Posts by 'Stein

Haha no worries, use ahead. If ya want, post back and ill send ya some other canned msgs. i use (Spyaxe fix, L2me Fix, Vundofix, Nail fix, resetting system restore, reinstalling IE, etc...)

Ahh great, thanks alot :)

Ok, this'll be my last post for teh nite--gotta go study for tmr, but ya, post all of the scans, and Ill take a look at them tmr sometime (prly around 8pm) and get back to ya.

Thanks.

Hmmm, did Mcafee prevent ya from dling and running the program?

Cause the scan from the program itself is a fair amount more thorough.

If ya can get it to dl and run, it'd be incredible. If not, it's ok.

Still looking forward for that SpySweeper scan log.

Thanks.

Yep, if ya could do that, it'd be great. Ya might have a few problems tho--often times, AVs are known for having bloody uninstallers.

If it gives ya a ton of problems, then just ignore it and continue on with the fix--we can always delete it at the end.

Thanks.

Hmm alrite. The log's clean, but I wanna run some other tests. And ya, it was expected that the startpages would be deleted. That should be easy to replace.

By the way, what is McAfee tellin ya in those beeps and popup screens?

Alrite, now, we're gonna download 2 programs, Ewido and SpySweeper (links can be found in my signature below).

Download both, update definitions for both, and run scans with both (normal mode, not safe mode, should be fine).

After running both, save both of the scan logs.

Post both of the scan logs back here, and we'll work from there.

Thanks.

Yes, you're fine as long as ya delete the contents of this file:

C:\Documents and Settings\<User>\Local Settings\Temp

All of the files in here are *.tmp

Lastly, I would rather ya use CCleaner in comparison then any other one, simply because I know how to use it, and I know it doesn't have imbedded spyware or anything similar.

After ya finish up with that, reboot into normal mode again (simply restart the computer), open HJT, and check the following:

Check the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop

After checking, close all of the other windows and hit 'fix checked'.

After doing this, restart the computer and post a new log.

Thanks.

Heh sorry for bein unclear.

Yes, download the program and then put in the custom folders.

After this, shut down the computer. Wait 30 seconds. Then, restart the comupter, constantly hitting F8 until a screen comes up. Choose 'Safe Mode', and let it open. Then, run CCleaner.

The only thing safe mode does is limit the number of startup processes that turn on.

After doing this, come back and i'll list what ya need to check in HJT.

Thanks.

Alrite great, first off, Ill let ya do this while we go thru the log: (NOTE: Be sure to run the scan in Safe mode)

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files". 9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every …

Ok, great. I'll help ya with it all.

First, let's turn system restore back on.

Then, after that, download HijackThis, a diagnostic software. After downloading, move the icon from the folder to the desktop, and open it.

Run a scan and save the log.

Post the log back here and we'll help ya out.

Thanks.

Heh my apolegies ShadowPuterDude. By the way, are u enrolled at MRU, cause ure name sounds famailiar...

daddysla- glad we could help. It'd be incredible if ya marked the thread as 'solved'.

Thanks again.

Heh ya, we already tried that, with the LSPfix.

Thanks.

Ja, it looks all clean to me. However, before ya go, we need to rehide hidden folders:

We need to re hide system files. To do so, please follow the steps below:

1. Double-click My Computer.
2. Click the Tools menu, and then click Folder Options.
3. Click the View tab.
4. Put a check by "Hide file extensions for known file types."
5. Under the "Hidden files" folder, select "Show hidden files and folders."
6. Check "Hide protected operating system files."
7. Click Apply, and then click OK.

Lastly, are ya having any more problems?

If so, mention them here, and we'll work from there.
If not, mention that ya don't, and mark the thread as solved.

Thanks again.

Hmmm, I'm outta ideas too.

Let's clean some more tho.

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files". 9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' …

Alrite good. It seems Ewido caught the Qoologic, so that's good. However, what I still see is CnsMin, another hard-to-kill infection.

We're now gonna try 2 things.

First,
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

After this, see if this file exists:

C:\WINDOWS\Downloaded Program Files\CnsMin.dll

If you're able to, try to delete it.

Regardless if ya were able to delete or not, download SpySweeper (link in my sig below). Update definitions, and run a full scan, saving the scan log.

Post back here with the SS scan log, HJT log, and whether that file was present.

Thanks.

Hmm, well if this was me, I would completely uninstall eEye Digital Security, for
1) there's better programs on the market
2) I've never heard of it before, and for all I know, its dubious software.

My reccomendation is to keep your Symtanic products, keep Ewido, and download Microsoft Defener, and uninstall eEye.

Link for Defender:
http://www.microsoft.com/downloads/details.aspx?FamilyID=435bfce7-da2b-4a6a-afa4-f7f14e605a0d&displaylang=en

O ya, and after doing all of those steps, post 1 more HJT log to verify uou're clean.

