May have Virus/Spyware/Aliens? or IE Hijacked

You appear to have a lot of nasties in there. I'm talking worms and stuff, not just a browser hijack.
So probably the best place to start is to go to http://www.trendmicro.com/download/dcs.asp and download sysclean, and this page http://www.trendmicro.com/download/pattern.asp for the latest pattern file.
Unzip the pattern file into the same folder as sysclean, then run sysclean. It will take a while but hopefully will remove some of those worms. Make sure it's in a user area with administrator priviledges.

It's me again. I did exactly what you said and downloaded Sysclean and the pattern file for it. I followed it's instructions to the letter and here are the results it gave me:

Pattern Version: 2.273.00
Release Type: Fix False Negative
Notes: TROJ_FUNWEB.A  (moved detection to Spyware pattern as ADW_FUNWEB.C)

November 30, 2004, 12:56:15 (GMT -08:00)

---------------------
New Viruses Detected:
---------------------
There are [25]new viruses detected by the pattern file.
All detail virus names please refer to the list below.

BKDR_BEASTDOR.A
BKDR_BLUEEYE.B  
BKDR_GOBOT.Y
HTML_WAMUFRAUD.A
TROJ_ADCLICK.AU
TROJ_BANCOS.EO
TROJ_BANCOS.ZG
TROJ_BANCOS.ZI
TROJ_INSERVI.A
TROJ_LEMIR.DM
TROJ_LEMIR.DR
TROJ_LEMIR.HW
TROJ_LEMIR.JL
TROJ_LEMIR.JN
TROJ_LEMIR.QW
TROJ_MSNFLOOD.B
TROJ_NETSNAKE.B
TROJ_QQSHOU.G
WORM_SDBOT.AES
WORM_SDBOT.CAL
WORM_SPYBOT.JO
WORM_SPYBOT.JP





-------------------
Virus Name Changed:
-------------------
Old Virus Name          New Virus Name
--------------          --------------


-------------------------
Virus Signature Modified:
-------------------------      

BKDR_AXN.A     
BKDR_BANCODOR.K 
BKDR_BEASTDR.AA
BKDR_BLASTIT.C  
BKDR_SMALL.D    
TROJ_ADCLICKER.A
TROJ_BANBRA.Q    
TROJ_DELF.AF 
TROJ_DELF.AR 
TROJ_DELF.C  
TROJ_DELF.DK 
TROJ_LEMIR.BR
TROJ_LEMIR.CD
TROJ_LEMIR.CJ  
WORM_RBOT.ACX



------------------------
Virus Signature Dropped:
------------------------
TROJ_FUNWEB.A    


[FONT=Comic Sans MS]The last part said it cleaned all of them out, but I wasn't so sure so I ran Sysclean again. At the end of it it said 0 viruses. I'm still not so sure. When I restarted my comp and connected to the internet, IE did the same hting it had been doing....connecting to sites all by itself. It also left those blue application boxes behind again. Here is the list of websites:[/FONT]

[url]http://216.117.190.175/momsex.html[/url]

[url]http://home.no/sopo/loud.html[/url]

[url]http://home.no/sopo/pussy.html[/url]


[FONT=Comic Sans MS]IE is still running slowly. I ran Spyware Doctor, Ad-Aware 6.0, AVG Anti Virus, and Hijack this. Here is the current Hijack This log:[/FONT]

Logfile of HijackThis v1.98.2
Scan saved at 12:37:33 AM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\spoolcsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\syswin32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svcload.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
c:\gmsex.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://www.yahoo.com/search/ie.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = [url]http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/yie6/*http://www.yahoo.com[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yie6/*http://www.yahoo.com/search/ie.html[/url]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yie6/*http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yie6/*http://www.yahoo.com[/url]
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = [url]http://ms101.mysearch.com/sa/srchlft.html[/url]
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = [url]http://red.clientapps.yahoo.com/customize/ie/defaults/su/yie6/*http://www.yahoo.com[/url]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: [url]http://www.daniweb.com[/url]
O15 - Trusted Zone: [url]http://www.spywareinfo.com[/url]
O15 - Trusted Zone: [url]http://securityresponse.symantec.com[/url]
O15 - Trusted Zone: [url]http://*.tomcoyote.org[/url]
O15 - Trusted Zone: [url]http://www.trendmicro.com[/url]
O15 - Trusted Zone: [url]http://www.uproar.com[/url]
O15 - Trusted Zone: [url]http://deskwx.weatherbug.com[/url]
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - [url]http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101714994263[/url]
O17 - HKLM\System\CCS\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13
O17 - HKLM\System\CS1\Services\Tcpip\..\{20690A7B-6C21-4DB4-BF37-5763289732AC}: NameServer = 166.102.165.11 166.102.165.13

I have no idea what any of this means. I am so frustrated and tired and angry with all of this. What else can I do? Besides throwing this thing into an old well??

