Pc is just crawling!

[Joe]

Something has really gone wrong. It takes about ten minutes to reboot and everything is in slow motion. I've dome 3 or 4 different virus and ad scans to no avail. Thanks for your help, Joe

Code:

Logfile of HijackThis v1.99.1
Scan saved at 6:57:34 PM, on 6/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\ups.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O8 - Extra context menu item: Spell Chec&k... - res://C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll/ContextMenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Spell Check - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra 'Tools' menuitem: Spell Chec&k... - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O18 - Protocol: x-atng - {7E8717B0-D862-11D5-8C9E-00010304F989} - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Ruby]

Welcome to HijackThis.de @ Joe

Please post your Logfiles in vB Code!
Note: Announcement....

Please print out this instructions of safe it as a textfile (*.txt).

1
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2
Reboot.

3
Turn System Restore Back On.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK

4
Reboot.

5
Turn off System Restore.
Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

6
Reboot.

7
Please load down the ccleaner.
Put a Checkmark next to all itmes under "Windows", "Applications" and "Issues".
Have a look to the screenshots.
Press th button "Run Cleaner".

8
Run a Full System Scan by Panda ActiveScan.
It will last 2-3 hours. You will have to allow ActiveX.
Save the logfile.
Reboot the system when the scan is finished.

9
Configure then the IE with these Settings.

10
Run HijackThis once more. Have it save a new Logfile.

Post the Logfile of Panda ActiveScan.
Post the new HJT-Logfile.

[Joe]

Ruby,
Sorry I didn't know how to add to the thread I started yesterday. Did all the thing you told me. Did Ccleaner and the Panda Active scan. I downloaded some music files and must have got the 'bug' there. Active scan cleaned @ 850 files. I know you said send the report of the Ccleaner scan but it is so loooong!
I can still send it if you need it. Here is my new hijack this. Systen now boots in 6 minutes rather than the 15. Thank you so much, Joe

Code:

Logfile of HijackThis v1.99.1
Scan saved at 4:24:49 PM, on 6/27/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\ups.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O8 - Extra context menu item: Spell Chec&k... - res://C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll/ContextMenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Spell Check - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra 'Tools' menuitem: Spell Chec&k... - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O18 - Protocol: x-atng - {7E8717B0-D862-11D5-8C9E-00010304F989} - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Ruby]

Hello Joe

You did not do what I asked you to do.
You don't use vb-Code.
You didn't post the Logfile of Panda-Scan what I need to go on helping you.
Now, by the moment it has no sense to go on helping you.

[Joe]

I apologize for my ignorance but I do not know what VB code is.
I tried to send the file in the box that I think to be VB Code but it is too large
and a get a fatal error. Max time of 90 seconds. Line 1140. I saw that I could attach a file so I am trying that. It was too large to send as a txt file so I had to zip it. If none of this works I appreciate your patience and other helpful suggestions. Joe

[Ruby]

Hello Joe

You will want to copy the text from this post and save it as a text file (*.txt) or print it because you will be working offline (in safemode) to resolve your problem and not have access to this forum.

Follow these STEPS.

STEP 1
You must turn off System Restore during this process. You will keep it off until we are done fixing your system.

STEP 2

1. Download mwavscan (It is free), if you don't have a zip-tool we suggest zipgenius (It is free).
2. You MUST Unzip mwavscan to 'C:\bases' (case sensitive, any other folder and it won't work properly)
3. After installing some systems automatically start up the program, if this happens close it, you don't want to run it now.
4. Open 'My Computer'
5. Double click on 'C:'
6. Double click on the folder 'bases'
7. Now in that root folder look for 'kavupd.exe' and double click on it. (We are updating mwavscan to the latest definitions.)
8. NOTE: Occasionally users receive an error that 'signatures are more then 30 days old'. If you receive this keep trying to run kavupd.exe, it means the definition server is busy, but you will eventually get through.