Thanks.

Arg, typo up there, and too late to edit. It removed the ENTIRE infection, not half. My bad :mrgreen:

Thanks.

Alrite, it removed half the infection, but that happens sometimes. If ya could, rerun the entire process ya just completed, but right after ya finish step 7, don't restart and post a log.

Instead, after step 7, do the following:

1) Uninstall the following in the Add/Remove Program list:

Voboc
IncrediBar

2) Place checks next to the following with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Webflits
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {36DBB90D-A8C1-6F5F-8BB2-5816F0F90809} - C:\DOCUME~1\Eigenaar\APPLIC~1\BODYHO~1\WMASEND.exe (file missing)
O4 - HKLM\..\Run: [Oszmshpu] C:\Program Files\Voboc\Ouffys.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: IncrediBar - {023FA804-DCE1-4817-94ED-6BA4200F9AF2} - C:\Program Files\IncrediBar\bin\IBTBar.dll (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from …

Alrite great. As I said, ya have several infections, so we'll deal with 1 at a time.

Let's begin with the Aurora infection.

BEFORE BEGINNING, Please read completely through the instructions below and download the files from the links provided. You may want to save or print out these instructions for easier reference.

First, download Ewido Security Suite.

Next, download Lavasoft's Ad-Aware and the VX2 Cleaner Plug-in. Install Ad-Aware using the default options, then install vx2cleaner_inst.exe, taking all the defaults there as well.

Run Ad-Aware, update to the latest definitions, then click on Add-ons in the lefthand column. Select VX2 Cleaner V2.0 and click Run Tool. Click "OK", then, if something is found, click "Clean" as in the directions given. Click "Close", and exit Ad-Aware.

Reboot your PC and run Ad-Aware again. This time, click on the Start button in Ad-Aware, select "Perform smart system scan" and click Next. Once the scan finishes, click "Next" again. Select all objects found (right click anywhere in the list of found objects and click "Select All Objects"). Click "Next" one more time, then "OK" to confirm the removal.

You will be prompted to set Ad-Aware to run on reboot, click "OK". Exit Ad-Aware and restart your PC once again.

When Ad-Aware starts up, click on "Start", then "Next". Follow the steps above if anything is found, or click "Finish", then exit Ad-Aware.

For a final cleanup, please install …

Arg, alrite. We're now gonna try a LSPfix, although I don't think that's the problem.

Download LSPfix here, and run it.

Post a log if it gives it to ya.

After that, run a new HJT scan and post back here.

Thanks.

Sure thing. By the way, welcome to daniweb :)

First off, ya don't have the most recent version of HijackThis. Download it from here. Move the icon to your desktop, and run a new scan.

Ahead of time, I already see an Aurora/Nail infection, so just be ready for that.

Thanks.

Hmm, the log's clean. Do ya still not have internet access?

(Hint: It might be named 'spool32', but that's a guess.) :cool:

Hmm, well the log looks clean. Let's try this. Uninstall SpySweeper.

After doing this, run another Ewido scan, and if it just finds tracking cookies, then ya don't need to post it.

After that, to be sure it's clean, we'll run 2 online scans:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/

Run both, and post back logs here if they give them to ya.

Then, 1 more HJT log after it all.

Thanks.

Arg, ure right along that, but I wanna where the physical files are. Did ya try scanning with SpySweeper, or did ya jus look for the scan log?

The best thing to do would be to run a new scan, save the log, and post that, but if ya can't do that cause of membership restrictions, I understand too.

Lastly, fix the following in HJT:

O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab

After this, post a new HJT log, and the spysweeper log if possible.

Thanks.

Haha good, it all looks good. Just 1 more thing. Could ya post a new HJT log?

Thanks.

Hmm, alrite. We're gonna do several things. First off, outta curiosity, did ya recently uninstall Norton Antivirus, or is it still on your computer?

Other then several entries because of what was mentione above, your log is clean.

The next best thing to do is run a new SpySweeper scan and save the log, posting it here, even though you cannot delete the folders with SpySweeper. We'll do it manually.

Ok, so 1 thing in the nxt post: new SpySweeper log.

Thanks.

Alrite great. Let's begin with HijackThis, a diagnostic software that helps us determine the problem.

Download HijackThis]L], and move the icon out of the unzipped folder to your desktop. After doing this, run a scan and post a log back here. From that, we'll work from there.

