Internet Explorer-OUT OF ORDER + More

fragmented_user.

Hi and welcome to Daniweb :).

First up, I cannot read that 'cos the text is too small :). Please just paste your log in normally on your next post.

Secondly, I need the hijackthis log to be done in normal mode as not all items will be listed.

Please go here and download Find_qoologic.zip by baskar1234. Unzip the folder and go to the new qoologic folder and doubleclick on qoologic.bat to run it. It will take a few minutes to scan your drive so be patient. When it has finished, open My Computer, doubleclick on C: and copy and paste the contents of the below logs in this thread.

C:\log.txt
C:\win.txt
C:\start.txt

-

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder.

Reboot in Safe mode.

Doubleclick rkfiles.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

To save some time, could you please have all the files that rkfiles finds uploaded for an online scan here;

http://virusscan.jotti.org/

Post the contents of C:\log.txt in your next reply.

Thank You Crunchie for such an immediate response; I greatly appreciate it.I performed all the tasks that

you have required of me and listed all logs below including all originally posted logs(in increased font

size :-| -sorry about the small size ) :)

these are the logs recorded succeeding the 'qoologic' scan

[log.txt]

C:\Documents and Settings\boe2206\My Documents\Mine!\Other than

Rhino\Downloads\msnmes\q\findqoologic

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE

LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS

LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\d3dx9d_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\MRT.exe: (ASPack)
C:\WINNT\system32\MRT.exe: ASPack 1.61
C:\WINNT\system32\MRT.exe: ASPack 1.084
C:\WINNT\system32\MRT.exe: ASPack 1.083
C:\WINNT\system32\MRT.exe: ASPack 1.08.02b
C:\WINNT\system32\MRT.exe: ASPack 1.07b
C:\WINNT\system32\MRT.exe: ASPack 1.05b
C:\WINNT\system32\MRT.exe: ASPack 1.02
C:\WINNT\system32\MRT.exe: ASPACK

Files Found in all users startup Folder............
------------------------

[win.txt]

C:\WINNT\system32\d3dx9d_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\d3dx9_25.dll: D3DXUVAtlasPack
C:\WINNT\system32\MRT.exe: (ASPack)
C:\WINNT\system32\MRT.exe: ASPack 1.61
C:\WINNT\system32\MRT.exe: ASPack 1.084
C:\WINNT\system32\MRT.exe: ASPack 1.083
C:\WINNT\system32\MRT.exe: ASPack 1.08.02b
C:\WINNT\system32\MRT.exe: ASPack 1.07b
C:\WINNT\system32\MRT.exe: ASPack 1.05b
C:\WINNT\system32\MRT.exe: ASPack 1.02
C:\WINNT\system32\MRT.exe: ASPACK

---------------------------------------------------------------------------------------------------------------------------------------------------

below is the log recorded succeeding the 'rkfiles' scan
with inserted 'jotti-virus scan' results=*

[win.txt]

C:\Program Files\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE

LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS

LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINNT\system32\gpbpbri.dll: UPX!
*Found Trojan-Downloader.Win32.Qoologic.q
C:\WINNT\system32\eliteckt32.exe: FSG!
*Found Trojan.Win32.StartPage.nk
C:\WINNT\system32\elitehxc32.exe: FSG!
*Found Trojan.Win32.StartPage.nk
C:\WINNT\system32\dfrg.msc:

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213
*Found nothing
C:\WINNT\system32\DivX.dll: PEC2
*Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers

were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into

lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless.

Caution is advised, however.)
MD5 9b76cfec2236efbd731b65155f24a7a0
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Scanner results
Found nothing

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
Finished
bye

-----------------------------------End of Requested Scan Logs---------------------------------------

I am Posting most of the Previously posted logs in the following order: HJT Log, Ad-Aware SE, and

XOFTSPY (All scans except for the 'HJT Log' were done in "safe mode")
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
HJT Log:
-------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 9:46:38 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than

Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\nrarap.exe reg_run
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKLM\..\Run: [wiphadt] c:\winnt\system32\dlvxkqp.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

-------------------------------------------------------------------------------------------------------------------------------------------------------------------

I hope these help - Thank You for everything you're doing :)

-With Much Gratitude
Y. H.