Any help will be most appreciated.

Thank You,
Meredith
<snip>

You should probably boot into Safe Mode for this. Scan with HJT and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe
O4 - HKLM\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\RunOnce: [Win32s USB Drivers] spoolcsv.exe

After you've done that, go to C:\WINDOWS and delete:
GWMDMpi.exe

Then go to C:\WINDOWS\System32 and delete:
spoolcsv.exe
winxp2.exe
syswin32.exe
svcload.exe
NOTEPAD.EXE
winupd.exe

On the C drive, find this and delete it as well:
c:\gmsex.exe

Reboot normally, make sure all browser windows are closed, scan with HJT and post a new log.

You can Use Firewire, and Delete all IExplorer files, and registry keys. then Download IExplorer from the FireWire connection between the 2 PC's. Or you can Reformat. But no one wants that.
*I PREFER WINDOWS 2000*

Ok, here is my latest Hijack This log:
Logfile of HijackThis v1.98.2
Scan saved at 6:17:02 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NoAds\NoAds.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\WINDOWS\System32\syswin32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB

Things seem to be moving a lot better now, but a lot of webpages I go to load, but at the bottom on the bar it says "Done, but with errors on page." Some of the pictures on these pages don't show up. Their boxes have those little colored boxes in them.

And as I am writting this, Spybot S & D popped up a message saying this:

Spybot S&D

Category System Startup global entry
Change Value Added
Entry Windows Update
New Data slmss.exe

I went ahead and clicked "deny changes" because I didn't know what it was. If I should accept this please let me know.

I am going to run all of my spyware and virus scanning things and see if anything else pops up and I'll post my results in a bit.

Is there anything else I should delete or change? It still doesn't seem quite right.

Thanks for all your help!!

:D Meredith
(mereannjen@yahoo.com)

You still have virus/trojan/etc. infections. Also- from some reports I've read, the NoAds program you installed seems to be questionable. It appears that it may have some "hidden nasties" of its own; personally, I would uninstall it.

1. Have HijackThis fix the following:

O4 - HKLM\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O15 - Trusted Zone: http://www.uproar.com
O15 - Trusted Zone: http://deskwx.weatherbug.com

2. Turn off XP's System Restore function; instructions are here.

3. - Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders:

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Find and delete the following files:

spoolcsv.exe
syswin32.exe

- Delete the entire C:\Program Files\NoAds folder.

- Delete the entire content of your C:\Windows\Temp folder.

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temorary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Reboot normally.

lol, be cool like me and test your AV, lol. I unleased 89 viruses on my network, and i got them all. It was fun to because people complain about Norton, when norton, and Pc-Cillin are like the best.

Ok, I uninstalled No-Ads and deleted everything having to do with it that was left over. I also, did everything you suggested.

While trying to post this, I kept getting that dreaded error message, "Page cannot be displayed and temporarily unavailable" crap all over again when I hit reply. I've spent the last 6 hours trying to reply to your last instructions. No pics are showing up on this page at all. No smileys, no font, size or color box...nothing and I have that error on page message too. I hit refresh over 50 times and finally got some of this page to display properly.

When I start my comp up and Windows comes up, I am now getting an error message saying it can't find Spoolsv.exe. I know you had me delete this. Is it something important? Should I have not deleted it?

I am still getting 5 DSO Exploits everytime I run Spyware Doctor. What are these? I delete them, but they come back everytime. Also, it detects an IE Browser Plugin everytime. It says it's a Medium Security risk, but I go ahead and let it delete it. Yet it comes back everytime, too.

