Any other ideas?
I'm afraid I don't at the moment; I'll see if I can find out anything. Maybe someone else here will have some suggestions.
Looks okay to me :)
ok. i did everything you said again. i THINK it might have worked this time. the same files did not come back up in HJT. :)
I think you might be right :)
I don't see anything else in your log; let us know if you have any more problems. And don't forget to consider disabling CTHelper.
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)
Empty your Recycle Bin.
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [pwjjck] c:\windows\system32\jmpvui.exe
O16 - DPF: {09C6CAC0-936E-40A0-BC26-707480103DC3} -
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} -
Remember to close all windows before hitting Fix checked.
Make sure your system is set to Show hidden files and folders.
Go to the following locations and delete the highlighted files:
C:\WINDOWS\systb.dll
C:\windows\system32\jmpvui.exe
Reboot, close any open browser windows, scan with HJT, and post a new log please.
Those files are usually found in the C:\Windows\System32 folder, but one user reported finding one of the files in a "C:\!Submit" folder, so you may want to see if you have one of those too. As I said before, those files are just a hunch; the symptoms you described seem similar to other infections going around recently.
Have you tried using System Restore to return to a point prior to when you lost your search function?
If that doesn't work, try an in-place upgrade (aka repair installation); instructions can be found here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp
You should also go to Windows Update and get SP1 for XP.
Hi aslee, welcome to DaniWeb :D
This first part is kind of a guess, so you may not find any of the files listed.
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Delete any icons from your desktop that you didn't put there, and empty your Recycle Bin.
Scan with hijackthis, and have it fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findyourcouple.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findyourcouple.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.findyourcouple.com
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related …
Hi Quitahd, welcome to DaniWeb :D
Your English is pretty good :)
First thing to do is right-click on your desktop, and select New, Folder. Give the new folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.
Now, scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.adblaster2.info/ace100.htm
R3 - Default URLSearchHook is missing
Close any open windows, other than hijackthis, before hitting Fix checked.
That is the only thing I see in your log. Reboot, close any open browser windows, scan with hijackthis, and post a new log.
Is there an error code with the message on the blue screen? Can you tell us exactly what the message says?
Well, if it were me, I'd just remove that LKAI64CD, but I'll leave that up to you. The fact that there is no manufacturer's name is not a good sign. You could go to LKAI64CD.dll, right-click on it, and open it with notepad (or Wordpad) and see if there is anything helpful there.
If you wish to remove it, first go to Add/Remove Programs and, if it is there, remove it. Then have hijackthis fix these entries:
O2 - BHO: (no name) - {1E939C88-1797-444D-9E7D-9FE566C5679D} - C:\PROGRAM FILES\LKAI64CD\LKAI64CD.dll
O4 - HKLM\..\Run: [LKAI64CD] C:\PROGRAM FILES\LKAI64CD\LKAI64CD.EXE
And, finally, go to C:\PROGRAM FILES and delete the LKAI64CD folder.
You mentioned that you found param32.dll in a folder called C:\!Submit; that doesn't sound like a legit folder, what else is in there? That entire folder may need to be deleted.
Other than that, your log looks good to me. As soon as possible you need to go to Windows Update and get all the Critical Updates for your system.
What problems are you still having, if any?
Hi maizzie, welcome to DaniWeb :D
Start with this --
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Note -- When you run Ewido for the first time, you will get the warning Database could not be found!, click OK when you do.
Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.
Reboot into Safe Mode (reboot your computer and tap the F8 key while it's starting back up).
Double-click on the Nailfix.bat that is on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run a full system scan with Ewido (note: you will be posting the log from this scan when back in normal mode).
Reboot normally
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
Hey, it looks like we're off to a good start :)
Scan with hijackthis and have it fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0058/
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
Reboot, close any open browser windows, scan with HJT, post a new log, and let us know if you're still having problems. If so, please explain what the problem is.
Hi Wagas, welcome to DaniWeb :D
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Let your system reboot normally.
Delete any unwanted icons from your desktop and then empty your Recycle Bin.
Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.
Did you have any of the files I had listed in my first post (post #3)? If so, were you able to delete them?
The next time you post a hijackthis log, please post the entire log.
Go to Add/Remove Programs in your Control Panel and remove (if found):
Viewpoint (or Viewpoint Manager)
Scan with hijackthis and have it fix the following entries:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0058/
O2 - BHO: (no name) - {08351225-6472-43BD-8A40-D9221FF1C4CE} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
Be sure all windows are closed, other than hijackthis, before hitting Fix checked.
Go to the following location and delete the highlighted folder:
C:\Program Files\Viewpoint
Do you know what LKAI64CD is? It's in your Program Files; if you don't, could you go to the properties of it and give us whatever info you can on it?
