caperjack 875 I hate 20 Questions Team Colleague

So, do you think my computer is clean now?

Sorry, yes, your log is clean now.
Also, these are recommended programs to keep the spyware away. I have all 3 installed on my computer and have not had any problems in about 6 months!
After you get it all fixed and things are working good, download and install these three programs to help stop spyware.


After you get it all fixed and things are working good, download and install these two programs to help stop spyware.


Spywareblaster


SpywareGuard

IE-SPYAD


Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Also check how I got infected in the first place.

http://www.computercops.biz/postlite7736-.html

caperjack 875 I hate 20 Questions Team Colleague

Check out what these guys did to get rid of it. Similar to what you are doing here, with an added program, I believe.
http://forums.spywareinfo.com/index.php?showtopic=9134

caperjack 875 I hate 20 Questions Team Colleague

First, your log looks good now.
I think you should run this free online virus scan; check auto fix before you run the scan. Do this on all computers in your local network.
http://housecall.trendmicro.com/

HJT also presented an error #75 when he was starting to fix the checked files.

A search shows error #75 as some sort of network error, when running an .EXE on a network or something like that!!

caperjack 875 I hate 20 Questions Team Colleague

There's something called svchost bothering the spy sweeper. What is it?

Svchost is a generic name for a process; there could be 4 or 5 in the process list at the top of the HijackThis log, all legit. There are trojans/viruses named similar to svchost, like ssvhoste, svcchst and so on and so on.
I'm not familiar with SpySweeper, so I'm not sure what's happening. I don't consider it a needed program, as Spy-Bot and Ad-Aware are all you need to run, and they are free. A lot of the ones that want you to buy them will fake problems trying to get you to buy! :)
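
An added example, not part of the original post: one way to check the process list at the top of a HijackThis log for names that imitate svchost, using edit distance. The sample log, the trusted directory list and the distance threshold are assumptions, and the check that svchost.exe itself runs from the system directory goes beyond what the post describes.

```python
import ntpath

TRUSTED_NAME = "svchost.exe"
# Assumption: default Windows system directories; adjust to the machine under review.
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\winnt\system32"}


def edit_distance(a, b):
    """Levenshtein distance: minimum inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(path, max_distance=3):
    """Label one process path: ok, wrong-location, lookalike or unrelated."""
    directory, name = ntpath.split(path.strip().lower())
    if name == TRUSTED_NAME:
        return "ok" if directory in TRUSTED_DIRS else "wrong-location"
    stem = name.rsplit(".", 1)[0]
    # Distance 3 is the smallest threshold that still catches "ssvhoste".
    close = edit_distance(stem, "svchost") <= max_distance
    return "lookalike" if close else "unrelated"


def running_processes(log_text):
    """Yield the paths listed under the log's 'Running processes:' header."""
    in_section = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes"):
            in_section = True
        elif in_section:
            if not line:
                break  # a blank line ends the process list
            yield line


def review(log_text):
    """Return {path: verdict} for every listed process worth a second look."""
    findings = {}
    for path in running_processes(log_text):
        verdict = classify(path)
        if verdict not in ("ok", "unrelated"):
            findings[path] = verdict
    return findings


# Constructed sample log, not taken from any thread on this page.
SAMPLE_LOG = r"""Logfile of HijackThis
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ssvhoste.exe
C:\WINDOWS\system32\svcchst.exe
C:\Documents and Settings\Owner\Application Data\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
"""

if __name__ == "__main__":
    for path, verdict in review(SAMPLE_LOG).items():
        print(f"{verdict:15} {path}")
```

A flagged name is only a prompt to look up the file and its publisher before fixing anything; a short threshold like this can also match unrelated programs with similar names.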

caperjack 875 I hate 20 Questions Team Colleague

First, I am going to suggest you uninstall MY WEB SEARCH via Add/Remove Programs in Control Panel. You might really like this program, but it is spyware and really not the best thing to have on your computer.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

NOTE: Please copy and paste this post into Notepad and save it to your desktop, or print a copy of these instructions, because you will be working with all windows closed except HijackThis.

O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL

O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL

O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll

O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll

O2 - BHO: (no name) - {C1E58A84-95B3-4630-B8C2-D06B77B7A0FC} - C:\Program Files\NavExcel\NavHelper\v2.0.4c\NHelper.dll


O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe


O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot

O16 - DPF: {197AB1D7-A7DD-4C86-A938-1FCC0DB21B85} (DMProxyCtl Class) - http://dm.cometsystems.com/dm/dm_286.cab

O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://imgfarm.com/images/nocache/f...etup1.0.0.6.cab

O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} (Installer Class) - http://www.xxxtoolbar.com/ist/softw...0006_cracks.cab


Now reboot into safe mode and delete the following files and folders if found ."Fix Checked"...Reboot to SAFE …

caperjack 875 I hate 20 Questions Team Colleague

You have 2 or 3 threads going on the same problem!! Stick to one thread and stop creating a new one; we get lost!!!
You get the email every time we reply to your thread or when you reply to it!!
Just click on your nickname in this thread and go to view other posts and you will find the one that Crunchie was working on with you, and he will continue helping you.

The appropriate box is a little box in HijackThis right in front of the line that someone is telling you to fix.
The box would be right here in front of this line, for example: O4 - HKCU\..\Run: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!1

caperjack 875 I hate 20 Questions Team Colleague

Some items may be gone after running CWShredder .

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

NOTE: Please copy and paste this post into Notepad and save it to your desktop, or print a copy of these instructions, because you will be working with all windows closed except HijackThis.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmyrequest.com/sp.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://prosearching.com/searchbar.html

O1 - Hosts: 64.237.45.18 pagead2.googlesyndication.com


O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\questmod-1.dll

O2 - BHO: Elitum EliteBar - {FA6548E9-78F5-4025-9D7B-FC1367789C38} - C:\WINDOWS\EliteBar\EliteBar.dll

O4 - HKLM\..\Run: [WinTime] C:\WINDOWS\system32\wintime.exe

This one bothers me, but if you know what it is and it's something you use, leave it; if not, fix it!
O4 - HKLM\..\Run: [NOUN BITS] C:\PROGRA~1\Store locks\Rdrtrans.exe

O16 - DPF: {11111111-1111-1111-1111-111111111237} - http://209.8.161.52/1/deaGB16.exe


Now reboot into safe mode and delete the following files and folders if found. "Fix Checked"... Reboot to SAFE mode to delete files. How to start computer in safe mode

C:\WINDOWS\system32\wintime.exe......deleted file

C:\PROGRA~1\Store locks\Rdrtrans.exe...........deleted folder ,following advice from above

to delete the above files and folder you will need to do the following
go to Show hidden files & folders
"Fix Checked"...Reboot to SAFE mode to delete files

caperjack 875 I hate 20 Questions Team Colleague

Run one more program then post back a new log !


Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

reboot computer and post a new log

caperjack 875 I hate 20 Questions Team Colleague

You're welcome. Glad it worked for you. Just in case you check back in, do the following to help stop it from returning.

After you get it all fixed and things are working good, download and install these two programs to help stop spyware.


Spywareblaster


SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Also check how I got infected in the first place.

http://www.computercops.biz/postlite7736-.html

caperjack 875 I hate 20 Questions Team Colleague

Download the latest version of Ad-Aware at ADAWARE


Setup Ad-Aware !
After installing AAW, and before running the program, update reference files by using the bottom right button in the program, labeled "Check for Updates."

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed

caperjack 875 I hate 20 Questions Team Colleague

try searching this in google --- sp.html#96676

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)

F0 - system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,

And this: do you know what it is? I can't find any info on it. If you don't know what it is, fix and uninstall it.
O4 - HKLM\..\Run: [bits amen] C:\PROGRA~1\campcompscr\antilogo.exe

Reboot and post a fresh log, thanks.

caperjack 875 I hate 20 Questions Team Colleague

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

reboot computer and post a new log

caperjack 875 I hate 20 Questions Team Colleague

You're welcome, glad it worked for you!

caperjack 875 I hate 20 Questions Team Colleague

It's been a long time since this happened to me, but this helped me. This will stop MSN Messenger from starting when you load Outlook Express.

http://www.dougknox.com/xp/scripts/xp_hide_messenger.vbs

It may be because MSN Messenger is starting when Outlook is booting. Use Doug's file to stop MSN from starting. Doug's stuff is safe; I have used a lot of his fixes.
http://www.dougknox.com/

caperjack 875 I hate 20 Questions Team Colleague

Okay,

When I shut down the other night, I got a message that said "Other users are still connected to this computer.

Thanks.

Is your computer set up with just one user account or multiple accounts? I have 3 users, and if one besides me is signed on I will get this message when I go to shut down. If you just have one user, you may have had the admin account opened; that is why you got the message!

caperjack 875 I hate 20 Questions Team Colleague

ehh I just need fast help, but fine...

So if you just need fast help, how come you didn't post your log in your own thread yet?

caperjack 875 I hate 20 Questions Team Colleague

You need to post the log from dllfix, also.

caperjack 875 I hate 20 Questions Team Colleague

And this program.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

reboot computer and post a new log

caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.


Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


F0 - system.ini: Shell=Explorer.exe D:\WINDOWS\services.exe

F1 - win.ini: load=D:\WINDOWS\services.exe

F1 - win.ini: run=D:\WINDOWS\services.exe

Reboot and run hijack and post a new log.

caperjack 875 I hate 20 Questions Team Colleague

The O4's in the hijack log are all of what would be in Msconfig / Startup, and it's not there!!

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

O4 - HKLM\..\Run: [SNP32M] C:\WINDOWS\SYSTEM\SNP32M.exe

A couple of resource hogs, not needed at startup. Fix them.

O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE

O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

This is not needed at startup.
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE


Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\SYSTEM\SNP32M.exe ...delete file


to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

ajelliott commented: Thank you for your support! +4
caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

caperjack 875 I hate 20 Questions Team Colleague

Hi there thanks for the tips

but I don't have IE listed in add/remove programs so can't repair it

It is in Add/Remove Programs. In the left column, click on Add/Remove Windows Components; there you will find IE.

caperjack 875 I hate 20 Questions Team Colleague

You're welcome. Glad to have helped!

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.

Your log looks good, just these 2; they are not needed in startup, and are resource hogs and suggested fixes.


O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE


O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE

Also check How I got infected, in my signature, and use the suggested programs. I use all 3 myself. Great results.

caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary

caperjack 875 I hate 20 Questions Team Colleague

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

reboot computer and post a new log

caperjack 875 I hate 20 Questions Team Colleague

I will post the fix here also in case others read this and need the fix. You didn't really need to start another post just because it was getting long.

Run hijack again and fix this.
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG

This is a quote from another forum: That is a startup item for some tutorial for the audigy sound card. It only seems to affect Dell computers. It was common some months ago.

caperjack 875 I hate 20 Questions Team Colleague

I didn't think it was recommended to run at the highest resolution for long periods of time!

caperjack 875 I hate 20 Questions Team Colleague

Norton reports a virus when I click on the reply/quote to XXplosive's post above. Be careful.

caperjack 875 I hate 20 Questions Team Colleague

I would check Netscape help and see if you can find any info on others having the same problems.

caperjack 875 I hate 20 Questions Team Colleague

You're welcome, glad I could help!

caperjack 875 I hate 20 Questions Team Colleague

Not familiar with that dll, and a search of it goes nowhere.
Sorry to hear about the laptop.
Your latest log looks good now.

caperjack 875 I hate 20 Questions Team Colleague

Actually, my security settings are too high to go to either link!

caperjack 875 I hate 20 Questions Team Colleague

Thanks, Crunchie. I forgot there was one!!

caperjack 875 I hate 20 Questions Team Colleague

Also a trip to windows updates is needed for critical updates and SP1's
WINDOWS UPDATES

caperjack 875 I hate 20 Questions Team Colleague

Any reason why you didn't fix this as suggested in an earlier post, or did you fix it and did it return?
O4 - HKCU\..\Run: [Ltho] C:\Documents and Settings\Owner\Application Data\ootr.exe

caperjack 875 I hate 20 Questions Team Colleague

Yeah, fix this:
O4 - HKCU\..\Run: [WNSC] C:\WINDOWS\System32\wnsintsu.exe
Then reboot and delete this file:
C:\WINDOWS\System32\wnsintsu.exe

Quote from another source .
Task which is dropped onto your PC when you run the free “hidden pornography scanner” from PuritySCAN.com. At the time of writing, 9‑May‑2004, PuritySCAN.com purports to scan your PC for hidden pornography and help you remove it. For a start, at the time of writing, 9‑May‑2004, the scan for pornographic content is a total scam and downright dangerous.

caperjack 875 I hate 20 Questions Team Colleague

...........Ditto!!

caperjack 875 I hate 20 Questions Team Colleague

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\System32\SearchBar.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://preview.sweetcelebnudes.com/d4.phtml?ip=10734

This one looks suspicious. I can't find anything on it; that usually means fix it. Do you know what it might be? Perhaps do a search for wineg32.dll and check its preferences to see who owns it! If it's Microsoft, leave it alone. If you find it and think it is a bad file, delete it!!
O2 - BHO: . - {D34F08C5-4F18-477c-86CB-1A9BEECFE37B} - C:\Documents and Settings\Owner\Application Data\wineg\wineg32.dll


This one is a resource hog and not needed in startup.
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: updater.lnk = C:\Program Files\Common Files\updater\wupdater.exe

Now reboot into safe mode and delete the following files and folders if found .


C:\Program Files\Common Files\updater... delete folder

C:\WINNT\System32\SearchBar.htm...delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

caperjack 875 I hate 20 Questions Team Colleague

Important: Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+e) then double click on C: then right click and select New then Folder and name it HJT.
Unzip HijackThis into this folder. When you run HijackThis from this folder and have it "Fixed checked" it will create a backup file of modifications to use if restore is necessary.

caperjack 875 I hate 20 Questions Team Colleague

Might I suggest Ad-Aware and Spybot

Download the latest version of Ad-Aware at ADAWARE

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:


Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

reboot computer and post a new log

caperjack 875 I hate 20 Questions Team Colleague

I think it is possible that the 2 OSes were sharing some files, and now that it only copied XP, it left the shared files behind.
Did you partition the new drive before you got the program to copy the OSes?
If yes, then maybe all you need to do is run the program again and see if you can get it to copy Win98.
If you still have the old drive intact, format and partition the new drive and try copying it again!

caperjack 875 I hate 20 Questions Team Colleague

and Spybot

Download SPYBOT

How to setup Ad-Aware and Spy-Bot S&D
http://www.zerosrealm.com/scanning.php

And after that, please do the following:

Run the first free online virus scan in my signature; check auto fix.

Reboot and post a fresh log, thanks.

caperjack 875 I hate 20 Questions Team Colleague

You are right, you do have a lot going on. Let's start with these programs.

You Have A Variant of the CoolWebSearch Trojan.

Please Download CWShredder from HERE and run the Program in safe mode . Press the "Fix Button" Let it fix all variants. Next, Close the program and all windows and IE windows and run hijackthis and Post a Fresh log.

Reboot to SAFE mode to run CWShredder

How to start computer in safe mode

caperjack 875 I hate 20 Questions Team Colleague

After you get it all fixed and things are working good, download and install these two programs to help stop spyware.


Spywareblaster


SpywareGuard

Keep Up-to-Date!
The most important key to maintaining a secure computer is keeping your protection up-to-date.

Also check how I got infected in the first place.

http://www.computercops.biz/postlite7736-.html

caperjack 875 I hate 20 Questions Team Colleague

Check the !!please read in Crunchie's signature.

caperjack 875 I hate 20 Questions Team Colleague

Looks clean to me .
Check how I got infected in the first place in my signature below.

caperjack 875 I hate 20 Questions Team Colleague

IE,tools /internet options/temp internet files/delete files