dlh6213 27 Posting Maven Team Colleague

First right-click on your desktop and select New, Folder; give the new folder a name like HJT, and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://tidbitsmedia.com/members/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)

Close any open browser windows before hitting the Fix button.

Go to C:\WINDOWS\system32 and delete viruxz.dll if present.

Get and run CCleaner (go to the 'Cleanup' link in my signature block below).

Update AVG and run a full system scan.

Let us know if you still have problems.

dlh6213 27 Posting Maven Team Colleague

I have 30-some computers at home, but I'm not a geek, I'm a guru :)

dlh6213 27 Posting Maven Team Colleague

Have you tried contacting Toshiba to see if they can help?
http://www.toshibadirect.com/td/b2c/customerservice.to

dlh6213 27 Posting Maven Team Colleague

Hi darkline, welcome to DaniWeb :D

Please follow the instructions and recommendations in the links below. When you get to the Infection Removal thread, please follow the instructions in post #6.

When you've finished, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Looking better :)

Go to Add or Remove Programs in your Control Panel and remove WildTangent (if present).

Scan with HJT and have it fix:

O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540002} (CInstall Class) - http://www.wildtangent.com/webdrive...ave/Install.cab

Do you want to have PartyPoker on your system? If not, do the following as well:

Go to Add/Remove Programs and remove PartyPoker (if present)

Scan with HJT and have it fix the following entries:

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe

Be sure to close any open windows, other than HijackThis, before hitting Fix checked.

Go to C:\Program Files and delete PartyPoker.net (or PartyPoker)

Empty your Recycle Bin and reboot.

Let us know if you have any more problems.

dlh6213 27 Posting Maven Team Colleague

Hi Tomac_1, welcome to DaniWeb :D

You have quite a bit of cleaning needed there; please start by following the recommendations and instructions in the links below.

When you get to the Specific Infection thread, get the latest version of HijackThis and make sure it is installed in a permanent folder (instead of a Temp as it is now), and then go to post #4 -- the instructions there should get rid of that virus.

When you've finished, close any open browser windows, scan with HijackThis, and post a new log to clean up any remaining items.

dlh6213 27 Posting Maven Team Colleague

Well, it looks like Ewido cleaned up quite a bit of junk there. Be sure to keep your Temporary folders, Cookies, etc. cleaned up; you can find help doing this in the Cleanup link below.

Crunchie pointed out something that I've been overlooking in your HJT logs, so you should scan with HJT and have it fix, if present:

O4 - HKLM\..\Run: [MyVBApp] C:\iexplorer.exe
(It's spyware, but Ewido may have fixed it already)

Set a System Restore Point.

Then go to C: and delete iexplorer.exe. MAKE SURE you delete iexplorer.exe, and NOT iexplore.exe (note the extra 'r').

Empty your Recycle Bin and reboot.

You should be okay now; let us know if you're still having problems.
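A small checker for the lookalike-name warning in the post above (iexplorer.exe versus iexplore.exe), as an added example that is not part of the original post: it parses HijackThis-style log lines, flags orphaned entries, and reports file names one edit away from a known Windows binary. The allow-list, the function names and the last sample line are assumptions.

```python
import re
from typing import List, NamedTuple, Optional

# Assumption: a small allow-list of genuine Windows binary names to compare against.
KNOWN_NAMES = {"iexplore.exe", "explorer.exe", "svchost.exe"}

# Constructed sample: the first four lines copy entries quoted in posts on this
# page; the last line is made up to show a genuine name passing the check.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [MyVBApp] C:\iexplorer.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O21 - SSODL: bestreak - {874443fe-aa33-4ebf-a6ac-73208787e62d} - C:\WINDOWS\system32\viruxz.dll (file missing)
O4 - HKLM\..\Run: [IE] C:\Program Files\Internet Explorer\iexplore.exe
"""

# "<section code> - <rest of entry>", e.g. "O4 - HKLM\..\Run: [name] path"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First drive-letter path in the entry that ends in .exe or .dll
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)\b', re.IGNORECASE)
# Markers HijackThis appends when the referenced file no longer exists
ORPHAN_MARKERS = ("(file missing)", "(no file)")


class Finding(NamedTuple):
    code: str                 # section code such as O4 or O21
    basename: Optional[str]   # lower-cased file name, if the entry names one
    orphaned: bool            # entry points at a file that is gone
    lookalike_of: List[str]   # known names exactly one edit away


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def parse_line(line: str) -> Optional[Finding]:
    """Parse one log line; return None for anything that is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    path = PATH_RE.search(body)
    basename = path.group(0).rsplit("\\", 1)[-1].lower() if path else None
    lookalikes: List[str] = []
    # An exact match is the genuine name; only near misses are reported.
    if basename and basename not in KNOWN_NAMES:
        lookalikes = sorted(n for n in KNOWN_NAMES
                            if edit_distance(basename, n) == 1)
    orphaned = any(marker in body for marker in ORPHAN_MARKERS)
    return Finding(m.group("code"), basename, orphaned, lookalikes)


def analyse(log: str) -> List[Finding]:
    """Parse every entry line in a pasted log, skipping blanks and headers."""
    return [f for f in map(parse_line, log.splitlines()) if f is not None]


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        notes = []
        if f.orphaned:
            notes.append("orphaned entry")
        if f.lookalike_of:
            notes.append("name resembles " + ", ".join(f.lookalike_of))
        print(f.code, f.basename or "-", "|", "; ".join(notes) or "no flags")
```

A flagged name is only a prompt to look at the file's location and properties before deleting anything; the check says nothing about names that are not near the allow-list.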

dlh6213 27 Posting Maven Team Colleague

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.

Download Ewido --
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1

Boot into Safe Mode and do a full system scan with Ewido, allowing it to fix whatever it finds. Post the Ewido log with your next reply.

Reboot normally and post the Silent Runners and Ewido logs please.

dlh6213 27 Posting Maven Team Colleague

You're right about that link, it doesn't work for me either, though I'm not sure why. But it doesn't really matter; you apparently had a different problem anyway.

You can have HJT fix this entry:
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

dlh6213 27 Posting Maven Team Colleague

I don't see anything else in your log.

You might want to try uninstalling and reinstalling your firewall.

And you can try an in-place upgrade (aka repair installation) to possibly resolve the other problem; instructions can be found here:

http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

dlh6213 27 Posting Maven Team Colleague

Looks good to me :)

dlh6213 27 Posting Maven Team Colleague

I've seen this type of behavior from a virus before (one example here -- http://www.daniweb.com/techtalkforums/thread30990.html), so we should try to determine if that is the problem first by scanning with HijackThis and posting the log.

Don't reboot your system until instructed to do so.

dlh6213 27 Posting Maven Team Colleague

I generally recommend having HJT 'fix' all O16 entries simply because it is easier than researching all of them individually and doesn't hurt anything -- any legit entries will come back next time the site is visited. Doing this can sometimes make a big difference in the length of a log as well.

The poker programs often come with a lot of adware (and sometimes spyware), and users usually aren't even aware they are installed on their systems. As long as your mother is aware of the risks, and doesn't mind the ads, there should be no problem.

You may want to do a search here on DaniWeb for comments about Limewire.

Your log looks clean to me now, happy computing :)

dlh6213 27 Posting Maven Team Colleague

I'm not sure how you deleted the poker programs, but there are still traces of them in your log, so please do the following...

Go to Add/Remove Programs in your Control Panel and remove (if present):

PartyPoker
LadbrokesMPP
(or something similar)

Then scan with HijackThis and have it fix:

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
And this one that I overlooked last time --
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Olivia\Start Menu\Programs\IMVU\Run IMVU.lnk

Remember to close any open windows before hitting Fix checked.

Now go to the following locations and delete the highlighted file and folders:

C:\Documents and Settings\Olivia\Start Menu\Programs\IMVU\Run IMVU.lnk

C:\Program Files\PartyPoker
C:\Program Files\ladbrokesMPP

If any of these could not be deleted, try booting into Safe Mode first.

Empty your Recycle Bin, reboot (normally), close any open browser windows, scan with HJT, and post a new log please. And let us know if you're still having the Winfixer problem.

dlh6213 27 Posting Maven Team Colleague

Scan with HijackThis and have it fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 127.0.0.67 search.active-max.com
O1 - Hosts: 127.0.0.0 www.dialup2.com
O1 - Hosts: 127.0.0.80 maxexp.com
O1 - Hosts: 127.0.0.221 www.mp3search.com
O1 - Hosts: 127.0.0.217 www.rub.to
O1 - Hosts: 127.0.0.91 www.spawnet.com
O1 - Hosts: 127.0.0.220 www.mp3search.com
O1 - Hosts: 127.0.0.9 best.omega-search.com
O1 - Hosts: 127.0.0.217 www.omega-search.com
O2 - BHO: DAPBHO Class - {0096CC0A-623C-4829-AD9C-19AF0DC9D8FE} - C:\Program Files\DAP\DAPIEBar.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binar...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binar...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com...ver/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binar...er.cab31267.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) -

dlh6213 27 Posting Maven Team Colleague

Please follow the instructions in post #11 of this thread -- http://www.daniweb.com/techtalkforums/thread28196.html

When you scan with HJT, have it fix the following entries:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: (no name) - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - (no file)
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Warn pile] C:\DOCUME~1\rodney\APPLIC~1\DOESHE~1\MOVE PHONE JOY.exe
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNfox000
O10 - Hijacked Internet access by New.Net
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/M...bridge-c401.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/active...free/asinst.cab

Close any open windows and hit Fix checked.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will take a minute or two to scan your computer but it may appear nothing is happening, please be patient; notepad will then open with a log. Copy the contents of the log …

dlh6213 27 Posting Maven Team Colleague

I only see a few minor things that should be fixed:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {702EA91C-1ACF-4772-8078-18F2B2EE1031} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Just to clean up the log, you could have HJT fix all of the O16 entries, but I don't see anything bad there.

Do you want to have Party Poker on your system?

dlh6213 27 Posting Maven Team Colleague

Hi OmegaStealth, welcome to DaniWeb :D

Before fixing anything with HijackThis, it needs to be in its own permanent folder. You can find help on doing this in the HijackThis link below, along with tips on some other things you can do yourself.

After moving HJT to a safe location, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Hi IdRatherGoHunt, Welcome to DaniWeb :D

You have quite a few things to fix there. Please follow the suggestions and instructions in the links below to begin the cleanup process.

When you finish the last one -- Specific infections -- follow the instructions in post #14 and then post a new log please.

dlh6213 27 Posting Maven Team Colleague

Hi leviathan_49, welcome to DaniWeb :D

First of all, you have HijackThis in two locations (C:\DOCUME~1\CARESS~1\LOCALS~1\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe
C:\Documents and Settings\Caresse Garza\My Documents\download\HijackThis\HijackThis.exe). You should remove the one in the Temp folder so you don't accidentally use it instead of the other one.

Then follow the suggestions and instructions in the links in my signature block below.

If you continue to have problems, try WinsockXPFix.

Run it, and click the Fix button; choose YES when asked if you want to proceed.

If it still doesn't work, try IEFix -- http://windowsxp.mvps.org/IEFIX.htm

Post a new HijackThis log and let us know the current status.

dlh6213 27 Posting Maven Team Colleague

I didn't really do much, but you're welcome. Glad to hear everything is working properly now.

dlh6213 27 Posting Maven Team Colleague

Please follow the recommendations and instructions in the links below and then post a HijackThis log as explained.

dlh6213 27 Posting Maven Team Colleague

Download and run the PurityScan uninstaller:

http://www.purityscan.com/uninstall.html

Go to Add/Remove Programs in your Control Panel and remove (if present):

rdso
SurfSideKick

Scan with HijackThis and have it fix the following entries:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\klpds4.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
If you didn't put this in your Trusted Zone yourself, have HJT fix this O15 entry as well --
O15 - Trusted Zone: http://www.gsp.ro
O20 - AppInit_DLLs: repairs.dll
O20 - Winlogon Notify: RunOnceEx - C:\WINDOWS\system32\fascom.dll

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted files and folders:

C:\WINDOWS\system32\klpds4.exe
C:\WINDOWS\system32\fascom.dll
C:\WINDOWS\system32\iaslan.exe

C:\Program Files\SurfSideKick 3
C:\Program Files\rdso

Do a search for repairs.dll and delete any instances found.

If any of these files cannot be deleted, try booting into Safe Mode first.

Go to C:\WINDOWS\SYSTEM32\W?nSxS and right-click on notepad.exe, go to Properties, and give us whatever info you can on the file (Company, version, etc.)

Empty your Recycle Bin and reboot.

Close any open browser windows, scan with HJT, and post a new log please. Let us know if you're still having problems.

dlh6213 27 Posting Maven Team Colleague

Okay, I can help you with this now :)

First, you need to be sure your system is set to 'Show hidden files and folders.' Open Windows Explorer, go to Tools, and then Folder Options; when the Folder Options window opens, click on the View tab. You should find these entries in the list under Advanced settings:
Select Show hidden files and folders
Deselect (uncheck) Hide protected operating system files.

If you're getting any popup messages, don't click on them, not even the 'X' to close them; either right-click and select Close, or use Task Manager (Ctrl-Alt-Del) and End Task.

Reboot into Safe Mode, scan with HijackThis, and have it fix the following entries:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://dnaads.com/servlet/ajrotator...L?zone=enternet
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliterdj32.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0803] "C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWFX5LP_0001_0803NetInstaller.exe"
O4 - HKLM\..\Run: [System service63] C:\WINDOWS\etb\pokapoka63.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/DownloadAccess/ie/bridge-c9.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123761054546
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.CAB

dlh6213 27 Posting Maven Team Colleague

Hi ninja_pirate, welcome to DaniWeb :D

I don't have time to go through your log at the moment, but this thread should help you get started:
http://www.daniweb.com/techtalkforums/showthread.php?t=30034&highlight=yupsearch

dlh6213 27 Posting Maven Team Colleague

Sorry I missed the stb.exe; I saw it there but forgot to include it I guess.

If qlink32.dll comes back again, follow the instructions in post #6 of this thread:
http://www.daniweb.com/techtalkforums/thread28196.html

If it remains after that, try the removal instructions here:
http://www.symantec.com.br/avcenter/venc/data/adware.linkmaker.html
(Be sure to backup the registry first as recommended.)

dlh6213 27 Posting Maven Team Colleague

Sorry you've been getting overlooked :(

Go to Add/Remove Programs in your Control Panel and remove (if present) SurfSideKick (or something similar).

Reboot into Safe Mode.

Run a full system scan with Ewido, allowing it to fix whatever it finds (note: you will be posting the log from this scan with your next reply).

Still in Safe Mode, scan with HijackThis and have it fix the following entries:

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\WINDOWS\system32\qlink32.dll
O3 - Toolbar: COMMUNICATOR - {4E7BD74F-2B8D-469E-8DBC-A42EB79CB428} - C:\WINDOWS\system32\communicator.dll
O4 - HKLM\..\Run: [SysStart] C:\WINDOWS\system32\rsyszx2d.exe DO0605
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rsyszx2d.exe
O4 - Startup: Zstart.lnk = C:\Documents and Settings\shane\Local Settings\Temp\zxinst12.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/W...e/bridge-c3.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.shopathomeselect.c..._ap1001_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...b?1122254108140
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/active...free/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/i...561/mcfscan.cab
O20 - AppInit_DLLs: repairs.dll

Close any open windows, other than HijackThis, and hit Fix checked.

Delete the C:\Program Files\SurfSideKick 3

dlh6213 27 Posting Maven Team Colleague

I don't know if it will help with your problem, but there are a few things that should be fixed there.

Go to Add/Remove Programs in your Control Panel and remove Viewpoint (or Viewpoint Manager, ViewMgr, or something similar).

Scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us8l.hpwis.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us8l.hpwis.com/
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

Close any open windows, other than HijackThis, and hit Fix checked.

Go to C:\Program Files, and delete the Viewpoint folder.

Empty your Recycle Bin, reboot, close any open browser windows, scan with HJT, and post a new log; let us know if there's any improvement.

Note: I deleted your thread in the other forum because all HijackThis logs are to be posted in this forum.

dlh6213 27 Posting Maven Team Colleague

There has been an update to Spybot that will fix the bug it contains regarding the DSO exploit; make sure you have the latest version of Spybot (1.4) -- you can get it from here:

http://www.download.com/3120-20_4-0.html?qt=spybot&tg=dl-20&search.x=17&search.y=6

dlh6213 27 Posting Maven Team Colleague

What kind of problem are you having?

dlh6213 27 Posting Maven Team Colleague

Please run option #2 of the l2mfix.

Then run the following tools to assist in removing this infection:

WinPFind
Right-click the Zip Folder and select "Extract All"
Extract it somewhere you will remember (like your Desktop)
Don't do anything with it yet!

Track qoo
Again, save it somewhere you will remember, like your Desktop

Reboot into Safe Mode.

Double-click WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient.
Once the scan is complete, go to the WinPFind folder and locate WinPFind.txt;
Place those results in the next post.

Reboot back to Normal Mode.

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in your next post along with the results of WinPFind.

dlh6213 27 Posting Maven Team Colleague

Any O16 entries are safe to fix with HijackThis; the legitimate ones will come back next time the site is visited. I generally prefer to have HJT fix all of these just to clean up the log :)

Go to Add/Remove Programs in your Control Panel and remove:

Viewpoint (or Viewpoint Manager, ViewMgr.exe or something similar)

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie...//www.yahoo.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {00C0A1F2-D492-4DBA-A8E2-76CB1B791724} (TNPLDownloader Control) - https://dtwx2.accuweather.com/tnpl_...LDownloader.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...467&clcid=0x409
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1096081851429
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab

Close any open windows, other than HijackThis, and hit Fix checked.

Go to C:\Program Files and delete the Viewpoint folder.

Empty …

dlh6213 27 Posting Maven Team Colleague

Hi Quezl, welcome back :D

Please follow these instructions to remove root.exe:

http://securityresponse.symantec.com/avcenter/venc/data/codered.removal.tool.html

http://securityresponse.symantec.com/avcenter/venc/data/w32.gruel@mm.html

And here for wpa.exe:

http://securityresponse.symantec.com/avcenter/venc/data/w32.esbot.b.html

FireDaemon.EXE is a legitimate program that allows you to run any program as a service. If you didn't install it yourself, it's possible that somebody with malicious intentions installed it to take control of your PC (or to spy on you).

Follow the recommendations and instructions in the links below to help protect your PC (Windows Update), clean your system up a bit, and give you some info on HijackThis.

When you've finished all that, close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Glad you got it figured out, and thanks for letting us know what the problem was, it may help someone else out :)

dlh6213 27 Posting Maven Team Colleague

Personally, I wouldn't consider that a 'newbie' type question.

This may help you some:
http://dept-info.labri.u-bordeaux.fr/~strandh/Teaching/AMP/Common/Strandh-Tutorial/Dir.html

And here is a list of some other sites:
http://www.intelligentedu.com/newly_researched_free_training/Hardware.html

dlh6213 27 Posting Maven Team Colleague

Let's see if I can clarify this...

A controller is a device (hardware), that controls the transfer of data from the computer to another device (printer, monitor, etc.). A controller does not translate information.

A driver is a program (software), and translates information between hardware (devices) and software (programs). A driver does not control the transfer of data.

Since a controller is a device, it requires drivers, just like any other hardware, to translate between it and the program that uses it.

Does that help or just muddy it up some more? :)

dlh6213 27 Posting Maven Team Colleague

This could be caused by overheating; have you checked inside for dust lately? And checked to see if the fans are operating properly? Be sure to guard against damage via static electricity when working inside the case!

Another possibility is bad RAM; have you added any RAM recently? If so, it may be incompatible. If you haven't, there is a possibility your RAM has gone bad.

dlh6213 27 Posting Maven Team Colleague

Reinstalling XP that often shouldn't really be necessary.

To reactivate, you should just need to call Microsoft.

Here's a site with some good info:
http://www.pcbuyerbeware.co.uk/ProductActivation.htm

dlh6213 27 Posting Maven Team Colleague

Hi Missinglink, welcome to DaniWeb :D

I'd suggest trying it again, but read this thread first:
http://www.daniweb.com/techtalkforums/thread6632.html

dlh6213 27 Posting Maven Team Colleague

Hi Picasso, welcome to DaniWeb :D

Sorry for the delay in responding to this; if you're still having problems, please follow the suggestions in the links below and then post a new HijackThis log.

dlh6213 27 Posting Maven Team Colleague

Can you still give people good rep? I would like to do so with the both of you if possible :) Let me know how if we can.

Just click on the little 'scales' symbol next to the post number.

dlh6213 27 Posting Maven Team Colleague

Multiple instances of scvhost.exe running is normal and does not indicate a problem :)

dlh6213 27 Posting Maven Team Colleague

Well, Aurora has managed to get back into your system :(

Before cleaning that up again, please download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double-click l2mfix.bat and select option #1 for 'Run Find Log' by typing 1, and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or two, notepad will open with a log. Copy the contents of that log and paste it into this thread with your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

Now go to post #5 in this thread again to remove Aurora:
http://www.daniweb.com/techtalkforums/thread28196.html

When you've finished, please post a new HJT log, the new Ewido log, and the L2MFix log.

dlh6213 27 Posting Maven Team Colleague

You're welcome :)

dlh6213 27 Posting Maven Team Colleague

Please download Kill2Me -- http://www.majorgeeks.com/downloadget.php?id=4166&file=9&evp=e994cf5e9abe6c93b47c01f2922c271f

Run it to remove Look2Me from your computer.

Download WinPFind -- http://www.bleepingcomputer.com/files/winpfind.php

Right-click the Zip Folder, Select Extract All, and Extract the file to a convenient location, such as your Desktop, but don't do anything with it yet!

Reboot into Safe Mode.

Now, double-click WinPFind.exe

Click Start Scan; it will scan your entire system, so please be patient.

Once the Scan is complete, go to the WinPFind folder, and locate WinPFind.txt; copy and paste the results in your next post.

Scan with Ewido again, and post the results with your next reply.

Reboot (normal mode).

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...8464&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...8464&id=1.20030
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O2 - BHO: Band Class - {00027925-0017-4faf-9539-90E4AC0B9EC5} - C:\WINDOWS\ttext.dll
O2 - BHO: SDWin32 Class - {25BC5023-012B-4883-B5CB-523A8409C73A} - C:\WINDOWS\System32\llqrl.dll
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\ylthpdta.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\System32\nsj19.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: …

dlh6213 27 Posting Maven Team Colleague

Post a new HJT log :)

dlh6213 27 Posting Maven Team Colleague

Follow the 'Cleanup' procedures in the second link below (including CCleaner) and that should do it. Are you still having any problems?

dlh6213 27 Posting Maven Team Colleague

Sorry, I missed a step. Open Windows Explorer, go to Tools, and then Folder Options; when the Folder Options window opens, click on the View tab. You should find these entries in the list under Advanced settings. Select Show hidden files and folders, and deselect (uncheck) Hide protected operating system files.

For any of the popup messages you're getting, don't click on any of them, not even to close them; either right-click and select Close, or use Task Manager (Ctrl-Alt-Del) and End Task.

Post a new HJT log with your next reply (after you've fixed/deleted the bad entries).

dlh6213 27 Posting Maven Team Colleague

Hi Robin, welcome to DaniWeb :D

Are you using Outlook or Outlook Express?

What browser are you using? If it's IE, see if any of the suggestions here work:
http://www.outlooknewsgroups.net/group/microsoft.public.outlook/topic1261.aspx

If it's Firefox, try this:
http://www.slipstick.com/problems/firefox.htm