I am still getting those yellow triangles with the exclamation in them saying "Error on page" down where the bar says "Opening" and the web sites address. I came in here, and all of the pictures that would normally show, before I had these problems, had the box with the red X in them. I right clicked on them and chose "show picture" and the red X changed to the box with the colored square, circle and triangle thing. Not sure about this. That's never happened until I started having these problems.

Anyway, before I post my current Hijack This log, I wanted to ask some questions:

1) Is the Free Edition AVG Anti Virus a good program to use? I cannot afford to buy an anti virus program, so if you know of a free on that's really good, please let me know.

2) Should I install Windows SP2? I have heard many bad things about it.

3) Is there any other spyware/adware programs I can download for free besides Spy Bot S&D? I don't really care for this program. Everything I seem to do, I get an alarm from it asking me if I want to allow or deny some change it detected and since I have no idea what some of these changes are. It's was too confusing for me.

Ok, I think that's it for now. Here is the current Hijack This Log:
Logfile of HijackThis v1.98.2
Scan saved at 10:48:33 PM, on 12/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yie6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/yie6/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yie6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/yie6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/yie6/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB

If I think of anything else, I'll let you know. Thanks for the help so far. My browser is moving a bit quicker for this site, but I haven't checked out any others yet.

If you can think of anything else after analyzing the latest Hijack This Log, let me know. I'm almost game for anything..LOL.

Cheers'
Meredith
(mereannjen@yahoo.com)

um... dmr said to delete spoolcsv.exe, not spoolsv.exe... Look in your recycle bin to see if it's still there. If spoolsv.exe is in your recycle bin then restore it.

DSO exploits can be ignored - it's a bug in spybot. there is a fix you can download but it's not worth it.

1) AVG is good
2) umm... I have it installed, but there isn't really a concensus of opinion on whether to go for it or not. In any case you need to get your spyware cleaned up first. I'm not sure why it's come back this time.
3)Ad-Aware from www.lavasoft.de is good. Normally I use it with Spybot though.

Let's try this:

alt + ctrl + del
end the following processes:
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe

Then tick the following:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm

O4 - HKLM\..\Run: [Windows Update 2] winupd.exe
O4 - HKLM\..\Run: [Winupdate Service] winxp2.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [svcload] svcload.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [Win32s USB Drivers] spoolcsv.exe
O4 - HKLM\..\RunServices: [Windows Update 2] winupd.exe
O4 - HKLM\..\RunServices: [Winupdate Service] winxp2.exe
O4 - HKLM\..\RunServices: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\RunServices: [svcload] svcload.exe

O4 - HKCU\..\Run: [Win32s USB Drivers] spoolcsv.exe
O4 - HKCU\..\Run: [Windows Update 2] winupd.exe
O4 - HKCU\..\Run: [Microsoft WinUpdate] syswin32.exe

O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\Gateway\helpspot\RunExeActiveX.CAB

Basically we need to remove any instances of the following files:
winupd.exe, winxp2.exe, syswin32.exe, spoolcsv.exe and svcload.exe. So if you see them anywhere else in your log, tick them.

Then finally choose 'fix checked'.

Next reboot into safe mode by repeatedly pressing f8 during startup. It will give you a boot menu, so press safe mode when it appears.

to quote dmr

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

Delete the following:
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe
C:\WINDOWS\System32\spoolcsv.exe

Go to start -> find -> files or folders and search for all those files again. You may find them in the prefetch folder, so delete them if they occur in there. You may also have to go under the advanced options tag and tell it to search system files etc.

Finally be careful that they are spelt right!

Dave is right, AVG and AdAware are both good programs and you need to have an antivirus program installed. Spybot is a good program too, hopefully it'll get easier to use once your system gets cleaned up. I don't know why all that stuff came back; hopefully Dave's way will work.

As for SP2, do not install it until after your system has been cleaned up, it will only magnify the problems. You should, however, make sure you have all the other critical updates. After your computer is clean, check this thread to help you decide whether or not to upgrade to SP2:
http://www.daniweb.com/techtalkforums/thread10031.html

Also, SpywareBlaster is another good program to have.

