spybot
Relztrah
11-20-2003, 11:14 AM
One of the machines at work is obviously infected with spyware. I have read good reports of spybot here. Where do I download (or purchase) it? I already downloaded endpopups and will install it...when I finish running a virus check.
Thanks,
Relztrah
jeeza
11-20-2003, 11:20 AM
You can download it from http://security.kolla.de .
There are links in it to other download sites.
I would suggest to keep in mind that Spybot S&D does not detect absolutely everything, and to combine its use with Ad-aware, which is able to detect other kinds of nuisances.
PrntRhd
11-20-2003, 11:23 AM
You can download it from PepiMK software or mjc's AV link. Free for personal use, license for business.
Here is link also to download.com for S&D download:
http://download.com.com/3000-2144-10194058.html?tag=lst-0-1
Also there is a nice little quick start tutorial here (http://mjc1.com/mirror/spybot/)
Relztrah
11-28-2003, 02:23 PM
As suggested I downloaded and installed Spybot S&D. When I went to use it I got the error message: Error Starting Program. A required DLL file, WS2_32.DLL was not found. Is this a Windows file or something I can download elsewhere? Should I download it again and attempt to re-install Spybot S&D?
Also, should I disable Norton AntiVirus Auto Protect while running Spybot? Thanks for your help. BTW, endpopups helps some, but I'm still getting them. At least I open to my home page rather than something else.
Relztrah
shanmuga
11-28-2003, 03:03 PM
"The reason (Error message: WS2_32.DLL is missing) is that you need the Winsock update for Windows 95. That one is available from Microsoft".
You'll need to get the Winsock update using the link provided then Spybot should work.
Download winsock update from Microsoft (http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95Sockets2/Default.asp).
No need to disable NAV.
Budfred
11-28-2003, 06:24 PM
I don't use a popup stopper at all, I just use Netscape 7.2 which allows popup blocking as part of the browser and it is smart about it. If I click on something to open a popup, it will, but I don't get any of the intrusive popups at all...
If you are running Win2K or WinXP and getting popups, they may be Messenger popups and you may need to disable Messenger to get rid of them. It is a useless "feature" of Windoze anyway...
PrntRhd
11-28-2003, 07:31 PM
If you are on Win NT, 2000 or XP you can kill Messenger easily by downloading and executing "Kill the Messenger" here:
http://grc.com/freepopular.htm
Relztrah
12-05-2003, 03:21 PM
FYI the OS is Win 95 with IE 5.5
After downloading Winsock update successfully and running Spybot S&D successfully I still have very strange things going on.
1) Something is changing my home page to FindFast...whatever that is. I change it back to Yahoo and next time I open IE my home page has changed again.
2) I get a message box on bootup prompting me to install Free Scratch Cards...whatever that is. Nothing in the startup folder that looks suspicious. Where else should I look? Win.ini? I'm not even sure what I'm looking for.
3) I tried to delete some n-CASE crap (whatever n-CASE is) using the Add/Remove feature in Control Panel and when I do I am told that to uninstall it I need to be online which I don't like because I suspect that that is how some clown who was using this machine got the spyware in the first place.
Any suggestions? I am tempted to reformat the hard drive and be rid of this headache, but there is some custom software on this machine that we still use which I don't know how to re-install.
Thanks,
Relztrah
Please download and run HijackThis (http://mjc1.com/mirror/hjt/ ) and post the log.
You have some known gackware on the machine. n-case in particular is difficult to remove without some serious registry editing (HJT will make it relatively painless, because it saves you from the manual edits)...and yes it does need to be online for the uninstaller to work, and yes it gives all sorts of dire warnings about how you are giving up sliced bread and heading back to the stone age if you do uninstall it, but it will eventually work and uninstall.
Relztrah
12-10-2003, 12:40 PM
Read it and weep...