STEP 3

1. Now turn off your computer and remove the network cable/phone line from your machine.
2. Reboot your computer in Safe Mode

STEP 4

1. Open 'My Computer'
2. Double click on 'C:'
3. Double click on the folder 'bases'
4. Double click on 'mwavscan.com'
5. Now close all other windows, browsers, and programs other then Mwavscan before continuing
6. Checkmark: Memory, StartUp-Folders, Drives, All Local Drives, Registry and INI Files, System Folders, Services
7. Now select 'Scan All Files'
8. Finally, click on 'Scan Clean' (The program will take several hours to run)
9. When the scan is complete, click 'View Log' and Save it!

STEP 5

1. Reconnect your network cable/phone line
2. Reboot your system into normal mode.

STEP 6

1. Open 'My Computer'
2. Double click on 'C:'
3. Double click on the folder 'bases'
4. Find the log file in the directory.
5. Open it with an editor (Notepad will do fine)
6. Look for the files which are tagged as "virus" or "infected"
7. Copy&paste all these files tagged as "virus" or "infected" in a new document and save to your desktop

STEP 7
Run Hijackthis again and have it save a new log file.

Step 8

Post every file of mwavscan by looking for "infected" and "tagged as" to this thread:

It looks like this:

File C:\WINDOWS\sssasasb32.exe infected by "Trojan-Downloader.Win32.Agent.ig" Virus. Action Taken

File C:\Documents and Settings\Name\Local Settings\Application Data\Wildtangent\0F.dat tagged as not-a-virus:AdWare.WildTangent.b. No Action Taken.

Also post the total results:

=>Total Number of Files Scanned:
=>Total Number of Virus(es) Found:
=>Total Number of Disinfected Files:
=>Total Number of Files Renamed:
=>Total Number of Deleted Files:
=>Total Number of Errors:
***** Scanning complete. *****

Finally, post the new Hijackthis logfile!

[Joe]

Ruby,
I hope I got everything right this time. Thanks again for helping a REAL newbie! Joe

Code:

Wed Jun 29 17:56:55 2005 => **********************************************************
Wed Jun 29 17:56:55 2005 => eScan AntiVirus Toolkit Utility.
Wed Jun 29 17:56:55 2005 => Copyright © 2003-2004,  MicroWorld Technologies Inc.
Wed Jun 29 17:56:55 2005 => **********************************************************
Wed Jun 29 17:56:55 2005 => Version 4.4.7
Wed Jun 29 17:56:55 2005 => Log File: C:\bases\mwav.log

Wed Jun 29 18:18:36 2005 => Options Selected by User:
Wed Jun 29 18:18:36 2005 => Memory Check: Enabled
Wed Jun 29 18:18:36 2005 => Registry Check: Enabled
Wed Jun 29 18:18:36 2005 => StartUp Folder Check: Enabled
Wed Jun 29 18:18:36 2005 => System Folder Check: Enabled
Wed Jun 29 18:18:36 2005 => System Area Check: Disabled
Wed Jun 29 18:18:36 2005 => Services Check: Enabled
Wed Jun 29 18:18:36 2005 => Drive Check: Disabled
Wed Jun 29 18:18:36 2005 => All Drive Check :Enabled
Wed Jun 29 18:18:36 2005 => Scanning Type: Scan And Clean
Wed Jun 29 18:18:36 2005 => Folder Check: Enabled
Wed Jun 29 18:18:36 2005 => Folder Selected = C:\WINDOWS
 