Reboot, close any open browser windows, scan with HJT, and post the entire log please.
See if you can find anything helpful at either of these sites:
http://www.theeldergeek.com/shutdown_issues_in_xp.htm
http://support.microsoft.com/default.aspx?scid=kb;en-us;308029
Welcome to DaniWeb WCH1086 :D; you've been moved to the appropriate forum :)
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Reboot normally and delete any unwanted icons from your desktop.
Empty your Recycle Bin.
Get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.
Go ahead and follow the previous recommendations :)
You have HijackThis in a Temp folder (C:\Documents and Settings\Gebruiker\Local Settings\Temp\HijackThis.exe). You need to move HijackThis to its own permanent folder, like c:\HJT\hijackthis.exe.
After you move it to its own permanent folder, please post a new log. :)
Thanks!! I will definitely take those precautions. What web browser do you guys hzdll.dll and hoo.dll I've had issues with netscape on a few different machines. It seems to really "crunch" the computer at times.
Anyways, you have been a great help!
Try Firefox and Opera and use the one you prefer :)
DMR is correct about how quickly you can become infected, you may wish to do some things before you go online for the first time -- this thread may be of some help (a lot of it reiterates what DMR has already suggested):
http://www.daniweb.com/techtalkforums/thread16365.html
Go ahead with the other steps crunchie suggested.
Hi Laura, I don't think it will help with your Shutdown problem, but there are some things in your log that should be fixed.
Go to Add/Remove Programs in your Control Panel and remove (if found):
Media Access
Internet Optimizer
Scan with HJT and have it fix the following entries:
O2 - BHO: (no name) - {1FF04B25-0A23-4A12-960C-73F8B9950436} - C:\Program Files\WebSearch\Util\XBK52AHI.dll
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O16 - DPF: {0191ABF4-9421-435E-9FFD-CD827A2A82D8} (SBITAX7Ctrl Class) - http://directplugin.com/tl7000.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M.../bridge-c10.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downl...922/wmv9VCM.CAB
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...006_regular.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/...ash/swflash.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
Be sure all windows are closed, other than hijackthis, before hitting Fix checked.
Go to the following locations and delete the highlighted file …
Hi SirQuester, welcome to DaniWeb :D
So that we can see exactly what you have running on your system, I suggest you get the self-extracting version of HijackThis from here (in line 2):
http://www.malwareremoval.com/downloads.html
Then, close any open browser windows, 'Scan and Save Log' with hijackthis, copy the log, and paste it here in this thread.
I'm still trying to get a handle on this particular infection myself, but you can start with this --
Download Ewido Security Suite from here:
http://fileforum.betanews.com/detail/ewido_security_suite/1098736486/1
Install it, and while installing, under Additional Options, uncheck Install background guard and Install scan via context menu.
From the main Ewido screen, click on Update in the left menu, and then click the Start update button. After the update finishes (the status bar at the bottom will display Update successful), close the program (don't scan yet). If you have problems updating see here:
http://www.ewido.net/en/download/updates/
Note -- When you do run Ewido for the first time, you will get a warning Database could not be found!, click OK when you do, we will fix this in a moment.
Download Nailfix from here:
http://users.pandora.be/bluepatchy/nailfix.zip
Unzip it to your desktop, but do not run it yet.
Reboot into Safe Mode
Double-click on the Nailfix.bat on your desktop. Your desktop and icons will disappear and reappear, and a window should open and close very quickly -- this is normal.
Then run Ewido, and run a full system scan (you will be posting the log from the scan later when back in normal mode).
Reboot normally
Before fixing anything with hijackthis, you should put it into its own folder. To do this, right-click in an open area on your desktop, select New, Folder; give the new folder a name (something like …
...I've followed your instructions to the "T"...
Not quite, you still need to get the latest version of hijackthis :) You can get the self-extracting version from here (in line 2):
http://www.malwareremoval.com/downloads.html
The O-2 BHO's with (No file), are they deletable?
Yes, it is safe to have hijackthis fix the BHO's with (no name) & (no file)
As you can tell by looking I've not much experience in this area, but would really like to educate myself.
There are several HijackThis tutorials available, such as this one:
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42
He actually waited two days! Sorry it got overlooked NoS.
As crunchie said, there's nothing obvious in your log that would indicate a problem. Perhaps a Disk Cleanup and Defrag would help?
Hi adion, welcome to DaniWeb :D
Your system most likely has been severely compromised; can you use System Restore to return it to a date before you were infected? (http://securityresponse.symantec.com/avcenter/venc/data/hacktool.rootkit.html) You may need to consider reinstalling XP; if you do, get SP2 as soon as possible thereafter.