Thanks,
Relztrah
Logfile of HijackThis v1.97.7
Scan saved at 11:37:05 AM, on 12/10/2003
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NCASE\MSBB.EXE
C:\WINDOWS\EUYN.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\TEMP\HIJACK\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=99
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vipfares.com/?aid=start3&lid=180sol
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
F1 - win.ini: run=fntldr.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.5.DLL
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner1209.exe /S
O4 - HKLM\..\Run: [iuhbmewv] C:\WINDOWS\SYSTEM\iuhbmewv.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [Soundmx] C:\WINDOWS\SYSTEM\soundmx.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [EUYN] C:\WINDOWS\EUYN.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2171b66bc1703f161b02/netzip/RdxIE601.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://download.online-dialer.com/MaConnect.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
Steve
12-10-2003, 01:43 PM
Relztrah,
I'm no expert but I'd say you have a CoolWebSearch infection. You can run the CWShredder (http://www.merijn.org/files/cwshredder.zip) to clear this up.
After you run the shredder, have HJT fix any of the following that remain.
C:\PROGRAM FILES\NCASE\MSBB.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.websearch.com/ie.aspx?tb_id=99
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.vipfares.com/?aid=start3&lid=180sol
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
F1 - win.ini: run=fntldr.exe
O1 - Hosts: 1089288654 auto.search.msn.com
O2 - BHO: (no name) - {00000273-8230-4DD4-BE4F-6889D1E74167} - (no file)
O2 - BHO: (no name) - {6F8ADBE2-8C92-4362-B0E6-7321AA49EE46} - (no file)
O2 - BHO: (no name) - {63B78BC1-A711-4D46-AD2F-C581AC420D41} - C:\WINDOWS\SYSTEM\BTIEIN.DLL
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL
O4 - HKLM\..\Run: [SUSP] C:\WINDOWS\SUSP.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O16 - DPF: {ED3ADB6E-5AA9-41B0-9DDC-6F31A34552BE} - http://www.free-scratch-cards.com/install.exe
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v3.0/0006.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} (Loader Class) - http://download.online-dialer.com/MaConnect.cab
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install011.exe
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
And post a follow-up log... there may be pieces left after all of that is removed.
Relztrah
12-12-2003, 04:52 PM
The recent HJT log follows. How do I use HJT to get rid of:
C:\PROGRAM FILES\NCASE\MSBB.EXE
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)
I was able to delete all other lines recommended from previous post. Also, I'm still getting that stupid Scratch Cards crap. Is there something in the log that I still need to delete?
Thanks a bunch for your help, folks. Keep it up and I'll be forced to send another donation to the tip jar. Here's the log:
Logfile of HijackThis v1.97.7
Scan saved at 3:53:05 PM, on 12/12/2003
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\EUYN.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\TEMP\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.5.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner1209.exe /S
O4 - HKLM\..\Run: [iuhbmewv] C:\WINDOWS\SYSTEM\iuhbmewv.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [EUYN] C:\WINDOWS\EUYN.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2171b66bc1703f161b02/netzip/RdxIE601.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
david eaton
12-12-2003, 06:28 PM
Have Hijack This fix all of the following by placing a check in the appropriate boxes and hitting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=99
O4 - HKLM\..\Run: [VBouncerDL] C:\Program Files\VBouncer\VBouncerInner1209.exe /S
O4 - HKLM\..\Run: [iuhbmewv] C:\WINDOWS\SYSTEM\iuhbmewv.exe
O4 - HKLM\..\Run: [EUYN] C:\WINDOWS\EUYN.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2171b66bc1703f...ip/RdxIE601.cab
Reboot, and delete
C:\Program Files\VBouncer\ << folder
C:\WINDOWS\SYSTEM\iuhbmewv.exe << file
C:\WINDOWS\EUYN.exe << file
Reboot again, and if those items reappear in the log, repeat the process in safe mode.
Budfred
12-12-2003, 07:52 PM
I found this info on Vbouncer:
"VbouncerDL
VBouncerInnerxxxx.exe
Virtual Bouncer - malware from Spyware Labs. It is distributed by the same bundling and drive-by download techniques as the parasites it claims to remove, so definitely qualifies as unsolicited commercial software in itself. It also has an update feature that can download and execute arbitrary code. Warning - choose "custom" uninstall as "automatic" may remove other programs - see here and here. "xxxx" represents 4 random numbers"...