Wed Jun 29 18:35:03 2005 => File C:\hp\bin\py152.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Wed Jun 29 18:34:57 2005 => File C:\gendel32.exe tagged as not-a-virus:Tool.Win32.Gendel.a. No Action Taken.
Wed Jun 29 19:31:28 2005 => File C:\gendel32.exe tagged as not-a-virus:Tool.Win32.Gendel.a. No Action Taken.
Wed Jun 29 18:35:05 2005 => File C:\hp\bin\WIN32ALL-125.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Wed Jun 29 18:49:21 2005 => File C:\P450 Drug Interactions\setup\gendel32.ex_ tagged as not-a-virus:Tool.Win32.Gendel.a. No Action Taken.
Wed Jun 29 19:12:57 2005 => File C:\Program Files\Microsoft AntiSpyware\Quarantine\42F1AE2A-A360-460C-AC11-26C231\8308BE26-691C-43C3-A2F2-CEE33D tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.i. No Action Taken.
Wed Jun 29 19:12:57 2005 => File C:\Program Files\Microsoft AntiSpyware\Quarantine\8AEF5DA6-5273-4711-B29B-2EC512\7D802C7E-6AD2-485B-87C5-C67299 tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.i. No Action Taken.
Wed Jun 29 19:31:33 2005 => File C:\hp\bin\py152.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Wed Jun 29 19:31:35 2005 => File C:\hp\bin\WIN32ALL-125.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Wed Jun 29 19:45:20 2005 => File C:\P450 Drug Interactions\setup\gendel32.ex_ tagged as not-a-virus:Tool.Win32.Gendel.a. No Action Taken.
Wed Jun 29 20:08:13 2005 => File C:\Program Files\Microsoft AntiSpyware\Quarantine\42F1AE2A-A360-460C-AC11-26C231\8308BE26-691C-43C3-A2F2-CEE33D tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.i. No Action Taken.
Wed Jun 29 20:08:13 2005 => File C:\Program Files\Microsoft AntiSpyware\Quarantine\8AEF5DA6-5273-4711-B29B-2EC512\7D802C7E-6AD2-485B-87C5-C67299 tagged as not-a-virus:AdWare.ToolBar.HotSearchBar.i. No Action Taken.
Wed Jun 29 22:04:07 2005 => File C:\WINDOWS\MVUNINST\App1\mvuninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
Wed Jun 29 21:16:54 2005 => File C:\WINDOWS\MVUNINST\App1\mvuninst.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Wed Jun 29 22:30:54 2005 => ***** Scanning complete. *****
 
Wed Jun 29 22:30:54 2005 => Total Number of Files Scanned: 93017
Wed Jun 29 22:30:54 2005 => Total Number of Virus(es) Found: 10
Wed Jun 29 22:30:54 2005 => Total Number of Disinfected Files: 0
Wed Jun 29 22:30:54 2005 => Total Number of Files Renamed: 0
Wed Jun 29 22:30:54 2005 => Total Number of Deleted Files: 0
Wed Jun 29 22:30:54 2005 => Total Number of Errors: 4
Wed Jun 29 22:30:54 2005 => Time Elapsed: 03:13:56
Wed Jun 29 22:30:54 2005 => Virus Database Date: 2005/06/30
Wed Jun 29 22:30:54 2005 => Virus Database Count: 137047
 
Wed Jun 29 22:30:54 2005 => Scan Completed.

Code:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:16 AM, on 6/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\FreeMem Standard\freemem.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\ups.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\HijackThis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/?u
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MskDetct.exe /startup
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [FreeMem Pro] "C:\Program Files\FreeMem Standard\freemem.exe" Startup
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: Spell Chec&k... - res://C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll/ContextMenu
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Spell Check - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra 'Tools' menuitem: Spell Chec&k... - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) - http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) - http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) - http://fdl.msn.com/public/investor/v13/ticker.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...09/mcfscan.cab
O18 - Protocol: x-atng - {7E8717B0-D862-11D5-8C9E-00010304F989} - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

[Ruby]

Hello Joe

Please post your Logfiles in vB Code!
Note: Announcement....


Please read these instructions carefully and print them out!
Be sure to follow ALL instructions!

Follow the numbers.

1
Using Windows XP: turn off System Restore.

2
Make sure you set windows to see the hidden files and folders.

3
Download and Instructions of Use

A. Download
one of these programs:
WinsockXPFix.exe,
Follow the instructions of use. Run it NOW.
If you get troubles with your Internet Connection,
run one of these programs,
reboot your system.

B. Download
New Version: Ad-Aware SE
Ad-Aware SE: install and update it

C. Download
--> ! New Version: Spybot Search & Destroy
Spybot Search & Destroy: install and update it

D. Download
Revome RTE
You may want to follow the instructions.

E. Download
CWShredder.

F. Download
about:Buster,
unzip to C:\aboutbuster, run it, and then:

1. Click "Update".
2. Click "Check For Update"

(If no new version is available, skip that.)
3. Click "Download Update", and wait for it to be installed.