You can try the following to see if it helps any:
Go to Windows Update and get SP1a for both XP and IE.
Check for, and delete, the files listed here:
http://vil.mcafeesecurity.com/vil/content/v_102335.htm
Go to Start, Run, and type in services.msc; when the Services window opens, disable (for the time being at least) any entries that say Remote Access... (To disable them, first right-click on the entry, go to Properties, and next to Startup type, use the drop-down arrow and select Disable.)
Scan with hijackthis and have it fix the following entries:
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - E:\WINDOWS\web\related.htm
For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5
Delete the entire contents of your C:\Windows\Temp folder.
Delete the entire contents of your C:\Temp folder (if you have one).
Do a search for *.tmp and delete all entries found.
(Note: if any of these temporary files cannot be deleted while in ‘normal …
Get the PocketKillbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Run the PocketKillbox and paste C:\WINDOWS\System32\logm.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot.
After you've rebooted, check to make sure the file is gone and let us know the results.
Looks good to me :) Happy computing :D
Glad to hear things are working well :), but can you post a fresh hijackthis log just to make sure?
Good job :) I only see one more thing in your log; scan with hijackthis and have it fix:
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Be sure all windows are closed, other than hijackthis, before hitting Fix checked
Then go to C:\WINDOWS and delete svcproc.exe
Reboot, post a new log and let us know if you're still having problems (if so, please give us the details).
Hi DoctorTracker, welcome to DaniWeb :D
Get the PocketKillbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any could not be deleted, (most likely param32.dll), run the PocketKillbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Reboot normally and delete any unwanted icons from your desktop.
Empty your Recycle Bin.
Scan with hijackthis, and have it fix the following entry:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.specialgoods.info/ad/ad0271/
Be sure all windows are closed, other than hijackthis, before hitting Fix checked
Reboot, close any open browser windows, scan with hijackthis, post a new log, and let us know if you're still having problems.
You still need to put hijackthis into its own folder. To do this, right-click on an empty area of your desktop, select New, Folder; give the new folder a name (like HJT or HijackThis). Then, drag the hijackthis.exe icon that is on your desktop into the new folder.
Go to the following locations and delete the highlighted folders (if found):
C:\Program Files\SideFind
C:\Program Files\ISTsvc
Close any open browser windows, scan with hijackthis, and post a new log please.
Hi KlondikeTW, welcome to DaniWeb :D
Go to Add/Remove Programs in your Control Panel and remove (if found):
ISTsvc
SideFind
Before fixing anything with HijackThis, you should put it in its own folder. To do this, right-click on an empty area of your desktop, select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.
After you've moved it, please post a new log.
I noticed HotOffers in your log, so I thought I'd make a suggestion:
Get the Pocket Killbox from here (if you don't already have it -- I haven't read the entire thread):
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files and delete any instances found:
param32.dll
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
If any of these files could not be deleted, (most likely param32.dll), run Pocket Killbox and paste the full file path of file in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now?, Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Reboot normally, delete any unwanted icons from your desktop, and empty your Recycle Bin.
Go to Windows Update and get the Critical Updates for your system ASAP.
Update your antivirus program and do a full system scan.
Hi Prongs24, welcome to DaniWeb :)
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed (you may wish to print these instructions).
Boot into Safe Mode and do a search for these files:
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
Delete any found, and then do a search for param32.dll
Run Pocket Killbox and paste the full file path of param32.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Delete any unwanted icons from your desktop.
Empty your Recycle Bin.
Go to Add/Remove Programs in your Control Panel and remove ADVANCED SEARCHBAR, if found.
Scan with hijackthis, and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:NavigationFailure
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:NavigationFailure
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} …
Hi Gandalftheking, welcome to DaniWeb :)
Try Winsockfix and see if it helps:
http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml
Also, have you checked your firewall settings to see if anything there could be blocking some sites?
Go to Add/Remove Programs again and remove Viewpoint Manager
Scan with HJT and have it fix the following entries (if found):
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Go to C:\Program Files and delete the Viewpoint folder
I don't see anything else, are you still having problems?
I tried that link and it wouldn't work; I think this is it:
www.kellys-korner-xp.com/regs_edits/desktoptab.reg
Before fixing anything with hijackthis, you need to move it out of the Temp folder it's in to its own permanent folder, like c:\HJT\hijackthis.exe
After you move it, please post a new log (with all browser windows closed when you scan).
Ad-Aware SE and Spybot (http://www.download.com/) should both be able to fix that particular problem, did you update Spybot before running it? Did you try Ad-Aware?
Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe
Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.
Scan with hijackthis and have it fix the following entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {00000049-8F91-4D9C-9573-F016E7626484} - (no file)
O2 - BHO: (no name) - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - (no file)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Be sure all windows are closed, other than …
Go to Add/Remove Programs in your Control Panel and remove ISTsvc (if found).