Download Killbox v2.0.0.175 and unzip the file to your Desktop and have it ready to use.

-

Save all the below files to a text document (notepad) to be used shortly.

C:\WINNT\system32\gpbpbri.dll
C:\WINNT\system32\eliteckt32.exe
C:\WINNT\system32\elitehxc32.exe
C:\WINNT\System32\nrarap.exe
c:\winnt\system32\dlvxkqp.exe

-

Reboot into safe mode following the instructions here.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\nrarap.exe reg_run
O4 - HKLM\..\Run: [wiphadt] c:\winnt\system32\dlvxkqp.exe r

Open the text file you saved previously and right click and drag your cursor over the files to highlight them and then use Control+C to copy them to the clipboard..
Open KILLBOX and go to File...."Paste From Clipboard". All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there) . Then checkmark the "Delete on Reboot" box..and click the red X. You will get a message saying "File will be deleted on next reboot" , Process and Reboot now?" Click "Yes" and post a new log when you have rebooted.

Dear Moderator Crunchie,

First off, I apologize for posting such a large quantity of info when you did not expressedly request it. I simply was unsure of whether you needed it or not, and wanted to resolve the issue in as few posts as possible which is why I posted them; just in case. :)

Secondly, I performed most of the actions that you required of me, the exception resulting because the file paths:C:\WINNT\System32\nrarap.exe and c:\winnt\system32\dlvxkqp.exe are seemingly nonexistent(I checked the path both manually-explorer- and automatically-search-to no avail) I then performed a 'Xoftspy' scan and recieved notification of the following: :?:

<ScanningRegKeys>
</SW>
<SW NAME = "EliteBar">
<REGKEYFOUND NAME = "SOFTWARE\LQ"/>
<REGKEY NAME = "EliteBar SOFTWARE\LQ"/>
</SW>
<SW NAME = "AFAEnhance">
<REGKEYFOUND NAME = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
<REGKEY NAME = "AFAEnhance SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
</ScanningRegKeys>
<ScanningRegValues>
</SW>
<SW NAME = "EliteBar">
<REGVALUE VALUE = "EliteBar software\microsoft\windows\currentversion\run\checkrun"/>
<REGVALUEFOUND NAME = "software\microsoft\windows\currentversion\run\checkrun"/>
</ScanningRegValues>
<ScanningRegValuesChanged>
</ScanningRegValuesChanged>
<FILE PATH = "180Solutions C:\WINNT\salmbundle.exe"/>
<FILE PATH = "C:\WINNT\salmbundle.exe"/>
<FOLDER PATH = "BookedSpace C:\WINNT\bsx32"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASI2.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASI50.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASICLRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASICLV.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIEPRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIEZ.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIMBC.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASIRCPRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASISS2RE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ASISSRE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPC.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPD.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPE.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPF.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFAM.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFI.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPFIN.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPG.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPH.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPHL.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPJ.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPM.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPMTV.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPN.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPR.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPS.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPSHOP.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPSP.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\TMPW.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\WEBS1.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\WEBS2.bsx"/>
<FILE PATH = "BookedSpace C:\WINNT\bsx32\ZNETGP.bsx"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml\categories"/>
<FOLDER PATH = "EliteBar C:\WINNT\EliteToolBar\xml\images"/>
</Scanning>

</Scanning>

Posted below is my new HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:28 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe

Oh, and one more thing- Internet Explorer still cannot open in its default window (only through outlook) and there is a proccess or program named 'Sample' that repeatedly (though not constantly) refuses or is unable to close whenever I perform 'Windows Shutdown.' I must select 'end now' in order to have the computer Shut Down.

With Much Gratitude :)
-Y.H.

I have to say that I have little faith in xoftspy as they were listed on this site http://www.spywarewarrior.com/rogue_anti-spyware.htm

Getting somewhere now though.