G. Download
If you don't have a zip-tool we suggest zipgenius (It is free).

H Download
host.zip
Press 'Restore Original Hosts' and press 'OK'
Take a look to the instructions

I Download
CCleaner

J Download
Disk Cleaner

K Download
RegClean 4.1a

L Download
Load down the KillBox safe it to your desktop

4
Don't use the programs now.

5
Run the Killbox

o browse the files of every entry into the killbox:

C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe

o activate "Replace on Reboot"
o activate "Use dummy" - then click at the red X
o "YES"
o "NO" by the question if you want to reboot ...

... reboot as you got the last file into the killbox.

6
Disconnect to the Internet.

7
Turn to safe mode. Stay in safe mode until you read that you may turn to normal mode!

8
Close down all windows including Internet Explorer.
Run Hijackthis, click scan, and put a checkmark next to each of these items.
Then click the Fix Checked button:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hzzp://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hzzp://srch-us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hzzp://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hzzp://finance.yahoo.com/?u
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hzzp://srch-us4.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = hzzp://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hzzp://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hzzp://finance.yahoo.com/?u
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hzzp://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = hzzp://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O8 - Extra context menu item: Spell Chec&k... - res://C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll/ContextMenu
O9 - Extra button: Spell Check - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O9 - Extra 'Tools' menuitem: Spell Chec&k... - {EB5E83E1-E8DE-11d3-9A63-BF95FEF19D7F} - C:\Program Files\REDHOTIP.COM\Hot Lingo\hotlingo.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - hzzp://us.dl1.yimg.com/download.yah...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - hzzp://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O18 - Protocol: x-atng - {7E8717B0-D862-11D5-8C9E-00010304F989} - C:\Program Files\Fidelity Investments\Fidelity Active Trader\System\atngprot.dll

Click on Fix Checked and exit HijackThis.

9
Stay in safe mode
run Ad-Aware SE (Adaware SE 1.05 Tutorial)

Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Take a full system scan.
Delete the content of all Ad-aware SE folders and the Quarantine box when the scan is finished.
Safe the logfile.

10
Stay in safe mode
Run Spybot Search & Destroy once more
Turn on Advanced Mode. Go to "Tools" and put a checkmark into the box of ActiveX.
Scan your system. Let Spybot Search & Setroy delete everything it finds.
Take the immunication for your system.

11
Stay in safe mode
Run Revome RTE

Click the "Kill Elite Toolbar" button and wait until it will finish its work.
Occasionally a DOS box could face-up to asking your permission in deleting some files inside the temporary Windows directories. You must accepting the deletion of them to be sure to fisically removing the malware!
Save the logfile.

12
Stay in safe mode
Run CWShredder
press the *fix,* not the scan button
allow it to clean the infection.
Close all browser and explorer windows before hitting the fix button.

13
Stay in safe mode
Run about:Buster
4. Click "Start".
(Wait for the initial ADS scan to complete.)
5. Click "Exit".

14
Reboot your system into normal mode.

15
Run the CCleaner
Put a Checkmark next to all items
under "Windows", "Applications" and "Issues".
Have a look to the screenshots.
Press the button "Run Cleaner".

16
Empty your "Recycle Bin"
Go to START > run and type: cleanmgr and click ok.
Let it scan your system for files to remove.

17
Run the Disk Cleaner
Set a checkmark to every item you want to clean.
Temporary Internet Files and Temporary System Files, Cache, History and Prefetch must be cleaned.
Clean as much folders as you can clean.

18
Run RegClean
Allow the program to delete all it finds.

19
Configure then the IE with these Settings.

20
Run HijackThis once more.
Have it save a new Logfile.

-> Post the Ad Aware SE Logfile
-> Post the RTE Logfile
-> Post the About:Buster Logfile
-> Please post the new HJT-Logfile.

[Joe]

Ruby,
Things are so much better. Here are the logfiles you requested. It seem that Hot Lingo was causing some of my problems. I am such a bad speller I need a spell checker. If Hot Lingo is not good for my system, do you know of another addin I can use?
Thank you again so much. Joe

[Ruby]

Hello Joe

Please post all these logfiles, don't hang it on.
Thanks.