:rolleyes: Ok, I have a few questions:

you said to:
alt + ctrl + del
end the following processes:
C:\WINDOWS\System32\winupd.exe
C:\WINDOWS\System32\winxp2.exe
C:\WINDOWS\System32\svcload.exe
C:\WINDOWS\System32\syswin32.exe

and
Basically we need to remove any instances of the following files:
winupd.exe, winxp2.exe, syswin32.exe, spoolcsv.exe and svcload.exe. So if you see them anywhere else in your log, tick them.

1)What are these?
2)Why should I delete them?
3)Aren't they essential to Windows?

I'm a little nervous about deleting things after accidently deleting spoolsv.exe instead of spoolcsv.exe. I was very blurry eyed when I did it and they are all starting to look the same to me.

I looked in my recycle bin for spoolsv.exe and it's gone.

1) Is there somewhere I can download it to get it back?
2) If not, is it essential?

I have Ad-Aware 6.0 Personal. A friend sent it to me and it's been great. Is the one you mentioned better or are they the same?

My computer is running a lot better. My pages are loading without errors, pics are showing up, and I haven't had one instance of that dreaded "Page cannot be displayed. The page you are looking for is currently unavailable."

I found PC=cillin on Trend Micro's website. I'm thinking of running the free scan and then downloading the free evaluation version for future use. Good idea or not?

I haven't put system restore back yet. I was waiting until I know I'm nasty free. Good Idea or not?

I want to thank all of you for helping me. You people have been the best. You have been so patient with me. I know almost nothing about what I have been doing nor about viruses/trojans/spyware. I'm slowly learning that Nyquil will not cure these things..... :lol:

I would say I'm almost there. Things are better than they were when I first started this thread, so it looks like things are looking up and I have you guys to thank.

I'll check back later today and check out the answers to my questions. Then I'll do the next set of cleanup stuff that was suggested. I'm falling asleep here..... :lol:

One more thing. While typing this....Spybot detected that something called "Avenue A"----a know threat was trying to download. Spybot asked me if I wanted to block this and I said YES. This came up 5 times.

1)What is "Avenue A"?

Cheers'
Meredith
(mereannjen@yahoo.com)

lol they are virus files. Virus writers are now naming files to look like system files, which is probably why you're worried. Anyway, if you google them all, you come up with the following info:

C:\WINDOWS\System32\winupd.exe - created by the bagle worms.
http://www.sysinfo.org/startuplist.php?filter=winupd.exe
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.P
You might actually want to try Symantec's free removal tool: http://securityresponse.symantec.com/avcenter/venc/data/w32.beagle.mo@mm.removal.tool.html

C:\WINDOWS\System32\winxp2.exe
maybe http://sarc.com/avcenter/venc/data/pf/adware.showbehind.html
inany case other people are reccomending its removal: http://216.239.59.104/search?q=cache:sYrOJW9tix4J:www.techsupportforums.com/showthread.php%3Ft%3D25904+winxp2.exe&hl=en
http://www.google.com/search?hl=en&lr=&q=winxp2.exe&btnG=Search

C:\WINDOWS\System32\svcload.exe
http://www.google.com/search?hl=en&lr=&q=svcload.exe
if it was legit then LIUtilties would be top of the list. As it is there is simple a much reduced list and every time it occurs it is in a HJT log and marked to be removed. so...

C:\WINDOWS\System32\syswin32.exe
http://startup.iamnotageek.com/srch-syswin32.exe.html
http://computercops.biz/startuplist-5439.html

And spoolcsv.exe (though it's not a running process)
http://www.google.com/search?&q=spoolcsv.exe

I looked in my recycle bin for spoolsv.exe and it's gone.

1) Is there somewhere I can download it to get it back?
2) If not, is it essential

I think it's essential for printing. I will zip it and email it to you later when I get home, assuming you're happy to accept exe files from me!

I have Ad-Aware 6.0 Personal. A friend sent it to me and it's been great. Is the one you mentioned better or are they the same?

Same program, but the link I gave is to a newer version - they've changed the numbering system and gone to 1.05 for some reason. If you press the update button on your version it should tell you that. I think updates have been suspended on your version, so it might be a good idea to download the new version when you have time.

My computer is running a lot better. My pages are loading without errors, pics are showing up, and I haven't had one instance of that dreaded "Page cannot be displayed. The page you are looking for is currently unavailable."