===============

Run HiJackThis, click "Scan", then check(tick) the following, if present:

O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteckt32.exe

Now, with all windows closed (including Internet Explorer) except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\winnt\system32\eliteckt32.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Let me know how everything goes.

-

Download the Hoster.
Run it and press "Restore Original Hosts" and press "OK". Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Dear Moderator Crunchie,

Wow, Thanks for that info, in fact, thanks for everything you're doing; I never really knew enough to
check the validity of anti-spyware itself (who would've thought, first they write the spyware programs, then they
produce false anti-spyware to make-sure no-one finds any of it -:lol: ). Unfortunately though, The following
quote from the same site you posted led to confuse me:

"Over the past few months, XoftSpy has taken aggressive steps to reign in its affiliates (who were primarily
responsible for the unsavory advertising), revised its license text, and released a new version of XoftSpy
(version 4.0) that addresses our concerns with false positves. Given these changes we can no longer regard
XoftSpy as "rogue/suspect" anti-spyware."
Found in its original context at: http://www.spywarewarrior.com/rogue_anti-spyware.htm#xos_note
listed under 'xoftspy note'

I can't blame you if you didn't see it, it was kinda hidden. :)
None-the-less, could it be possible, that the very fact it was ever regarded as a "Rogue/Suspect", now classifies
it as ineffective? (just asking if that was your motive for declaring mistrust in xoftspy or did you just, not see the
note?) I am considering uninstalling xoftspy, and I'd like to know if I should. :confused:

On account of what I saw, I deem there's a possibility you might develop trust in xoftspy's free
downloadable scanner, and so, in the event that, that does happen I posted the results from the last xoftspy scan I performed, for you to consider: :?:

excerpt from XoftSpy '4.13' Log:

<ScanningRegKeys>
</SW>
<SW NAME = "EliteBar">
<REGKEYFOUND NAME = "SOFTWARE\LQ"/>
<REGKEY
NAME = "EliteBar SOFTWARE\LQ"/>
</SW>
<SW NAME = "AFAEnhance">
<REGKEYFOUND NAME =
"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>
<REGKEY NAME = "AFAEnhance
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WAFAIE"/>

In any event, I performed all the tasks you requested of me except I did not find that one file you requested that I
delete. However, I did find and delete the following folders:C:\WINNT\EliteToolBar, C:\WINNT\bsx32
and files:salmbundle.exe, bdoscandel.exe (I deleted the folders only AFTER I recorded the HJT Log you
requested- posted below) besides for that everything ran smoothly. The instructions you gave were great! :)

Logfile of HijackThis v1.99.1
Scan saved at 9:59:23 AM, on 6/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than
Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New
Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works
Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe
/title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than
Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) -
http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) -
http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk
Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program
Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My
Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program
Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia
Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation -
C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec
AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client
Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec
Client Security\Symantec Client Firewall\SymSPort.exe

Oh, and one more thing- Internet Explorer still cannot open in its default window (only through outlook) and there
is a proccess or program named 'Sample' that repeatedly (though not constantly) refuses or is unable to close
whenever I perform 'Windows Shutdown.' I must select 'end now' in order to have the computer Shut Down. I
understand that there is a seperate forum for web browsers. However, I am at this point, inclined to think, that
my web browser's loss of functionality was caused by an infected program/process/registry key.

-With Much Gratitude
Y.H. :)

The reason I do not have any faith in Xoftspy is because of it's history. I personally will not recommend it because of that :).

Did you try the Hoster?

Click here to download IEFIX and save it to your desktop. This will restore the MS default home and search pages. After it is downloaded, close all Internet Explorer windows and doubleclick on the file. When it asks if you want to merge to the registry say yes. Restart Internet Explorer and see how it is after that.

-

Go here and download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.
If you have a script blocking program, please allow the file to run. It is not malicious.

