kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

First of all, move HJT to a permanent folder such as C:\HJT or something similar.
Now, run HJT and check the following.
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
Now close all other windows and click fix checked.

Next download and install ewido from here.

  • Close all other applications, select language, click OK
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open the main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at top of screen.
  • This is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click …
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Download HiJackThis from here.

Make a new folder called HJT in the C: directory (C:\HJT). Extract the zip contents to that folder. Run HJT and select the scan option. After it finishes scanning there should be a save log button. Once clicked it should open up a notepad file with the log. Copy and paste the contents of the notepad file in your next reply.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Run HJT and post a new log plz.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Plz don't piggyback off someone else's thread; plz post a new thread with a title like "plz help, can't change homepage" or something similar.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Tayspen still has old ewido instructions; here are the new ones.

Please download and install ewido anti-spyware tool

  • Close all other applications, select language, click OK
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open the main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at top of screen.
  • This is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner at top of Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted …
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Tayspen has still got the old ewido instructions; here are the new ones.

Please download and install ewido anti-spyware tool

  • Close all other applications, select language, click OK
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open the main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at top of screen.
  • This is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner at top of Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under …
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, first run HJT and check the following.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\C\system32\hp101.tmp
O4 - HKLM\..\RunOnce: [Remove at boot] C:\DeleteAtReboot.bat
O20 - Winlogon Notify: winmmt32 - C:\C\SYSTEM32\winmmt32.dll
Close all other windows and click fix checked.

Now go to Jotti's online scanner and upload and scan the following file and post the results back here.
C:\C\SYSTEM32\byxutrs.dll

Next, reboot to safe mode by tapping F8 during start up and delete the following files.
C:\C\system32\dcomcfg.exe
C:\C\system32\atmclk.exe
C:\C\system32\hp101.tmp
C:\DeleteAtReboot.bat
C:\C\SYSTEM32\winmmt32.dll
After that reboot to normal mode and run HJT again and post a new log here along with the jotti's results.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

You're welcome, and if you're not experiencing any problems you can mark this thread as solved. (There should be a link at the top of the page.)

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well, are you sure Top Text is on your computer? If it is, you might see black text highlighted with yellow and underlined. If you don't see these, then the internet cleanup thing might just have a problem. Also, you can check in Add/Remove Programs for the following and uninstall them.
TopText, TopText ILookup, HotText, or ContextPro
These may not exist, so if they don't, don't worry.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, first download Ewido Security Suite from here.

  • Close all other applications, select language, click OK
  • Click I Agree
  • Click next
  • Click Install
  • Click Finish
  • Wait; Ewido will open the main screen automatically.
  • Wait again a few minutes and Ewido should auto-update itself. If it doesn't, click Update at top of screen.
  • This is very important to get updates
  • When updating has finished, close Ewido.

If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.

  • Next, please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear; use arrow up to highlight
  • Select the first option, to run Windows in Safe Mode, and hit Enter.
  • For additional help in booting into Safe Mode, see the following site: HERE

    You MUST manage to get into Safe Mode for the fix to work.

Make sure to close all open windows/programs/folders. Have nothing else open while ewido performs its scan!

  • Open Ewido
  • Click on scanner at top of Ewido screen
  • Click on Settings
  • Under How to Act click on Recommended Action choose Quarantine
  • Under How to scan all boxes should be selected
  • Under Possibly unwanted software all boxes should be selected
  • On right side under Reports:
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Hmm I'll look into that, Thx.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, first of all run HJT and check the following.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123
The following is optional but is a resource hog and is not of much use.
O4 - HKCU\..\Run: [StatBar] D:\Program Files\Globe Software\StatBar\StatBar.exe\
Close all other windows and click fix checked.

Also, about those files, try rebooting to safe mode by tapping F8 during start up and deleting them.
Post your new HJT log and tell me the problems that still exist.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

DMR, are you considering Viewpoint Manager to be malicious? Because it's in his log, just so you know.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Yeah, they're nice once in a while. Casmax, you can mark this thread as solved.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well from that log I only see one thing. So run HJT and check the following.
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
Close all other windows and click fix checked.

Post the new HJT log from normal when you're done.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

This log looks a little bit lacking. Were you in safe mode when you ran HJT? If you were, reboot to normal and run HJT on normal and post the new log here.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, go here and download the Purity Scan uninstaller and run it; tell me if that works.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well this was one of those thinking out of the box problems, now wasn't it.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

The reason the HJT lines weren't there is because you were in safe mode. Reboot to normal, check and fix the HJT lines, then reboot to safe mode, run ewido and see if it deletes the apra.dll and the other thing.


If that doesn't work download Pocket killbox from here.

Open Killbox and select the delete on reboot option and click on all files.
Then click on the open folder symbol and navigate to the following.
C:\WINDOWS\system32\winyme32.dll
C:\WINDOWS\system32\arpa.dll
When you click on them press ok and then go to the next file.
Make sure that both files are located in the drop down box.
Now click on the kill button (the red circle with a white x).
The computer should restart itself; if it doesn't, restart it manually.

Post the new HJT and ewido logs.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, I have one more idea. Some malware blocks itself from hijackthis.exe, so change it to something else like scanner.exe and then run it and post a new HJT log.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

There's nothing in your log that indicates that ezula is on your computer, but I did find a couple things. Run HJT and check the following.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
Close all other windows and click fix checked.

Also try running ewido security suite. You can download it from here.

  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display "Update successful"
  • Click on Scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where …
kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Sorry, I was at my friend's house looking at his HJT log, but I didn't want to keep switching programs so I was posting it here so that I could do everything using Mozilla. You can ignore this; I'm still using it, but it will look like something weird to everybody else considering I gave his updated log instead of him.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

wooohooo a new one

Logfile of HijackThis v1.99.1
Scan saved at 10:16:32 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\AOL\1128546654\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Yahoo!\Usernames\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

and yet updated even more.


Logfile of HijackThis v1.99.1
Scan saved at 6:45:29 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\RGF2aWQgUHJvdHo\command.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\AOL\1128546654\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Usernames\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Yahoo!\Usernames\ewido anti-spyware 4.0\ewido.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Here's your updated log.

Logfile of HijackThis v1.99.1
Scan saved at 6:33:45 PM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\RGF2aWQgUHJvdHo\command.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Common Files\AOL\1128546654\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Cookie Washer\aolwasher.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Yahoo!\Usernames\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Yahoo!\Usernames\ewido anti-spyware 4.0\ewido.exe
C:\HJT\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.emachines.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

The shortcuts on my desktop have grey backgrounds. It's probably not malware related because I couldn't find anything wrong with my log, but anyway here's a screenshot and my HJT log.
[IMG]http://img509.imageshack.us/img509/7039/screenshot8rm.jpg[/IMG]
Here's my HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 11:34:10 AM, on 6/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
E:\AVG\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
E:\AVG\avgamsvr.exe
E:\AVG\avgupsvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG7_CC] E:\AVG\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Yahoo! …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Download HiJackThis from here.

Make a new folder called HJT in the C: directory (C:\HJT). Extract the zip contents to that folder. Run HJT and select the scan option. After it finishes scanning there should be a save log button. Once clicked it should open up a notepad file with the log. Copy and paste the contents of the notepad file in your next reply.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

If you don't use it anymore, I would check the following HJT line and fix it because it's been known to cause problems.
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab

After fixing that line see if anything works.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well, download Process Explorer and see if there are any processes showing that are not in Task Manager and we will go from there.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Do you have Trend Housecall Antivirus on your computer?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

After extracting HJT to C:\HJT run it and check the following.
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\System32\nodeipproc.dll
O4 - Global Startup: GStartup.lnk = C:\Program Files\Common Files\GMT\GMT.exe
O4 - Global Startup: WebSecureAlert.lnk = C:\Program Files\WebSecureAlert\WebSecureAlert.exe
There are some optional ones.
You have two firewalls running, McAfee's and AOL's; if you would rather have McAfee's running, then check the following.
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1137010996\ee\services\sscFirewallPlugin\ver1_10_3_1\SSCRun.exe
Also, did you install the Alexa program? If you didn't, check the following.
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
After checking those close all other windows besides HJT and click fix checked.

Reboot to safe mode for the following.
Using My Computer, navigate to the following files and folders and delete them.
C:\Program Files\WebSecureAlert\WebSecureAlert.exe
C:\WINDOWS\System32\nodeipproc.dll
C:\Program Files\Common Files\GMT\GMT.exe
C:\Program Files\Common Files\GMT
If you didn't install Alexa, delete the following.
C:\WINDOWS\web\related.htm
After deleting those, reboot to normal and do a new HJT scan.

Post the new HJT log here and tell me if your GF can still see what you're doing.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Are you still having problems?

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, then let's do a couple things.
First download Ewido's Security Suite from here.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

You could transfer the files with a CD or Memory Stick.
If you don't have both hard drives hooked up already, you could connect them at the same time and transfer the files in safe mode.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Yeah it is, it has Windows 95 on it.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Then you can mark this thread as solved. There should be a link at the top that says mark as solved.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok, download Pocket Killbox from here.
Run Killbox and check the box that says delete files on reboot.
Then select the all files button.
Go to the folder icon and navigate to the apra.dll and TTrib~1.exe and click ok. When you go to the drop down box you should see them there.
Close all other windows and click on the kill button (red circle with white x). Killbox should reboot your computer. After it's done, post a new HJT log.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Move HJT to C:\HJT and try again.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well, kfreaptd.exe is still there, so let's get rid of that.
Run HJT and check the following.
O4 - HKLM\..\Run: [dglllly] C:\DOCUME~1\craig\APPLIC~1\kfreaptd.exe -QuieT
Close all other windows and click fix checked.

After that go to my computer and click on Tools>Options
then go to the view tab and under hidden files and folders CHECK "show hidden files and folders" also UNCHECK "hide protected operating system files and folders"
Then see if you can find C:\DOCUME~1\craig\APPLIC~1\kfreaptd.exe
It is most likely in this folder
C:\Documents and Settings\craig\Application Data\
look there and delete it.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Plz download HJT from here.

Once downloaded, follow these instructions to install and run the program:

Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Try an ewido scan. You can download it from here.

  1. Install ewido anti-malware
  2. When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  3. Launch ewido, there should be an icon on your desktop, double-click it.
  4. The program will now open to the main screen.
  5. When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  6. You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  7. The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:

  • Open up Ewido
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
  • Close ewido anti-malware.

Reboot.

After reboot run …

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok run HJT and check the following.
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB - (no file)
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8 - (no file)
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F - (no file)
O2 - BHO: (no name) - {665ACD90-4541-4836-9FE4-062386BB8F0 - (no file)
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKCU\..\Run: [shell] "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - HKLM\..\Run: [dglllly] C:\DOCUME~1\craig\APPLIC~1\kfreaptd.exe -QuieT
Also the following are optional and are not malware, only resource hogs.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
Close all other windows and click fix checked.

Next reboot to safe mode by tapping the F8 key during start up and delete the following files and folders by navigating to them in Windows Explorer and deleting them.
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\DOCUME~1\craig\APPLIC~1\kfreaptd.exe (Most likely C:\Documents and Settings\craig\application data\kfreaptd.exe)

After that go to Jotti's online scanner and upload and scan the following file.
C:\WINDOWS\System32\RUNDLL32.EXE

Post a new HJT log in your next reply along with any problems that still exist.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Because my friend has a very old laptop that does not have an ethernet jack or wireless card slots.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

The Symantec Process is critical to the running of Norton Internet Security, but since Norton is one of the worst AV programs I suggest uninstalling it and downloading one of the AV programs in the stickies.
Btw, the problem with explorer.exe is not related to malware; it is just Norton using explorer.exe to execute its commands. It is probably caused by low memory on your computer.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Well then, isn't there an update driver option in the properties menu?
That might work.
And I think you'll have to call the company that made the sound card, not Gateway.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Yes, but make sure you're in safe mode while doing it.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

That log looks clean.
Make sure when you run the scan with HJT you are NOT in safe mode.

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Ok Run HJT and check the following.
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsupport.hp.com/update/...PChWrapper.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
Close all other windows and click fix checked.

Now reboot to safe mode and use add/remove programs to remove the following if present.
Viewpoint Manager

Now delete the following if present.
C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
C:\Program Files\MarketBrowser
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Viewpoint

If you're still having problems after this, let me know in your next post.
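
A triage sketch for the HijackThis entries quoted in the posts above, as an added example that is not part of the original posts or of HijackThis itself: it rejoins entries that were wrapped across lines and flags the three patterns these posts act on. The function names, the flag wording and the sample log (assembled from lines on this page) are assumptions made for the example.

```python
import re

# Constructed sample: entries as they appear in the posts above, including
# the line wrapping that split some entries across two lines.
SAMPLE_LOG = r"""O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no
file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint
Manager\ViewMgr.exe
O4 - HKLM\..\Run: [dglllly] C:\DOCUME~1\craig\APPLIC~1\kfreaptd.exe -QuieT
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# An entry starts with a section code such as "O4 - " or "F2 - ".
ENTRY_START = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

def unwrap(text):
    """Rejoin entries that were wrapped onto a following line."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line):
            entries.append(line)
        elif entries:  # continuation of the previous entry
            entries[-1] += " " + line
    return entries

def triage(entry):
    """Return (section, reasons); reasons are review hints, not verdicts."""
    m = ENTRY_START.match(entry)
    if not m:
        return None
    section, body = m.groups()
    reasons = []
    if body.endswith("(no file)"):
        reasons.append("orphaned: target file missing")
    if section == "O4" and re.search(r"\\(APPLIC~1|Application Data)\\[^\\]+\.exe", body, re.I):
        reasons.append("autorun from user profile Application Data")
    if section == "F2" and re.search(r"Shell=explorer\.exe\s+\S", body, re.I):
        reasons.append("extra program appended to Shell=")
    return section, reasons

if __name__ == "__main__":
    for entry in unwrap(SAMPLE_LOG):
        section, reasons = triage(entry)
        if reasons:
            print(section, reasons, entry, sep=" | ")
```

Entries with an empty reason list, such as the ViewMgr and OSA9.EXE lines, still need a human decision; the helper reviewed them as optional or unwanted software rather than malware.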

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Don't forget the HJT log

kylethedarkn 23 A.K.A. The Laughing Man Team Colleague

Just end explorer.exe; it's not a system process, so it won't do any damage to end it, and I think it will speed up the process