I found PC=cillin on Trend Micro's website. I'm thinking of running the free scan and then downloading the free evaluation version for future use. Good idea or not

It is a very good idea. We usually recommend that you do the panda activescan as well.
http://www.pandasoftware.com/activescan/com/activescan_principal.htm

I haven't put system restore back yet. I was waiting until I know I'm nasty free. Good Idea or not?

Yes, very good idea!

I want to thank all of you for helping me. You people have been the best. You have been so patient with me. I know almost nothing about what I have been doing nor about viruses/trojans/spyware. I'm slowly learning that Nyquil will not cure these things..... :lol:

I would say I'm almost there. Things are better than they were when I first started this thread, so it looks like things are looking up and I have you guys to thank.

I'll check back later today and check out the answers to my questions. Then I'll do the next set of cleanup stuff that was suggested. I'm falling asleep here..... :lol:

We're all here to help. Well, mostly lol.

One more thing. While typing this....Spybot detected that something called "Avenue A"----a know threat was trying to download. Spybot asked me if I wanted to block this and I said YES. This came up 5 times.

1)What is "Avenue A"?

It's a tracking cookie I think, so it doesn't really matter. Spybot is well known for complaining about it.

Cheers'
Meredith
(mereannjen@yahoo.com)

One more thing. While typing this....Spybot detected that something called "Avenue A"----a know threat was trying to download. Spybot asked me if I wanted to block this and I said YES. This came up 5 times.

1)What is "Avenue A"?

As Dave said, it's a tracking cookie. You can set SpyBot to automatically block things like that without asking for confirmation each time:

Under the "Immunize" section of SpyBot's settings, put a check mark in the "Enable permanent blocking of bad addresses..." box and choose "Block all pages silently" from the pull-down menu.

:surprised Ok guys, here is the latest:

I ran Panda Active Scan and it found Sasser.B Worm. I used the link they gave me to update my Windows Security for that and all the other security updates as well. I figured why not since I was already there.

I also downloaded PQ Remote for Sasser.B Worm from Panda and had it remove it. It was in Windows/System32/lsass.exe. I just check and lsass.exe is still there. Should I delete it and all instances of it?

I then scanned my whole computer with Housecall PC-cillin. It found nothing.

I then scanned with Spyware Doctor and it found nothing. I also checked for updates for it and there weren't any yet.

I then scanned with Spybot S&D and it found 4 entries for "FunWeb Products". I did have Cursor Mania at one time, but uninstalled it. Looks like I might have some of it remaining. They are in a Recovery folder. I found it along with all of the DSO Exploits Spybot has ever found. It looks like this folder is for all the bad things Spybot has ever found. Should I delete the whole folder?

I then ran AVG and it found nothing. By the way, AVG never found the Sasser.B Worm.

I did another Hijack This and here is the log:

Logfile of HijackThis v1.98.2
Scan saved at 12:13:57 AM, on 12/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\svcnhost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Meredith\Local Settings\Temporary Internet Files\Content.IE5\SIYMAG98\WindowsXP-KB835732-x86-ENU[1].EXE
c:\5604a1a333c461e9f902f4d5cf8104\xpsp1hfm.exe
c:\5604a1a333c461e9f902f4d5cf8104\sp2\update\update.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS 1\HIJACK THIS\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/yie6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcnhost] svcnhost.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [svcnhost] svcnhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com

Everything is running great, but I'll wait until you analyze that log, before I put on system restore again. All the problems I mentioned in my first thread are all gone. No reoccurances either. You guys are the best. I'm telling all of my family and friends about you and DaniWeb!!!

Questions:

1) What do you think of Incredimail? I had it for about a year before all this mess started. I really loved it and never had any problems with it. Is it ok to use? Are there any nasties that might come with it?

Also, and this is a question from a friend...

1)Any free websites or downloads for free cursors that have no problem with nasties? He used Cursor Mania like I did and got a few spyware problems with My Web Search Toolbar that comes with it.

I think that's it. Thanks guys. ((((HUGE HUGS)))) Looks like I can keep my comp for a few more years. I didn't really want to have to throw it into a deep dark well. It was a Christmas present from a close friend.... :lol:

Thanks For All Your Help Dave, DMR, dlh6213, Sphyenx and Nexonflux....

Meredith
(mereannjen@yahoo.com)

Your log indicates that you still have problems, and those problems are not the same as the originals. You've either gotten further infections (not unusual) or the infections that you originally had have "morphed" (also not unusual).

