Heh my apologies ShadowPuterDude. By the way, are u enrolled at MRU, cause ure name sounds familiar...
daddysla- glad we could help. It'd be incredible if ya marked the thread as 'solved'.
Thanks again.
Heh ya, we already tried that, with the LSPfix.
Thanks.
Ja, it looks all clean to me. However, before ya go, we need to rehide hidden folders:
We need to rehide system files. To do so, please follow the steps below:
Lastly, are ya having any more problems?
If so, mention them here, and we'll work from there.
If not, mention that ya don't, and mark the thread as solved.
Thanks again.
Hmmm, I'm outta ideas too.
Let's clean some more tho.
Begin by downloading CCleaner, and specifically choosing the most recent version.
Then, follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.
Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):
C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch
After doing this, move back to the 'Cleaner' …
Hello, welcome to daniweb. Begin by downloading HijackThis, a diagnostic software.
After downloading, drag the HJT icon onto the desktop, and run a scan with it, saving the log.
Post the log back here, and we'll take a look at it and get back to ya.
Thanks.
Alrite good. It seems Ewido caught the Qoologic, so that's good. However, what I still see is CnsMin, another hard-to-kill infection.
We're now gonna try 2 things.
First,
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.
After this, see if this file exists:
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
If you're able to, try to delete it.
Regardless if ya were able to delete or not, download SpySweeper (link in my sig below). Update definitions, and run a full scan, saving the scan log.
Post back here with the SS scan log, HJT log, and whether that file was present.
Thanks.
Good good, so you're now connected to the internet. However, still follow tayspern's instructions from the last post, as you are in no way clean spyware-wise.
After following his instructions, post a new log here and we'll continue with the fix.
Thanks.
Hmm, well if this was me, I would completely uninstall eEye Digital Security, for
1) there's better programs on the market
2) I've never heard of it before, and for all I know, it's dubious software.
My recommendation is to keep your Symantec products, keep Ewido, and download Microsoft Defender, and uninstall eEye.
Link for Defender:
http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&displaylang=en
O ya, and after doing all of those steps, post 1 more HJT log to verify you're clean.
Thanks.
First, try uninstalling FreeRAM XP Pro. It looks pretty dubious to me.
Couple more to check:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O11 - Options group: [INTERNATIONAL] International*
After this, reboot into safe mode and delete this folder:
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions
After that, it wouldn't hurt to download SpySweeper and run a scan.
Thanks.
Arg, typo up there, and too late to edit. It removed the ENTIRE infection, not half. My bad :mrgreen:
Thanks.
Ahhh good. I've done some researching, and from what I read, Adaware should be able to remove it. However, this info was posted yesterday, so I'm not completely certain of it just yet--as the required update is not available for automatic update yet. What ya need to do is install Adaware, and then also install an update manually.
Let's try this.
Download Adaware, and update definitions.
Then, after this, install this update: http://updates.ls-servers.com/public/defs.zip
After that, run a full scan, and when done, restart the computer.
Next, run HJT and post a new log.
Thanks.
Alrite, it removed half the infection, but that happens sometimes. If ya could, rerun the entire process ya just completed, but right after ya finish step 7, don't restart and post a log.
Instead, after step 7, do the following:
1) Uninstall the following in the Add/Remove Program list:
Voboc
IncrediBar
2) Place checks next to the following with HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Webflits
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {36DBB90D-A8C1-6F5F-8BB2-5816F0F90809} - C:\DOCUME~1\Eigenaar\APPLIC~1\BODYHO~1\WMASEND.exe (file missing)
O4 - HKLM\..\Run: [Oszmshpu] C:\Program Files\Voboc\Ouffys.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\Program Files\IncrediBar\bin\IBTBar.dll (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
Then, follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from …
So you're saying ya opened regedit and modified the registry, according to the Microsoft instructions, and it still doesn't work?
Hmmm. Install SpySweeper (link in sig below), update definitions, and run a scan. Post the log back here.
Thanks.
This problem isn't due to spyware or such. Rather, it's a bug in the software.
Here's the solution, and you're gonna need regedit:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;170086
To get to regedit, go to start>run, and type 'regedit' (minus the '').
Thanks.