Dear Moderator Crunchie,

The reason I do not have any faith in Xoftspy is because of it's history

Well, I can understand that then, since that's the case, I guess I just havent known about Xoftspy long
enough to distrust them the way you do.. but.. your a tech expert, so I'll just be smart and take your advice. :)
As for whether or not I tried Hoster, I definitely did. Not only does the program perform quickly and contain an
easy to use interface, but it also offered to perform a host of tasks that I never even knew I was able to
perform. (If only I knew what they all did, lol) Thanks a bunch.:)

Unfortunately though the original problem [Internet Explorer still cannot connect in its default window (only
through outlook) and there is a process or program named 'Sample' that repeatedly (though not constantly)
refuses or is unable to close whenever I perform 'Windows Shutdown.' I must select 'end now' in order to
have the computer Shut Down.] still exists so...

So here I am, and here is the log you requested (generated after I performed the IE registry fix). I sure
hope there's hope for my computer.lol

"Silent Runners.vbs", revision 39, [url]http://www.silentrunners.org/[/url]
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"rdssfnqv.exe" = "C:\WINNT\system\rdssfnqv.exe" [file not found]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINNT\System32\ctfmon.exe" [MS]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"SynTPLpr" = "C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" ["Synaptics, Inc."]
"SynTPEnh" = "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" ["Synaptics, Inc."]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Gateway Ink Monitor" = ""C:\Program Files\Gateway Utilities\GWInkMonitor.exe"" ["Gateway"]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe" ["Symantec Corporation"]
"Microsoft Works Update Detection" = "C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" ["Microsoft® Corporation"]
"CorelDRAW Graphics Suite 11b" = "D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN" [file not found]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"MessengerPlus3" = ""C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"" ["Patchou"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
                                       \StubPath   = ""C:\WINNT\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
  -> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" [file not found]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office10\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{8e9d6600-f84a-11ce-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{e3f2bac0-099f-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{52c68510-09a0-11cf-8daa-00aa004a5691}" = "Shell extensions for NetWare"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Audiodev.dll" [MS]
"{C81DCBCA-8AE2-41FC-9C39-78B160393210}" = "RhinoShExt"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\RhinoShExt.dll" ["Robert McNeel & Associates"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
  -> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! NavLogon\DLLName = "C:\WINNT\System32\NavLogon.dll" ["Symantec Corporation"]
INFECTION WARNING! Sebring\DLLName = "C:\WINNT\System32\LgNotify.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
qgkgkxnf\(Default) = "{3d699a55-6688-4b87-bbeb-49c32343e343}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\dcqcq.dll" [null data]
RhinoShExt\(Default) = "{C81DCBCA-8AE2-41FC-9C39-78B160393210}"
  -> {CLSID}\InProcServer32\(Default) = "C:\WINNT\system32\RhinoShExt.dll" ["Robert McNeel & Associates"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
Convert\(Default) = "{9f95ca1a-e80e-4c0f-acd1-4c9b7900b982}"
  -> {CLSID}\InProcServer32\(Default) = "D:\DirectX9 Plugins\Utilities\Bin\x86\TxView.dll" [file not found]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
InventorMenu\(Default) = "{6FDE7A70-351B-11d6-988B-0010B57A8BB7}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Documents and Settings\boe2206\My Documents\Mine!\Plug-ins\Flamingo\Inventor 9\Bin\DT.dll" ["Autodesk, Inc."]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
  -> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
NetWareUNCMenu\(Default) = "{e3f2bac0-099f-11cf-8daa-00aa004a5691}"
  -> {CLSID}\InProcServer32\(Default) = "nwprovau.dll" [MS]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
  -> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINNT\DCMALogo.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "ssmyst.scr" [MS]


Startup items in "boe2206" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Microsoft Office" -> shortcut to: "C:\Program Files\Microsoft Office\Office10\OSA.EXE -b -l" [MS]


