1311-1141-115611111222} - ms-its:mhtml:file://d: oo.mht!http://195.95.218.82/users/zoom/web...hm::/update.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (ウイルスバスター On-Line Scan) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

If these IP addresses are not related to your ISP, have hijackthis fix all the O17 entries as well -- 69.50.176.198 and 195.225.176.153

Close any open windows, other than hijackthis, before hitting Fix checked.

Go to C:\WINDOWS\System32 and delete ie2cltr.dll

Reboot, close any open browser windows, scan with hijackthis, and post a new log please. Let us know if you still have it.