Welcome to daniweb. Let's begin uninstalling the following:
AdawareAlert
SpywareFighterGuard
After this, open HJT and check the following:
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\adwarealert.Exe -boot
O4 - HKLM\..\Run: [spywarefighterguard] C:\Program Files\SPYWAREfighter\spfprc.exe
O4 - HKLM\..\Run: [eTrust PestPatrol Active Protection] none
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
After this, reboot into safe mode and delete the following folders and files:
C:\Program Files\AdwareAlert
C:\Program Files\SPYWAREfighter
C:\Program Files\Yahoo!\Common\yinsthelper.dll
After this, reboot into normal mode and install Ewido (link found in my sig below). After installation, update definitions and run a full scan, saving the log.
Post back here with a new HJT log and the Ewido log.
Thanks.
Alrite great. As I said, ya have several infections, so we'll deal with 1 at a time.
Let's begin with the Aurora infection.
BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.
First, download Ewido Security Suite.
Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.
Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.
Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.
You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.
When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.
For a final cleanup, please install …
Sure thing. By the way, welcome to daniweb :)
First off, ya don't have the most recent version of HijackThis. Download it from here. Move the icon to your desktop, and run a new scan.
Ahead of time, I already see an Aurora/Nail infection, so just be ready for that.
Thanks.
Hmm, the log's clean. Do ya still not have internet access?
(Hint: It might be named 'spool32', but that's a guess.) :cool:
Hmm, well the log looks clean. Let's try this. Uninstall SpySweeper.
After doing this, run another Ewido scan, and if it just finds tracking cookies, then ya don't need to post it.
After that, to be sure it's clean, we'll run 2 online scans:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
Run both, and post back logs here if they give them to ya.
Then, 1 more HJT log after it all.
Thanks.
Yep, all clean except for one thing:
O20 - Winlogon Notify: winprb32 - winprb32.dll (file missing)
Fix that and you're good.
Now for everything else. SmitFraudfix is pretty pointless for anything other than SpyAxe etc, so I would take it off your computer. Ewido I would leave on, as it's a very good cleaner (NOTE: After 14 days or so, it'll tell ya that the free subscription has expired. However, the only things ya lose are automatic updates and a background guard--none of which are necessary. Rather, before scanning, be sure to manually update.)
Other than that, I see nothing else.
Glad we could help:)
Thanks.
Hah welcome back. Let's begin by uninstalling anything in Add/Remove Programs that has to do with UltimateBet.
Then, follow up by checking the following:
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{081B9341-1060-428C-B409-3DA4DC40CDA9}: NameServer = 210.14.16.5 210.14.16.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{081B9341-1060-428C-B409-3DA4DC40CDA9}: NameServer = 210.14.16.5 210.14.16.2
After fixing these, reboot into safe mode and delete the following folder:
C:\Program Files\UltimateBet
Arg, ure right along that, but I wanna know where the physical files are. Did ya try scanning with SpySweeper, or did ya jus look for the scan log?
The best thing to do would be to run a new scan, save the log, and post that, but if ya can't do that cause of membership restrictions, I understand too.
Lastly, fix the following in HJT:
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
After this, post a new HJT log, and the spysweeper log if possible.
Thanks.
Roger that about firefox :)
Haha good, it all looks good. Just 1 more thing. Could ya post a new HJT log?
Thanks.
Wow. Maybe it's your connection then. What type of connection do ya got? And along with that, do ya ever experience erratic behavior with other things (ie music streams, etc)?
I guess that's good in a sense that it's just the internet that's affected.
Thanks.
Hmm, alrite. We're gonna do several things. First off, outta curiosity, did ya recently uninstall Norton Antivirus, or is it still on your computer?
Other than several entries because of what was mentioned above, your log is clean.
The next best thing to do is run a new SpySweeper scan and save the log, posting it here, even though you cannot delete the folders with SpySweeper. We'll do it manually.
Ok, so 1 thing in the nxt post: new SpySweeper log.
Thanks.
Hmm I don't see anything too toxic. Still, fix the following:
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} (Progetto1.int_ver34) - http://advnt01.com/dialer/int_ver34.CAB
O20 - Winlogon Notify: Themes - C:\WINNT\system32\ftsdrv.dll
After this, delete this file in safe mode (ya might have to unhide hidden files to get at it):
C:\WINNT\system32\ftsdrv.dll
After this, run an Ewido scan and post a log back here, along with a new HJT log.