Thanks.:)

Alrite, a couple things. First, could ya post the contents of this file in your nxt post:

C:\Look2Me-Destroyer.txt

Then, fix the following in HJT:

O4 - HKCU\..\Run: [Taae] "C:\DOCUME~1\Daddy\APPLIC~1\RACLE~1\winlogon.exe" -vt rbnd
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v5.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{E35CB13D-8054-4E07-8758-94AD785FFE83}: NameServer = 24.29.103.10,24.29.103.11

Ok, time for Killbox. The ~ in the file name show that the computer cannot read exactly what the name is. Therefore, we sorta have to guess in a sense which folder it is based on the letters we know.

Therefore, I'm pretty confident the initial folder is Doc & settings. So we know so far it's this : C:\Documents and Settings.

The nxt word is intact, so we know its here:
C:\Documents and Settings\Daddy

The nxt folder appears to be 'Applications'. So we now have this:
C:\Documents and Settings\Daddy\Application Data

After this step, it's becomming alittle difficult. Go to this spot so far (to get here, u'll prly need to unhide folders). Inside 'Application Data', look for a folder with the first letters being 'Racle' . Also, the file might just be 'Oracle'. After finding files, post back here the names of them, and we'll work from there.

Thanks.

Ahh, alrite great, that's good news.

I apolegize for that little scare there, I jus wanted to be sure Haxdoor was all gone.

If ya could mark the thread as 'solved', it would be great.

Thanks.

larbec, if ya could, simply start a new post. Although the topics may seem similar, they're generally more different then they appear.

So, if ya could start a new topic, it'd be great.:D

Thanks.

True, but do ya think it's safe to assume that that's the only part of it on the system? I was jus gonna run blacklight and verify it wasn't there.

Whaddya think? (heh ure the one with more experience, so its up to ya)

Arg, I wouldn't be so certain you're clean jus yet. For 1, ewido found a Haxdoor variant in its scan. Haxdoor is a very bad form of malware. It steals financial passwords and sends them to hackers.

However, I'm not saying this is the case; it's just a possibility. And with luck, DMR'll step in soon :)

Until then, lets download Blacklight:

http://www.europe.f-secure.com/exclude/blacklight/blbeta.exe

Post back here with the blacklight log and a new HJT log.

Thanks.

Alrite, a couple more things:

O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll

Alrite, Ewido is also rated to find, but won't always delete it. SOO, here's wat were gonna do.

Download Ewido (link found in my sig below). After downloading, update it's definitions, and run a scan. BE SURE to save a log.

After running the scan, post the scan log back here, along with a new HJT log.

Thanks.

EDIT: Haha forget it, you're clean enough lol

Alrite, let's fix the following:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/gam...aploader_v6.cab
O23 - Service: Network DDE DSMA (NetDDEdsma) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Alrite, after doing this, reboot into safe mode. While in safe mode, delete the following file if it's there (I jus wanna double check it's not still there):

C:\WINDOWS\svchost.exe

After fixing these, download Ewido (link in my sig. below). Download it, update its definitions, and run a scan. Be sure to save the scan log.

Post back here with a new HJT log and the Ewido log.

Thanks.

Alrite, sorry this is alittle delayed, but let's begin with a little safeguard.

Open Program Files, and create a new folder there, and name it 'HJT'. Then, drag the HJT icon into this newly-created folder, and run a new scan.

We'll work from this new log.

Thanks again.

heh, zoned, I wish it was that easy.

Let's start by downloading FindQoologic-Narrator. Extract(unzip) the files into their own folder. Browse to where you saved them. Double-click the Find-Qoologic2.bat file to run it. A text file will open. Copy and paste the contents of the file into your reply along with a new HijackThis log please.

After fixing Qoologic, we'll fix the other entries in the log.

Thanks, and by the way, this might take a little bit to fix.

All's good, except for number 6. Instead of finding that specific file inside Prefetch, ya can just clear the entire folder... Legit programs put themselves back inside tehre automatically, and sometimes spyware just sits around in there.

So, for number 6, clear out the entire prefetch folder, but leave the folder itself.

Thanks.

Well lets start from the top. First off, it appears that you have a completely 'virgin' form of XP; in other words, you havnt installed any security updates yet. I would STRONGLY recommend doing this AFTER we fix your computer.

Secondly, I see that HJT is saved in a temporary folder. What you need to do is create a new folder in Program Files, named 'HJT'. Move the HJT icon into this folder.

Lastly, download Ewido and SpySweeper (both are found in my sig below). Update definitions for both programs, and then run scans with both, saving the logs for both.

When ya come back, I want 3 things, a new HJT log, an Ewido log, and a Spysweeper log.

Thanks.

Now that I look back, I believe ya might have a LOP infection -- hinted at with the MessengerPLus3. However, I'll wait for Demeneted before I go further with this.

EDIT: Follow the one above^^

Sure, we can help you. Welcome to Daniweb by the way :) Yes, in fact you have the W32/Kassbot-L worm, shown by the HJT line below.