Get CWShredder from:
http://www.downloads.subratam.org/CWShredder.exe
Open CWShredder, click on Check for updates, and after it's finished updating, click on Fix.
Scan with hijackthis and have it fix the following entries:
O4 - HKLM\..\Run: [CTfvH] C:\WINDOWS\pcgbmf.exe
O4 - HKLM\..\Run: [n8behn55] C:\WINDOWS\System32\n8behn55.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Be sure to close all windows, other than hijackthis, before hitting Fix checked.
Go to the following locations and delete the highlighted file or folder:
C:\WINDOWS\pcgbmf.exe
C:\WINDOWS\System32\n8behn55.exe
C:\Program Files\ISTsvc
Reboot, close any open browser windows, scan with hijackthis, and post a new log please.
Do you use Viewpoint Manager?
Scan with HJT and have it fix the following entries:
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
Remember to close all windows, other than HJT, before hitting Fix checked
Help keep your system clean and protected with Ad-Aware SE, Spybot Search & Destroy, and SpywareBlaster (you can download them all -- for free -- from Download.com). Keep them all updated along with your antivirus and Windows Updates.
Try booting into Safe Mode first, then scan with HJT and have it fix:
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {11212111-2121-1311-1141-115611111222} -
O16 - DPF: {24311111-1111-1121-1111-111191113457} -
Be sure all windows, other than hijackthis, are closed before hitting 'Fix checked.'
Reboot normally, close any open browser windows, scan with HJT, and post a new log.
Hi Indy, welcome to DaniWeb
The first thing you need to do is go to Windows Update and get SP1a for both XP and IE.
Next, you need to move HijackThis out of the Temp folder it's in to a permanent folder of its own (like c:\HJT\hijackthis.exe).
After you've done that, close all browser windows, scan with hijackthis, and post a new log please.
Do you use Viewpoint Manager?
Before you fix anything with HijackThis, you should move it from the Temp folder it's in to its own permanent folder (like c:\HJT\hijackthis.exe)
I believe LogonDll.dll is bad, but I don't think streamhlp.dll is; you can have them both checked here:
http://www.kaspersky.com/remoteviruschk.htm
Your log looks clean to me now, glad we could help.
To help keep your computer clean and protected, you should get:
SpywareBlaster (http://www.download.com/SpywareBlaster/3000-8022_4-10372089.html?tag=lst-0-1)
Ad-Aware SE (http://www.download.com/Ad-Aware-SE...76.html?tag=pop)
Spybot Search and Destroy (http://www.download.com/Spybot-Sear...35.html?tag=pop)
Keep them all updated, along with your anti-virus program, and run them frequently (about once a week).
Hi derekbka, welcome to DaniWeb :)
I've split your post (from http://www.daniweb.com/techtalkforums/thread22827.html) into its own thread so you can get individual attention and so the recommended fixes don't get confused.
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed.
Boot into Safe Mode and do a search for these files:
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
Delete any found, and then find param32.dll
Run Pocket Killbox and paste the full file path of param32.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Delete any unwanted icons from your desktop.
Empty your Recycle Bin.
Before you fix anything with HijackThis, you need to move it from the Temp folder it is in to its own permanent folder (like c:\HJT\hijackthis.exe).
After you've followed these steps, close any open browser windows, scan with hijackthis, and post a new log please.
Get the Pocket Killbox from here:
http://bleepingcomputer.com/files/spyware/KillBox.zip
Unzip the file to your desktop.
Go offline until this is completed.
Boot into Safe Mode and do a search for these files:
guninst.exe
popup_bl.dll
systr.dll
svrhost.exe
Delete any found, and then find param32.dll
Run Pocket Killbox and paste the full file path of param32.dll in the box and click on Delete on Reboot. Click on the button with the red circle and an X in the middle; you will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. (Note: the 'file path' will be something like C:\WINDOWS\System32\param32.dll)
Delete any unwanted icons from your desktop.
Empty your Recycle Bin.
Scan with hijackthis, and have it fix:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newgenlook.info/ad/ad0179/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Liens
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3
DMR --
In the beginning of this thread he said he didn't have access to any other computers, so I'm pretty sure he has only this one computer and no network.
Southernneonservice --
You should still answer all of DMR's questions to help determine a possible explanation/solution.
I recall asking you in a prior post how well you knew the person that installed XP on your computer; I don't recall the exact entries now, but something led me to suspect this person may attempt to do something like this because of certain programs on your computer that you didn't even know existed.
I still recommend a fresh installation of Windows 2000 (or purchase XP), and install it yourself!