Thanks.
EDIT: It also wouldn't hurt to watch this topic for a few days, and let some other people give thoughts
Heh damn, I missed it somehow. Anyways, it's part of the OS:
http://www.liutilities.com/products/wintaskspro/processlibrary/wmiprvse/
Hmm, if the keyboard isn't having problems, then I think we can rule out an outside disruption of the signals.
The best bet now is to either post at a different subforum here or to jus call the helpline. (I have no further knowledge on the issue :mrgreen: )
Thanks again.
(heh, musta missed those entries ;) Good catch tayspern :cheesy: )
Here, the link's broken for SmitRem. Instead, we'll use SmitfraudFix.
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Thanks.
Heh, I'm the exact same with CCleaner. :cheesy:
The processes ya named
1) wisptis.exe - This is a Microsoft process that runs with Adobe Acrobat
2) I couldn't find the other one.
Most likely, the best things are these:
1) try to use a wired mouse and try it out. If the erratic behavior still persists, then ya kno the prob's inside the computer.
I don't think it's an internet problem, simply because (I assume), ya still have the problems when not online.
Heh, and I don't have the best knowledge about wireless network cards and such, but did ya upgrade the card or the router recently?
Lastly, it prly wouldn't hurt to repost the same problem in another subforum here, cause there are some pretty smart people here (I'd recommend reposting in Windows NT forum or the Tips and Tweaks)
O ya, and make sure ya tell them it's not spyware when ya post there.
Thanks.
Welcome to daniweb. Heh it IS in fact a great community to work at too. Now let's get down to business. I'll admit it, you're pretty infected, but we can fix everything that's in there.
Let's begin by downloading Ewido and SpySweeper (links for both are in my sig below). Update definitions for both, and run full scans with both, fixing everything they find, and saving both logs.
After doing that, restart your computer and fix the following through HJT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R3 - URLSearchHook: (no name) - {013CE0E5-7B2E-60EE-7C82-5087EAF4BEBB} - C:\WINNT\system32\nnr.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Nothing - {edbf1bc8-39ab-48eb-a0a9-c75078eb7c8e} - C:\WINNT\system32\hp60BB.tmp
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
After doing this, reboot into safe mode and delete the following files (ya might have to unhide hidden folders to do this):
C:\WINNT\system32\nnr.dll
C:\WINNT\system32\hp60BB.tmp
Restart into normal mode after this, and run HJT and post a new log here, along with the spysweeper and ewido logs.
Thanks.
Alrite great. Let's begin with HijackThis, a diagnostic software that helps us determine the problem.
Thanks.:)
Welcome to daniweb. Your log is clean.
However, it wouldn't hurt to download CCleaner.
Download the latest version of it, update its definitions, and run scans in both the 'Issues' and 'Cleaner' toolbars.
Also, have ya run an Ewido scan anytime soon (I see that ya have it already installed)? If yes, do ya recall if it found anything besides cookies? If ya haven't run one recently, run a scan and post a scan log here.
I have a feeling the mouse problem might be 2 things: either old batteries in the mouse (try changing them), or outside interference. Oftentimes something like a fan or the microwave, or cordless phones affect this connection, creating some weird things to happen.
Thanks.
Haha nah, it's not the lightbulb. One of the admin must have marked it already.
We're glad we could help ya. :)
Thanks again.
Alrite, a couple things. First, could ya post the contents of this file in your nxt post:
C:\Look2Me-Destroyer.txt
Then, fix the following in HJT:
O4 - HKCU\..\Run: [Taae] "C:\DOCUME~1\Daddy\APPLIC~1\RACLE~1\winlogon.exe" -vt rbnd
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E35CB13D-8054-4E07-8758-94AD785FFE83}: NameServer = 24.29.103.10,24.29.103.11
Ok, time for Killbox. The ~ in the file name shows that the computer cannot read exactly what the name is. Therefore, we sorta have to guess in a sense which folder it is based on the letters we know.
Therefore, I'm pretty confident the initial folder is Doc & settings. So we know so far it's this : C:\Documents and Settings.