Enabled Scheduled Tasks:
------------------------

"ISP signup reminder 2" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:2" [MS]
"ISP signup reminder 3" -> launches: "C:\WINNT\System32\OOBE\oobebaln.exe /sys /i /n:3" [MS]
"Low Battery Alarm Program" -> WARNING -- The file "Low Battery Alarm Program.job" is corrupt! (no executable)
"XoftSpy" -> launches: "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\xoftspy\XoftSpy.exe -t" ["ParetoLogic Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\nwprovau.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 30
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]


Miscellaneous IE Hijack Points
------------------------------

C:\WINNT\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):
[Strings]: START_PAGE_URL=http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Missing lines (compared with English-language version):
[Strings]: 1 line


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Adapter Switching, IntelRoam, "C:\Program Files\Intel\Switching\User\RoamSvc.exe" ["Intel Corporation"]
Ati HotKey Poller, Ati HotKey Poller, "C:\WINNT\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
Autodesk Licensing Service, Autodesk Licensing Service, ""C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe"" [null data]
Client Service for NetWare, NWCWorkstation, "C:\WINNT\System32\svchost.exe -k netsvcs" {"C:\WINNT\System32\nwwks.dll" [MS]}
ewido security suite control, ewido security suite control, "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]
PrismXL, PrismXL, "C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS" ["Lanovation"]
RegSrvc, RegSrvc, "C:\WINNT\System32\RegSrvc.exe" ["Intel Corporation"]
RoamMgr, RoamMgr, "C:\WINNT\System32\RoamMgr.exe" ["Intel Corporation"]
Spectrum24 Event Monitor, S24EventMonitor, "C:\WINNT\System32\S24EvMon.exe" ["Intel Corporation "]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, ""C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe"" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec SecurePort, SymSecurePort, ""C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINNT\System32\wdfmgr.exe" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
  launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
  DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
  use the -supp parameter or answer "Yes" at the first message box.
---------- (total run time: 127 seconds, including 18 seconds for message boxes)

P.S. I didn't know tech support worked on holidays and weeekends.:) Well whatever, if they enjoy it, and we both benefit, it's all good. How was your Independence Day? I hope you had a blast. lol

P.P.S. I just finished burning the fourteenth CD to my new set of Debian (Sarge) OS-CD Package CDs.
I can feel it coming now...the freedom flowing towards me in a gentle breeze...surrounding me in deepening waters of a -virus shredding and glitch ridding- purification.. It won't be long now.... it won't be long.

-With Much Gratitude
Y.H.:)

Will take a closer look when I arrive home from work. Looks like there may be a couple of things there to fix.

Please go here and have this file scanned. Post the results back here.

C:\WINNT\System32\dcqcq.dll

To:Moderator Crunchie

I did as you insructed and invoked the following erorr message:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

With Much Gratitude,
Y.H.

To:Moderator Crunchie I tried the scan once more just to be certain, and recieved the following message:

Found: Trojan-Downloader.Win32.Qoologic.q

With Much Gratitude,
Y.H.

Run Pocket Killbox and paste the full file path of the below file in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you the file.

C:\WINNT\System32\dcqcq.dll

Reboot afterwards if the file is successfully deleted.

If the file is not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File with be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot.

-

Post a new hijackthis log when done.

I may be away for a couple of days, but one of the other guys should finish helping you :).

To: Moderator Crunchie

I'm sorry, I got caught up in something the last couple days so I didn't get a
chance to speak with any another tech that might have been told to help me
in your absence, though I do greatly appreciate your consideration, as to
assure me that I would be aided in your absence :)

In any event, I saw something posted by you today, and consequently
thought it was safe to assume that you have returned. I followed your
instructions, used killbox -to succesfully delete: C:\WINNT\System32
\dcqcq.dll. and I have posted My latest HJT Log below.

-------------------------------------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:14:41 AM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINNT\System32\RegSrvc.exe
C:\WINNT\System32\RoamMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\QuickTime\qttask.exe
C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] D:\Languages\EN\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=052305 serial=DR12WTX-9999998-YSP lang=EN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\New Folder\MsgPlus.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\boe2206\My Documents\Mine!\Other than Rhino\Downloads\msnmes\q\ewido\security suite\ewidoctrl.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
-------------------------------------------------------------------------------------------

With Much Gratitude,
Y.H.