It may be worthwhile to see if you can remove it in Add/Remove Software or if it actually has an uninstall file, but make sure you do the manual uninstall the note suggests...
Relztrah
12-15-2003, 02:32 PM
Following the above I see a dramatic improvement in performance and apparently I got rid of the crap. Here's today's log. Anything suspicious looking here?
Logfile of HijackThis v1.97.7
Scan saved at 1:26:59 PM, on 12/15/2003
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NCASE\MSBB.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\TEMP\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.5.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [NAV DefAlert] C:\PROGRA~1\NORTON~1\DEFALERT.EXE
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [SSVPQTN] C:\WINDOWS\SSVPQTN.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D9EC0A76-03BF-11D4-A509-0090270F86E3} - http://download.spywarelabs.com/install/1203030306/VBouncerOuter1203.EXE
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activexinstallers/Installer/nCaseInstaller.cab
david eaton
12-15-2003, 02:51 PM
Much better!!!
Just one item remains:
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
Fix that one in Hijack this.
Apart from that, clean log.
Good job of cleanup
shanmuga
12-15-2003, 03:40 PM
C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
I would say that you have still not got rid of ncase. Though there is an uninstaller which you can access from Add/Remove Programs, it seems that it's an eyewash.
I suggest that you download Adaware (http://www.lavasoft.de/), fix whatever it identifies as malware. If it does not remove ncase, post back for manual removal instructions.
Budfred
12-15-2003, 11:00 PM
There are a couple of people who insist that these:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
are bad too, but I asked for clarification and never got any... I would hold off on doing anything with them unless someone else has info to indicate they are bad....
rd.yahoo is fine
red.client.apps is Red Sheriff... the ultimate in tracking "cookies".
Relztrah
01-12-2004, 07:02 PM
I downloaded the Google toolbar with popup blocker which seems to help some. I'm still getting a few strange things, and Spybot found all kinds of crap which I fixed. Here's today's log from HJT. Anything else I can fix?
Thanks,
Relztrah
Logfile of HijackThis v1.97.7
Scan saved at 5:55:43 PM, on 01/12/2004
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\MSBB.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\TEMP\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.faithtechcenter.pitt.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.5.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SSVPQTN] C:\WINDOWS\SSVPQTN.exe
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\RunServices: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\RunServices: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Budfred
01-12-2004, 09:26 PM
These are definitely bad and can be fixed by HJT:
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
This one looks like a random file name which is usually malware. If you don't recognize it, please find the file and check Properties to see what it says. If you still don't recognize it, please rename it with a BAK extension so that it won't run. We will probably want you to send it in to be analyzed...
O4 - HKLM\..\Run: [SSVPQTN] C:\WINDOWS\SSVPQTN.exe
This could be a bad version of this and is considered to be User's Choice in terms of whether it needs to be running. You could fix it and restore it later if there is a problem:
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
When you finish these fixes, please reboot into Safe Mode and find this and delete it:
C:\WINDOWS\MSBB.EXE
Once you are done, reboot again, run HJT alone, open your browser and come back here to post the new log. Also, let us know what you find out about SSVPQTN....
shanmuga
01-13-2004, 12:58 AM
Originally suggested by shanmuga on 16.12.2003:
C:\PROGRAM FILES\NCASE\MSBB.EXE
O4 - HKLM\..\Run: [msbb] C:\PROGRAM FILES\NCASE\MSBB.EXE
O16 - DPF: {6EB5B540-1E74-4D91-A7F0-5B758D333702} (nCaseInstaller Class) - http://bis.180solutions.com/activex...seInstaller.cab
I would say that you have still not got rid of ncase. Though there is an uninstaller which you can access from Add/Remove Programs, it seems that it's an eyewash.
I suggest that you download Adaware, fix whatever it identifies as malware. If it does not remove ncase, post back for manual removal instructions.