The nxt word is intact, so we know it's here:
C:\Documents and Settings\Daddy
The nxt folder appears to be 'Applications'. So we now have this:
C:\Documents and Settings\Daddy\Application Data
After this step, it's becoming a little difficult. Go to this spot so far (to get here, u'll prly need to unhide folders). Inside 'Application Data', look for a folder with the first letters being 'Racle' . Also, the file might just be 'Oracle'. After finding files, post back here the names of them, and we'll work from there.
Thanks.
Ahh, alrite great, that's good news.
I apologize for that little scare there, I jus wanted to be sure Haxdoor was all gone.
If ya could mark the thread as 'solved', it would be great.
Thanks.
larbec, if ya could, simply start a new post. Although the topics may seem similar, they're generally more different than they appear.
So, if ya could start a new topic, it'd be great.:D
Thanks.
It looks all good to me, except for 1 program:
Spyware Begone was recently on the Rogue/Suspect list--in other words, its service is questionable as a spyware defender.
I would recommend uninstalling it, and instead, using Ewido as an antispyware. Also keep Norton running.
Other than that, it all looks good to me :D .
Haha just gonna wait for tayspern to second that before we let ya go :cheesy:
Thanks again, and if ya could, mark the post as 'solved'.
Thanks.
True, but do ya think it's safe to assume that that's the only part of it on the system? I was jus gonna run blacklight and verify it wasn't there.
Whaddya think? (heh ure the one with more experience, so it's up to ya)
Alrite, incredible, we know where it's located now.
With killbox, delete the following on reboot (note: some may not be present, that's ok):
C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\CnsMin.dll
C:\WINDOWS\Downloaded Program Files\CnsMinIO.dll
C:\WINDOWS\Downloaded Program Files\cnsio.dll
C:\WINDOWS\Downloaded Program Files\CnsHook.dll
C:\WINDOWS\Downloaded Program Files\cnshint.dll
c:\program files\3721
After doing this, reboot your computer again, run SpySweeper again, and save the log. Then, reboot 1 last time, and run a HJT scan.
Post killbox results, spysweeper results, and the HJT results.
Thanks.
Arg, I wouldn't be so certain you're clean jus yet. For 1, ewido found a Haxdoor variant in its scan. Haxdoor is a very bad form of malware. It steals financial passwords and sends them to hackers.
However, I'm not saying this is the case; it's just a possibility. And with luck, DMR'll step in soon :)
Until then, let's download Blacklight:
http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe
Post back here with the blacklight log and a new HJT log.
Thanks.
Ahh so it's Spyware Quake. By the way, that's probably the infection that's killin ya right now.
Well after ya run adaware, download Ewido (link found in my sig below). Download it, update its definitions, and run a full scan, fixing everything presented. Save the log and post it here.
Therefore, in the nxt post, post an Ewido log, and a new HJT log that was run after the ewido scan.
We'll work from here, although I'm now pretty confident it's a Spyware Quake infection.
Thanks.
Ok, step 2.
Have ya tried deleting baidu in safe mode? If so, respond back, and we'll work from there.
ALSO, download 2 programs, SpySweeper and Adaware
(spysweeper in my sig. below)
(adaware - http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5 )
After downloading, run the update for both, and then run both programs, saving the SpySweeper log.
After doing that, fix these in the HJT log:
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.htm...&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.htm...ns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.htm...s&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.htm...cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.htm...=cns&btn=clean (file missing)
After this, restart the computer and post a new HJT log, and the Spysweeper log.
Thanks.
Also, after ya post, what was the software ya were tryin to install? Jus curious.
Thanks.
Hmm alrite, I don't see anything in the log, but that doesn't mean it isn't there. SpySweeper caught some bad things (other than cookies), so that's good news.
Outta curiosity, which antivirus/antimalware is it that's telling ya ure infected?
Thanks.
Alrite, a couple more things:
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
Also, be sure to delete the file. After fixing it thru HJT, reboot into safe mode, and delete the following folder:
C:\WINDOWS\system32\hp341B.tmp
To find it, ya might have to enable hidden folders, under the 'tools' toolbar.
Thanks.
Alrite, Ewido is also rated to find, but won't always delete it. SOO, here's wat we're gonna do.
Download Ewido (link found in my sig below). After downloading, update its definitions, and run a scan. BE SURE to save a log.
After running the scan, post the scan log back here, along with a new HJT log.
Thanks.