I need to log off now, but hopefully one of our other members will pick up on this shortly. If not, I'll repost here tomorrow.

Don't delete Windows/System32/lsass.exe, the worm should be gone, you can scan with Panda again to make sure. Not all AV programs find everything; unfortunately PC's don't like to run with more then one AV installed, that's why the free online scans (like Panda and TrendMicro) are so useful.

If you haven't done so already, get SpywareBlaster (link in DMR's signature), update it, and have it 'enable all protection.' This may help prevent reinfections.

Wait for advice from someone else before deleting the Spybot folder you mentioned -- I'm not sure how Spybot works, but this may be where it keeps it's 'Immunize' files.

Don't turn System Restore back on just yet -- almost there though :)

It may have just been a coincidence, but I tried Incredimail once and immediately after that started having problems. (Oddly enough, that's what eventually led me to DaniWeb.) I know there are people that have used it for a long time though with no problems so I'm not going to tell you it's not safe.

I see you got the spoolsv.exe back :)

You need to empty all the Temp and Temporary Internet folders for all users on the computer.

Now for your log. Close all browser windows, scan with HJT and have it fix the following entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O4 - HKLM\..\Run: [Microsoft WinUpdate] syswin32.exe
O4 - HKLM\..\Run: [svcnhost] svcnhost.exe
O4 - HKLM\..\Run: [Win32 SSL Driver] winssv.exe
O4 - HKLM\..\RunServices: [svcnhost] svcnhost.exe
O4 - HKLM\..\RunServices: [Win32 SSL Driver] winssv.exe

Reboot and then do a search for each of these:
syswin32.exe
svcnhost.exe
winssv.exe
svcnhost.exe
winssv.exe
If they're not gone, let us know where they are located in your next post.

I'm a bit curious about this: C:\Program Files\Windows NT\Accessories\WORDPAD.EXE because of the capital letters, the way I normally see it is C:\Program Files\Windows NT\Accessories\wordpad.exe, does anyone know if this is a problem?

Once again, make sure all browser windows are closed, scan with HJT, and post a new log.

They are in a Recovery folder. I found it along with all of the DSO Exploits Spybot has ever found. It looks like this folder is for all the bad things Spybot has ever found. Should I delete the whole folder?

What is the exact location of the Recovery folder you mentioned? If you can tell us that, we can tell you for sure if you should delete it or not.

:p Hello everyone! It's that time again....time to play What's In That HJT Log? Our lucky contestants today are:

The Marsupial Moderator
Dave

Let's see who get's to go first.....

Logfile of HijackThis v1.98.2
Scan saved at 2:28:02 AM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.1601.0\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.0002.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) - http://www2.incredimail.com/contents/setup/downloader_sp1_t/incredimail_install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab

As for the rest of the stuff:

syswin32.exe----gone
svcnhost.exe---gone
winssv.exe----gone
svcnhost.exe-----C:/WINDOWS/Prefetch
C:/WINDOWS/system32


winssv.exe--C:/RECYCLER/S-1-5-21-842925246-813497703-1343024091-1004
C:/RECYCLER/S-1-5-21-842925246-813497703-1343024091-500
C:/RECYCLER/S-1-5-21-1801674531-436374069-854245398-1003
Recycle Bin

(I got this when trying to delete the winssv.exe: Error Deleting File or Folder Message: cannot delete file: Cannot read from the source file or disk.)

The other (svcnhost.exe) deleted easily. They went right into my trash bin.

Thanks for playing What's In That HJT Log? Winners will be posted tomorrow.....

Meredith
(mereannjen@yahoo.com)

Well Meredith, you're getting there slowly but surely. But tell me, what are you going to do for fun once you've got this cleaned? :)

Let's see if this can finish it up; first empty your Recycle Bin, and then reboot into Safe Mode.

Go to:
C:/WINDOWS/system32 -- delete svcnhost.exe
C:/WINDOWS/Prefetch -- delete svcnhost.exe

Empty the Recycle Bin

Do another search for svcnhost.exe and winssv.exe. Hopefully you won't find them this time, but if you do, go to their location, delete them, and empty the Recycle Bin.