O4 - HKLM\..\Run: [msbb] C:\WINDOWS\MSBB.EXE
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
are all indications of ncase adware.
"The ncase adware generates logs of your surfing activity, including web pages you have visited and the order in which you visited these pages.
These logs are then uploaded to 180Solutions' secure servers. It will cause pop-up advertisements or can add shortcuts to the desktop or startup or both. It can update itself. Whenever Windows starts, because of being at startup, it calls itself and runs on the backend causing pop-ups."
stcloader is detected by NAV; have you updated your definitions?
My earlier suggestion is still valid. Update and run NAV. If any malware is turned up, note down the name, then quarantine and cure the malware. Download, install, update and run Ad-aware from http://www.lavasoftusa.com/ and note down the names of any problems it turns up. Then quarantine and cure the malware. Download, install, update, restart, and run Spybot S&D from http://security.kolla.de. Note down the names of any problems it turns up. Then quarantine and cure the malware.
Post a fresh HijackThis log.
Links:
http://securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html
http://www.pchell.com/support/ncase.shtml For manual removal
http://www.doxdesk.com/parasite/nCase.html
Relztrah
01-16-2004, 09:38 AM
Unfortunately this old jalopy is running Win 95 and there is no version of Adaware for Win 95. I was able to delete a couple of lines using HJT but did not find the MSBB.EXE file. There is a MSBBI.EXE file, but I was reluctant to delete it, not knowing what it is. Here's today's log:
Logfile of HijackThis v1.97.7
Scan saved at 8:35:34 AM, on 01/16/2004
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LEXPPS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\TEMP\HIJACK\HIJACKTHIS.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.syspage.com/ads/homepagesai.php?id=start1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/ymsgr/defaults/sb/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/ymsgr/defaults/*http://my.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\PROGRAM FILES\POPUP MANAGER\POPUPMGR_1.0.1.5.DLL
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINDOWS\SYSTEM\QTTASK.EXE
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [SSVPQTN] C:\WINDOWS\SSVPQTN.exe
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MSMSGS] C:\Program Files\Messenger\msmsgs.exe /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: AOL Instant Messenger (SM) (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Steve
01-16-2004, 01:36 PM
Hi Relztrah,
You're looking pretty good. I'd have HJT fix the following...
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\SYSTEM\EXPLORER.EXE
O4 - HKLM\..\Run: [SSVPQTN] C:\WINDOWS\SSVPQTN.exe
I can't find any info on this one. If you don't know what it is, I would have HJT fix it. If there is a problem, you can fix it with the HJT backups.
There might be some other things. Others will follow...
jeeza
01-16-2004, 02:00 PM
Originally posted by shanmuga
No need to disable NAV.
But I suppose NAV should be/have been disabled for the Spybot S&D setup process, shouldn't it?
I hope you don't mind me asking this here and now, although it could be asked for any app.
Normally an installation process asks for closing any active windows application, but I am not really sure about an anti-virus.
shanmuga
01-16-2004, 02:50 PM
jeeza :)
Originally posted by Relztrah on 28.11.2003:
Also, should I disable Norton AntiVirus Auto Protect while running Spybot?
Originally posted by shanmuga on 29.11.2003:
No need to disable NAV.
I don't mind you asking here, but the mods might in some other forums for being off-topic, but not here. Also the original poster should not feel that his post is getting hijacked :).
I personally don't close the AV application unless I am particularly asked to by the program I am installing. It generally happens when I install an application which writes to the MBR, like some of the 3rd party system restore software I tried. Though it's highly recommended, I seldom close even other non-AV applications when installing a new program and I can't recall having a problem because of that. Guess I was just lucky. :)
Budfred
01-16-2004, 09:05 PM
If you have figured out what this is, please tell us. If you haven't, please find it and Right click to look in Properties and tell us what it says. If it is not something you clearly recognize, it would be a good idea to find it and rename it with a BAK extension so it won't be active. Let us know and I will post a link to send it to in order to figure out what if it is bad....
O4 - HKLM\..\Run: [SSVPQTN] C:\WINDOWS\SSVPQTN.exe