'Stein 150 Lapsed Skeptic Team Colleague

Well, spyware-wise, ya don't got too much. Fix the following:

O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A1A2D54-C40A-485A-8FC6-3451C3B033A5}: NameServer = 68.94.156.1,68.94.157.1

Several things. To try to fix the IE problem, go to 'Config'>'Backups'. With luck, the things ya fixed earlier are still there.

Lastly, the person who screwed ya up, did he post here (as in Daniweb)?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, we'll try this one more time. Fix the following:

O2 - BHO: BandIE Class - {77FEF28E-EB96-44FF-B511-3185DEA48697} - C:\PROGRA~1\baidu\bar\baidubar.dll
O2 - BHO: IE - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O3 - Toolbar: 百度超级霸 - {B580CF65-E151-49C3-B73F-70B13FCA8E86} - C:\PROGRA~1\baidu\bar\baidubar.dll
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O8 - Extra context menu item: 用比特精下载(&B) - C:\Program Files\BitSpirit\bsurl.htm
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.zs.yahoo.com/cnsbutton.ht...s&btn=yahoomail (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=taobao (file missing)
O9 - Extra button: Yahoo Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://cn.zs.yahoo.com/cnsbutton.ht...cns&btn=yassist (file missing)
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.zs.yahoo.com/cnsbutton.ht...ns&btn=yahoomsg (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://cn.zs.yahoo.com/cnsbutton.ht...=cns&btn=repair (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://cn.zs.yahoo.com/cnsbutton.ht...e=cns&btn=clean (file missing)

After fixing these, reboot into safe mode and delete the following folders:

C:\Program Files\baidu
C:\Program Files\BitSpirit

After doing this, search Windows for any of the following and delete any entries:

CnsHook.dll
CnsMin.dll

After doing this, post back with a new log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, that should do (I jus want DMR to second that before we move on), but in the meantime, fix the following:

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe

After doing this, run Ewido 1 more time. I wanna see if it'll clean the files that had an error the first time.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Well, a little more advice. For one, I would strongly recommend switching to FireFox, a different kind of internet browser. It's significantly safer to use, considering it's not as interconnected to the physical computer compared to FF. However, it still runs the same way as IE.

The link for it can be found in my sig below.

Also, I would recommend keeping Windows Defender. Although many people think it's bad because it's Microsoft, it actually is a very good 'real-time' anti-spyware because it prevents the prevention of spyware installation.

And that's about it. Good luck.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Question then,

What prevents ya from dling Ultimate Boot CD and using it on some random person's computer?

(Heh sry, saw the post from afar, and looked pretty interesting.)

'Stein 150 Lapsed Skeptic Team Colleague

Heh my bad...

You're right:
Quote:
Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use something like "C:\Program Files\HijackThis" but feel free to use any name. See here for specific instructions and screen shots to help:
http://russelltexas.com/malware/createhjtfolder.htm
This is to ensure it makes the necessary backups for recovery if needed.

Haha thanks... :mrgreen:

'Stein 150 Lapsed Skeptic Team Colleague

Arg, I'm pretty certain it's just the filename we worry about, but ya got a lot more experience than me :) . According to the GUID (at castlecops), it's SpyAxe, and the filename they list is this:

hp****.tmp (* = random char or digit)

So I dunno, but I think it'd be better to play it safe rather than let it go.

Whaddya think? :-|

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, it could be MarketBrowser. Let's begin by checking the following:

O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy

After doing this, reboot into safe mode and delete the following file:

C:\Program Files\MarketBrowser

After doing this, reboot into normal mode and download SpySweeper (link in my sig below). Update its definitions and run a scan, saving the scan log.

Post back here with a new HJT log, SpySweeper log, and the Ewido log if ya still have it.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, well Wareout seems to be the main problem so far.

Let's fix this WareoutFix. Have ya tried uninstalling it and then reinstalling it again? This might fix it. If u've already tried this, post back and we'll work from there.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

EDIT: Haha forget it, you're clean enough lol


Alrite, let's fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Alrite, after doing this, reboot into safe mode. While in safe mode, delete the following file if it's there (I jus wanna double check it's not still there):

C:\WINDOWS\svchost.exe

After fixing these, download Ewido (link in my sig. below). Download it, update its definitions, and run a scan. Be sure to save the scan log.

Post back here with a new HJT log and the Ewido log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, sorry this is a little delayed, but let's begin with a little safeguard.

Open Program Files, and create a new folder there, and name it 'HJT'. Then, drag the HJT icon into this newly-created folder, and run a new scan.

We'll work from this new log.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Yep, you're right. Ya got a nasty version of SpyAxe.

Let's begin with a safeguard. The first problem I see is that HJT was run from a temporary folder. Fix this by creating a folder inside Program Files, and name it 'HJT'. Drag the HJT icon into this new folder, and run a new scan.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Here's the link:

http://downloads.malwareremoval.com/hijackthis.zip

One thing to be sure of when running a scan--the program's in a permanent folder. To do this, create a new folder inside Program Files, and name it 'HJT'. Then, when ya download HJT, immediately drag the HJT icon into this newly-created folder, and run it from here.

After doing this, run a scan and post the results.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

heh, zoned, I wish it was that easy.

Let's start by downloading FindQoologic-Narrator. Extract (unzip) the files into their own folder. Browse to where you saved them. Double-click the Find-Qoologic2.bat file to run it. A text file will open. Copy and paste the contents of the file into your reply along with a new HijackThis log please.

After fixing Qoologic, we'll fix the other entries in the log.

Thanks, and by the way, this might take a little bit to fix.

'Stein 150 Lapsed Skeptic Team Colleague

Ya, the log looks clean to me. Outta curiosity, do ya happen to still have the Ewido or SpySweeper logs? Ya didn't happen to post them...

Lastly, are ya still having problems?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

All's good, except for number 6. Instead of finding that specific file inside Prefetch, ya can just clear the entire folder... Legit programs put themselves back inside there automatically, and sometimes spyware just sits around in there.

So, for number 6, clear out the entire prefetch folder, but leave the folder itself.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hah alrite great, thanks. Begin by checking the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

But other than that, I don't see too much. Are ya having problems, or is this jus a regular checkup?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, awesome. One more thing to do.

Start by rebooting into safe mode. Then, once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.

No worries tho, ya can always put it back.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Sure thing. Check the following:

O1 - Hosts: localhost 127.0.0.1
O4 - HKLM\..\Run: [dmukh.exe] C:\WINDOWS\system32\dmukh.exe
O4 - Global Startup: clockmon.exe
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/gam...ts/y/dot4_x.cab
O16 - DPF: Yahoo! Fleet - http://download.games.yahoo.com/gam...s/y/fltt3_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/gam...nts/y/nt1_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud9.sports.sc5.yahoo.com/ja...lgcst1016_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/pote_x.cab

Also, check the O17 entries if ya don't recognize the IP there.

After doing this, restart the computer and install LSPFix. Run this and have it fix anything it finds.

After doing this, post back here with a new HJT log.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, first off, ya have a problem about where HJT is. Begin by creating a new folder in Program Files, and name it 'HJT'. Then, drag the HJT icon into this new folder, and run a new scan, posting the log.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, before we start, you have a problem. Create a new folder in Program Files, and name it 'HJT'. Then, drag the HJT icon into this new folder, and rerun a scan.

This may seem pointless, but it has its uses.

Post with a new scan.

Thanks,

'Stein 150 Lapsed Skeptic Team Colleague

Ok, first off, you have a Vundo infection.

We're gonna do 3 things.

1) Ya need to move HJT into a permanent folder. Begin by creating a new folder inside Program Files, and name it HJT. Drag the HJT icon into this folder.

2) Download VundoFix to your desktop. Then double click the icon, and hit Scan for Vundo.

After scanning, click 'Remove Vundo'.

You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.

3) Download Ewido, and be sure to update definitions.

Post back here with a new HJT log, and the contents of this file:

C:\vundofix.txt


Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, great, begin by checking the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
F3 - REG:win.ini: load=??u?
F3 - REG:win.ini: run=??u?
O1 - Hosts: 195.13.63.187 irc.westwood.com
O1 - Hosts: 195.13.63.187 servserv.westwood.com
O9 - Extra button: (no name) - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - (no file)
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/gam...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/gam...nts/y/et1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/gam...ts/y/pote_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} -
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.com...iof5_3_16_0.cab
O20 - AppInit_DLLs: pushow75.dll

After fixing these, download SpySweeper and Ewido (links for both can be found below). Update definitions for both, and then run scans for both, saving both.

Return here with a new HJT log, Ewido log, and a SpySweeper log.

Thanks
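The entry types the helpers keep pointing at in these posts (orphaned "(no file)" / "(file missing)" entries, O20 AppInit_DLLs loads, F3 win.ini autostarts, O1 Hosts overrides, O17 NameServer changes, a BHO living in a .tmp file, and svchost.exe sitting in C:\WINDOWS instead of System32) are easy to pre-screen mechanically before a human reads the log. The script below is an added example, not part of the original posts and not code from HijackThis or Daniweb; it parses HJT's one-entry-per-line format and lists the entries that deserve a look, with a reason for each. The sample log is constructed from lines quoted in the posts on this page, and the rule set and reason wording are my own assumptions about what a first-pass triage should flag.

```python
"""Added example: first-pass triage of a HijackThis (HJT) log.

Not the original poster's code and not part of HijackThis. It only
reads the text log; it does not change anything on the machine.
"""
import re

# Constructed sample: entries copied from the HJT logs quoted on this page.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F3 - REG:win.ini: load=??u?
O1 - Hosts: 195.13.63.187 irc.westwood.com
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\System32\hp57C7.tmp
O3 - Toolbar: (no name) - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O4 - HKLM\..\Run: [CnsMin] Rundll32.exe C:\WINDOWS\downlo~1\CnsMin.dll,Rundll32
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{3A1A2D54-C40A-485A-8FC6-3451C3B033A5}: NameServer = 68.94.156.1,68.94.157.1
O20 - AppInit_DLLs: pushow75.dll
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
""".strip()

# Every HJT entry starts with a section tag (R0, F3, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")

# Well-known system binaries that legitimately live in System32; the same
# name directly under the Windows root is a classic masquerade.
ROOT_SYSTEM_BINARY_RE = re.compile(
    r"[a-z]:\\windows\\(svchost|lsass|csrss|winlogon|services)\.exe"
)


def parse_entry(line):
    """Split one log line into section tag and body; None if not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # blank line, header text, or a non-HJT line
    return {"section": m.group(1), "body": m.group(2), "raw": line.strip()}


def assess(entry):
    """Return the list of reasons an entry deserves review (empty = no flag)."""
    sec, low = entry["section"], entry["body"].lower()
    reasons = []
    if "(no file)" in low or "(file missing)" in low:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if sec == "O20" and low.startswith("appinit_dlls:"):
        reasons.append("AppInit_DLLs: DLL is loaded into every process that uses user32")
    if sec == "F3" and "win.ini" in low:
        reasons.append("legacy win.ini load=/run= value used as an autostart")
    if sec == "O1":
        reasons.append("Hosts override: confirm the IP really belongs to that name")
    if sec == "O17":
        reasons.append("custom NameServer: confirm the DNS servers are your ISP's")
    if sec == "O2" and low.endswith(".tmp"):
        reasons.append("BHO loaded from a .tmp file")
    if ROOT_SYSTEM_BINARY_RE.search(low):
        reasons.append("system binary name running from the Windows root, not System32")
    return reasons


def triage(log_text):
    """Return [(raw_line, [reasons...]), ...] for every flagged entry, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = assess(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_LOG):
        print(raw)
        for reason in reasons:
            print("   ->", reason)
```

On the sample, the ProxyOverride, CnsMin Run entry and Yahoo YInstStarter lines come through unflagged, while the O23 svchost.exe service picks up two reasons (missing file and wrong directory). The rules are deliberately loose; the output is a reading aid for the person who still decides what gets 'fix checked', not a verdict.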

'Stein 150 Lapsed Skeptic Team Colleague

Ok, I'm new to the hardware issues.

Outta curiosity, why would ya think it to be a RAM problem?

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Haha no worries, nothing in there was super deadly except maybe the messengerpro.

And ya, congrats on 1000

*round of applause*

'Stein 150 Lapsed Skeptic Team Colleague

Ok, now you're gonna open up HJT, and check the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/gam...inematycoon.cab

After checking these, be sure to close every other window, and hit 'fix checked'.

After doing this, download Ewido and SpySweeper (links both found in my sig below). After downloading, update definitions for both and run scans for both. Be sure to save the scan logs for each ones.

Then, reply here with a new HJT log, Ewido log and SpySweeper log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Well, most of the time it depends on the program. Some programs (i.e. QuickTime) allow ya to manually prevent the icon from opening (it's inside System preferences > advanced tab).

Other programs, however, open them on their own.

I'd recommend going thru each individual program trying to find that option, cause most programs give that option to ya.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Yep, zoned's right, and I'll get there in a sec.

After doing what tayspern mentioned, begin by uninstalling anything having to do with MessengerPlus3 using the Add/Remove programs list.

After doing that, check these in addition to what tayspern mentioned:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O20 - AppInit_DLLs: Runner.dll

After fixing these, reboot into start mode and delete the following folder:

C:\Program Files\MessengerPlus! 3

After doing this (after tayspern's instructions), post a new log please.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Yes, by the way, welcome to Daniweb. Let's begin by installing HijackThis, a type of diagnostic software. Before downloading, create a new folder in Program Files.

To do this, open up My Computer > Local Disk > Program Files. While in here, right click, and enter a new folder, naming it 'HJT'. With this still open, download HJT, and drag the HJT icon into this new folder. After doing this, open up HJT and click 'scan only'.

After running a scan, save the log. Copy this log into a reply here, and we'll take a look at it.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Ok, I don't see anything else in the log. I want to see something else tho.

While inside HJT, click 'Config', then 'Misc Tools', then 'Generate StartupList log'. This should open a notepad file. Copy this notepad file into a response here.

Lastly, download SpySweeper (found in sig below). With luck, this will find the problem. If not, you might have a rootkit.

Post back here with the StartupList log, and the SpySweeper log.

'Stein 150 Lapsed Skeptic Team Colleague

Zoned, outta curiosity, what makes ya think its a rootkit?

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, with the firewall issue, we'll leave that for after the cleaning. Let's begin by trying to uninstall anything having to do with PartyPoker in the Add/Remove Programs list. Then, follow this up by checking the following in HJT:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - http://www.sentara.com/cabs/wficat2.cab
O18 - Filter: text/html - {994D478A-45D0-4DB4-AE77-288B1E346E99} - (no file)
O20 - AppInit_DLLs: Runner.dll
O20 - Winlogon Notify: iexplore - dm3dm.dll (file missing)

After doing this, reboot into safe mode (continuously hit F8 while booting up). While in safe mode, delete the following folders:

C:\Program Files\PartyPoker
C:\Program Files\FCAdvice

After doing this, reboot into normal mode, and download Ewido (link found in sig below). Update definitions and run a scan, saving the log.

After doing all of this, post back with a new HJT log, and the Ewido log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, several more things to check:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

These are the necessary things that need to be fixed. If you're also looking to speed up your computer, however, I would recommend several things.

1) Download CCleaner (link found in my sig. below). Be sure to update definitions, and run scans in both 'Issues' and 'Cleaner', fixing everything you find.

2) Have ya tried defragmenting?

3) On a personal level, I feel most Norton products are junk. I was a Norton fan before I knew much, and now after learning a lot about it all, Norton isn't one of the better scanners. Also, the program on a whole uses MUCH of the hard drive. And that's Norton AV alone--you have about 5 different Norton products installed.

If this was me, I would uninstall the products and install AVG or something similar instead.

Links for other AVs and firewalls: http://www.daniweb.com/techtalkforums/thread27519.html

After following thru with this, post a new log, and tell me of your plan of action.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Well, let's start from the top. First off, it appears that you have a completely 'virgin' form of XP; in other words, you haven't installed any security updates yet. I would STRONGLY recommend doing this AFTER we fix your computer.

Secondly, I see that HJT is saved in a temporary folder. What you need to do is create a new folder in Program Files, named 'HJT'. Move the HJT icon into this folder.

Lastly, download Ewido and SpySweeper (both are found in my sig below). Update definitions for both programs, and then run scans with both, saving the logs for both.

When ya come back, I want 3 things, a new HJT log, an Ewido log, and a Spysweeper log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, I hate to sound mean, but you're running from a temporary folder. If ya could, create a new folder in Program Files, titled 'HJT'. Now, move the current HJT program and icon and all into this folder and run a new log.

There are 2 purposes for this

1) A run from a permanent folder will occasionally find hard-to-find files that are associated with spyware.

2) Changes in HJT can be backed up in case of a screw-up.

Heh sorry for sounding mean.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Arg, I apologize. I meant for ya to post the StartupList log, not a normal HJT log.

If ya could do that, it would be incredible.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite great, ya have a SpyAxe infection.

Begin by trying to uninstall these programs from the Add/Remove Programs list:

MyWebSearch
WinFixer 2005

After doing this, reboot your computer, and open up HJT. Begin checking the following:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by OptusNet
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: Nothing - {7a932ed2-1737-4ab8-b84d-c71779958551} - C:\WINDOWS\System32\hp57C7.tmp
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKCU\..\Run: [WinFixer 2005] C:\Program Files\WinFixer 2005\uwfx5.exe /scan
O4 - HKCU\..\Run: [WinFixer2005] "C:\Program Files\WinFixer 2005\uwfx5.exe" /min
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZSYYYYYYYYAU
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...tup1.0.0.15.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/act...l_v1-0-3-24.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

After checking, close out every window besides HJT and hit 'fix …

'Stein 150 Lapsed Skeptic Team Colleague

Heh sry I wasn't more specific. But yes, I meant a multimedia file, which ya assumed :) .

Ok, let's try something else.

Inside HJT is something called 'Generate StartupList Log'. We are going to do this.

Open up HJT, click 'Config' > Misc Tools. Then, before hitting the 'startuplist' button, be sure to check both boxes next to it. Run a full scan and throw it back at me in here.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm alrite, your HJT log looks clean, and I like what I see in the SpySweeper log --just cookies, which is good.

That still leaves us with the problem tho. Lemme ask a couple more questions. Is it JUST IE/Firefox having problems, or is it other programs also? Ya might also wanna try it with some graphics and see how those work out.

After that question, we'll go from there.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Alrite, let's begin with HJT. Download HijackThis from here, and be sure to save it in a permanent folder. In other words, create a folder in Program Files, and name it HJT. Extract HJT into its own folder, and run it from there.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hey, welcome to daniweb noob.

Ok, to begin, your HJT folder is in a temporary location. Begin by creating a new file in Program Files, and title it HJT. After doing this, place the entire HJT application in here and rerun a scan.

Sorry for the hassle, but oftentimes, it'll find more problems, and also will allow you to back up if ya make a mistake.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Ahh, sounds good.

Thanks again.

'Stein 150 Lapsed Skeptic Team Colleague

Well, the replacing certain files and such (which ya just mentioned), is available, known more commonly as 'Repair'.

On the other hand, a fresh reinstall of XP would COMPLETELY swipe the hard drive, and everything on it.

NOTE: I intended this post to just be informative. If ya want more information on reformatting and such, just post back and we'll send ya more.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

It could be another thing. Is the IP 127.0.0.1 familiar to ya? If yes, leave it alone; if no, then rerun HJT and check this line:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

Also, since u've tried several other antispywares, download SpySweeper (link found in my sig below) and run a scan, saving the log.

After doing this, post back here with a new HJT log and the SpySweeper log.

NOTE: If, for some reason, the checking of the R1 line causes problems, ya can always go to the 'backup' tab in HJT and replace the entry back in.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Now that I look back, I believe ya might have a LOP infection -- hinted at with the MessengerPlus3. However, I'll wait for Demented before I go further with this.

'Stein 150 Lapsed Skeptic Team Colleague

EDIT: Follow the one above^^

Sure, we can help you. Welcome to Daniweb by the way :) Yes, in fact you have the W32/Kassbot-L worm, shown by the HJT line below.

You're going to begin by first checking this line in your HJT log:


O23 - Service: Windows XP Manager (Manager) - Unknown owner - C:\WINDOWS\msnmgr.exe

Then, after doing this, please reboot into safe mode (repeatedly hit F8 while starting up). While in safe mode, please delete this file:

C:\WINDOWS\msnmgr.exe

After doing this, reboot into normal mode, download both SpySweeper and Ewido (links for both can be found below), and be sure to update definitions for both. Then, run scans for both, saving both logs.

Then, after doing that, post back here with a new HJT log, Ewido log, and SpySweeper log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, if that doesn't work, try uninstalling it, and download it again. There's a possibility there was an error during that.

Along with that, post a new HJT log.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Hmm, have ya tried running it in safe mode?

How to get into safe mode: Repeatedly hit F8 while starting computer.

Try that.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Heh sry to add more to that long list, but after fixing this problem, I would strongly recommend changing browsers and using FireFox instead (link can be found below).

FireFox has fewer security flaws, more timely updates, etc., meaning less spyware on your computer.

Ah well, I think others here will agree with me on this.

Thanks.

'Stein 150 Lapsed Skeptic Team Colleague

Demented, sorry, a little off topic, but have ya gone thru MRU?

Heh well I learned the hard way, but would ya recommend doing it for further training (for me)?

Lastly, would ya say it helps ya overall?

Thanks.