Post the results along with another HJT log -- and the SpyBot folder as DMR requested.

:cheesy: Ok gang,

I went into WINDOWS/System32 and looked for svcnhost.exe. Couldn't find it, so I did a search and it was never found.

I then went into WINDOWS/Prefetch and looked for winssv.exe and couln't find it either, did a search and it wasn't found.

As for the Spybot Recovery Folder, it's there and it's empty. I did a search and no FunWeb Products were found. Looks like they disappeared sometime.

Here is my latest HJT Log:
Logfile of HijackThis v1.98.2
Scan saved at 9:25:55 PM, on 12/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Documents and Settings\Meredith\My Documents\MY PROGRAMS\HIJACK THIS\HijackThis.exe
C:\PROGRA~1\INCRED~1\bin\ImNotfy.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Yahoo!
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.yahoo.com
O15 - Trusted Zone: http://www.daniweb.com
O15 - Trusted Zone: http://free.grisoft.com
O15 - Trusted Zone: http://www.spywareinfo.com
O15 - Trusted Zone: http://securityresponse.symantec.com
O15 - Trusted Zone: http://*.tomcoyote.org
O15 - Trusted Zone: http://www.trendmicro.com
O16 - DPF: {1223B679-3A38-4EB0-A170-A58F703ACCA5} (ImStarter Class) - http://www2.incredimail.com/contents/setup/downloader_sp1_t/incredimail_install.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101714994263
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader_sp1/imloader.cab

I ran all of my virus, spyware and nasty finding programs and the only one that found anything is Spyware Doctor and it found and IE Browser Helper and Tracking Cookies. I went ahead and let it fix those.

Looks good guys. Thanks so much for all your help.

Let me know what else you find...

Oh, and by the way, to answer your question about what am I going to do when all is fixed? Looks like I'll be spending a lot of time checking out all the forums on DaniWeb and trying out Hints and Tricks....oh and keeping all of my virus, etc programs running 24/7......LOLOL!

Meredith
(mereannjen@yahoo.com) :mrgreen:

Congrats- your log looks clean to me. :)

You might want to wait until dlh6213, DaveSW, crunchie, or caperjack give a "second opinion" on my assesment.

this line seems odd:
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
Any one else have any opinions on it?
http://www.google.com/search?hl=en&lr=&q=%22739E8D90-2F4C-43AD-A1B8-66C356FCEA35%22

edit: btw did you get spoolsv.exe from someone else? I was about to send it Saturday and it was showing as running in your log... so I thought I'd check first!

this line seems odd:
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
Any one else have any opinions on it?

I agree, you should probably have HJT fix that. Other then that, it looks okay to me.
Now you can turn your System Restore back on :)
This would also be a good time to review this thread to help determine if you should get SP2 or not:
http://www.daniweb.com/techtalkforums/thread10031.html
And if you haven't done so already, get SpywareBlaster, have it enable all protection (and update it frequently).

Hey guys,

Thanks for reminding me about the spoolsv.exe. I forgot to mention that it came back on it's own. Weird, but fine with me.

I had HJT take care of that 16 problem and I am downloading Spyware Blaster as I type this. I turned on System Restore as soon as I saw your post dlh.

I'm still undecided on SP2 though. It looks to be about 50/50 on what people think about it. It sounds good in theory, but.....

Anyway, thanks guys. If you want me to post one more HJT log let me know here or in an email. I finally got my email program working.....yeehaw!! Time to hit the bed with sweet dreams of DaniWeb techs dancing through my head and if I don't get a chance, MERRY CHRISTMAS TO THE WHOLE DANIWEB TEAM!!!!

All My Best,
:cheesy: Meredith
(mereannjen@HotPOP.com)

and a virus-free Christmas to you too!

feel free to post another log just to be on the safe side! on the other hand.. do you really want to know? lol

this line seems odd:
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} -
Any one else have any opinions on it?

D-oh! I missed that one... yup, it should get the axe.

Does it make any difference when it just shows the number, not the description or address? e.g. do a google search for that number and it has a description and an address, whereas here it has neither... Also one of my pcs shows all the dpf entries without the descriptions/address. Just wondering... ;)

SP2 is good, in my opinion best installed on a fresh install of windows from the free disk that microsoft sent me !
But i have installed it on a old install with out any problems.