You're going to begin by first checking this line in your HJT log:

O23 - Service: Windows XP Manager (Manager) - Unknown owner - C:\WINDOWS\msnmgr.exe

Then, after doing this, please reboot into safe mode (repeatedly hit F8 while starting up). While in safe mode, please delete this file:

C:\WINDOWS\msnmgr.exe

After doing this, reboot into normal mode, download both SpySweeper and Ewido (links for both can be found below), and be sure to update definitions for both. Then, run scans for both, saving both logs.

Then, after doing that, post back here with a new HJT log, Ewido log, and SpySweeper log.

Thanks.

Demented, sorry, alittle off topic, but have ya gone thru MRU?

Heh well I leanred the hard way, but would ya recommend doing it for further training (for me)?

Lastly, would ya say it helps ya overall?

Thanks.

Yes, you are. Now, run HJT, 'Scan Only', and place checks next to the following:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O15 - Trusted Zone: http://*.windowsupdate.microsoft.com
O15 - Trusted Zone: http://*.windowsupdate.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

After placing checks, close all windows and hit 'Fix Checked'. Then, restart your computer.

After the restart, download SpySweeper (link found in sig. below). Be sure to update definitions. Run a full scan, and post the scan log back here, along with a new HJT log.

Thanks.

Heh, ya kno what? Just post them all together.

Thanks.

Hah you have a small amount of infection, but we can all fix it here. Begin by trying to uninstall anything having to do with Empire Poker or Party Poker

After doing this, check these in HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe

After doing this, reboot your computer into safe mode. While in safe mode, find these files and delete them:

C:\Program Files\EmpirePoker
C:\Program Files\PartyPoker

After this, reboot into normal mode. While here, download Ewido and SpySweeper, (links for both can be found below). After updating definitions for both, run scans with both, saving both logs.

Next, post back here with an Ewido log, SpySweeper log, and …

Good good,, that's a good sign that all Ewido/SpySweeper caught were tracking cookies..
Now to the log. Check the following boxes in HJT:

O4 - HKCU\..\Run: [RealPlayer] "F:\Program Files\realplay.exe" /RunUPGToolCommandReBoot
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

After this, post back with a new log.

Hmm, well I don't see anything spyware related-ish in the HJT log. The Ewido and SpySweeper logs had what you'd expect--just cookies, so that's good. Heh and I apolegize, but that's where my computer knowledge really ends. I'd really recommend reposting a new thread in both the 'Windows NT/2000/XP/2003' forum and in the 'Windows tips n tweaks' forum, saying in both that it's been checked by us and is spyware free.

After that, I wish ya good luck with the problem.

Thanks.

Heh it really is fun. To tell ya the truth, I'm just like you, wanted to learn how to read it, and just learned..with the help of some websites. I must say tho, most contributing members here *cough Tayspern, Demented, DMR, cough* are IT guys.

Well here are the sites I used to learn how to read it. (Ill explain each one)

1) the best site I use is CastleCops . Generally, it explains each entry (O2, O3, etc), and what each means. I have this linked to my desktop.

2) The next best site I use is also CastleCops, but it's where it explains virtually every process there is for O2, O3, O4, O9, O10, O16, O18, O20, O21, O22, and O23 (basically, all the important Os). This is where I manually check each process to be sure its spyware free. here You choose the O-type in the pull-down menu in the top left.

3) The 3rd best site I use is sorta a computer checker--basically ya copy/paste the log into the box, and a computer goes over it. HOWEVER, double check each entry here, for there are MANY false positives and negatives. The best option is to double check the entries with Castle Cops (#2).

In general, ya learn by doing it the hard way and taking a log (preferably from this site) and checking over process by process, and eventually ya learn all of the common, …

Alrite, about the nwiz entry. Haha, I'll agree, it looks real suspicious, but its in nearly every log I've looked at. Also, I double checked this with CastleCops (the best in the business), and they confirmed,, its part of an NVidia graphics card.

Other then this though, I don't see anything in the log. IF you're still having problems, download SpySweeper (found in the sig. below). Update definitions and run..saving the log and posting it back here with a new HJT. We'll go from there.

Hah jeez, thats not good, welcome to Daniweb by the way. Ok, begin by trying to uninstall

MessengerPlus! 3

This program is FILLED with spyware. Next, begin by checking these entries in HJT:

O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

After this, download SpySweeper, Ewido, and CCleaner from my signature below. Update the definitions for each one, but dont run them yet. Next, reboot into safe mode and start by deleting this file:

C:\Program Files\MessengerPlus!3

Next, run Ewido, Spysweeper, and CCleaner, saving the Ewido and Spysweeper logs.

Then, reboot into normal mode again, and post the 2 logs, along with a new HJT log.

Thanks.