Congratulations! Your log looks clean - good work!

===============

Now that your PC is clean you need to follow these easy steps to keeping it this way:

Secure your Internet Explorer by going here and following the instructions there.

Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.

Use a firewall to help prevent your PC's control being usurped by undesireables. There is a link to a good, free firewall in my signature.

Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.

Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.

Check for Windows Updates. Microsoft regularly post updates for your systems safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.

Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin.

For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig. Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.

Check the box labelled 'Turn off System restore'.

Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.

Note that all previous restore points will be lost.

===============

If you have any more problems, post back.

-

Happy surfing,

crunchie.

Dear Moderator Crunchie,

I thank you, for all the time you took out of your schedule to aid me. I also thank you for the additional tips you have given me to prevent re-infection. There is one last question I would like to ask though(I hope I don't sound ungrateful-you've already done so much), and that is: Where do you suggest that I should start a thread to help me regain functionality of Internet Explorer's Main Window( I can only start Explorer using Outlook). I ask that question because I'm assuming that I posted my problem in the wrong forum. I'm new to online forums and I can't tell the difference so, please be so kind as to advise on what to do to solve my IE problem,or where to correctly re-post it.

Note: I've already tried to uninstall and reinstall. but I can't figure out how to uninstall and I'm not sure I'd be able to reinstall.

With Much Gratitude,
Y. H.

Check this thread:
http://www.daniweb.com/techtalkforums/thread27924.html

Slightly different problem, but the same fixes should be tried. There is also a link to reinstalling IE.

My apologies Y. H. I had completely overlooked that problem. Try this as well;

1) find the ie.inf file located in Windows\Inf folder.
2) Right click the ie.inf file and click Install on the context menu.
3) Reboot the computer when the file copy process is complete.

That's it :).

Dear, Crunchie

After the amount of time that I was not able to use the main IE window, I truly regard it as a miracle, to see the IE
status bar read:

Opening Page--->loading:Completed,

As can be easily fathomed, I am writing this post using IE, and reveling in it. (To the greatest extent that one may
revel in IE :) lol ) And, in the spirit of goodness, if I ever come across someone with the same problem I have had,
I will pass onto them, the solution that you have provided me with.

I believe that every good technician would like to be aware of exactly how things run, in order that he or she
might learn, whatever there is to learn, from every procedure. For that reason I am providing you with all the
details of the prescribed procedure from start to finish:

1) I found the ie.inf file located in the (I have XP pro.) WINNT\Inf folder.
2) I Right clicked the ie.inf file and clicked Install on the context menu.
3) The file copy process completed.
4) I Received the following error message:
http://us.f3.yahoofs.com/users/428d72ecz223172b2/c063/__sr_/1783.jpg?phWIw1CB3XDm6yDN
5) I Left Clicked Cancel
6) I Rebooted the computer
7) Internet Explorer was ressurected from the dust (of my inf file).

To: Anybody who happens to read this post, days, weeks, or years from today:

If you have the same problem as me, and can't seem to solve it, follow Crunchie's directions as listed
in the post above this one. Don't be afraid to try it; it worked for me, and it just might work for you.

To: Crunchie

I could thank you a million times, but then I'd just sound like a moron (nevermind waste your time, and tire your
ears)
So..... I guess I'll just thank you once

Thank You Crunchie, You've been a great help. :)

Sincerely,
Joseph (a.k.a. Y.H.)

To: Moderator dlh6213

Thank you very much for the link you suggested; I found alot of useful info; and a great program which may prove very useful in the near future.:)

Best Regards,
Y.H.

Thank You Crunchie, You've been a great help. :)

Sincerely,
Joseph (a.k.a. Y.H.)

Joseph. You are extremely welcome :). I love it when things go well :D.

This thread is now closed. If you need it reopened, please send a PM to one of our Mods.

Include the link to the thread and detail why you need it reopened.

If this is not your thread please start a New Topic.