Webpages blocked


J McRae
07-04-2004, 06:14 PM
Thanks for taking a look at this.
A few years ago, my husband purchased an HP Pavilion; Win XP; Celeron 1200 MH; Mem 128 MB. No software with the sale;

A few months ago he started having problems and I recommended AdAware in addition to his Symantec. AdAware seemed to do the trick...for a while.

When I took a look at his computer today...I tried to (1) update Microsoft - denied access (now only administrator) when I managed to get to the Microsoft XP help page, I followed the directions to delete iuctl.dll and iuengine.dll, but that didn't help; (2) tried to update AdAware (nothing new to download...crock- I downloaded a new one on my machine just this morning); (3) tried to run Symantec - no go... message to uninstall and reinstall; (4) update SpyBot (nothing new) found nothing; (5)(attempted to access Hijack This two or three times with no success- no download just booted me out); (6) attempted to access CW Shredder (nothing - booted me out); (7) tried to boot into safemode but the only program to select to start was "Microsoft Windows Whistler Personal" so I just re-booted. He can't access his MSN 6 email and windows flash on and off again too quick to read what they say ALL THE TIME.

It's like a tennis volley - the opponent is on the other side of the net just batting back all my attempts to access recovery sites.

So - since I can't access HJT, what is your best recommendation?

Happy 4th!

Judi

Budfred
07-04-2004, 06:28 PM
Try to download and install the newest version of Spybot 1.3... If you are unable to do that, you probably have HackerDefender and it is extremely nasty... If that seems to be the case, try this... Download the latest version of HJT on a different computer and rename it to something like "howdy.exe" and put it on a floppy... Boot the infected computer to Safe Mode and run the program on the floppy, copying the log to the floppy... Go to the good computer and post the log here so we can confirm if it is HackerDefender... It is possible that it is cleanable, but it may not be possible to ever verify that it is truly clean... If it is HackerDefender, you need to change all password and any other confidential information on that computer... If there is credit card or other financial information, you need to contact the companies in question...

J McRae
07-04-2004, 06:46 PM
Thanks Budfred. But what about the "Microsoft Windows Whistler Personal" in Safe Mode? Does that sound legitimate? I was expecting to see Windows XP or some other familiar Windows program... but Whistler Personal?

I will proceed to do as you suggested with a floppy and will post back.

Thanks again!

Judi

Budfred
07-04-2004, 07:09 PM
I have not heard of that before, but it may just be a sign of the hijacker boasting that he/she has taken over your system....

Donn
07-04-2004, 09:03 PM
"Microsoft Windows Whistler Personal":

http://www.google.com/custom?sa=Search&domains=www.PCGuide.com&q=Microsoft+Windows+Whistler+Personal&sitesearch=&client=pub-7336295634598623&forid=1&channel=4794982004&ie=ISO-8859-1&oe=ISO-8859-1&cof=GALT%3A%23008000%3BGL%3A1%3BDIV%3A%23336699%3BVLC%3A663399%3BAH%3Acenter%3BBGC%3AFFFFFF%3BLBGC%3AFFFFFF%3BALC%3A000000%3BLC%3A000000%3BT%3A0000FF%3BGFNT%3A0000FF%3BGIMP%3A0000FF%3BLH%3A50%3BLW%3A140%3BL%3Ahttp%3A%2F%2Fwww.pcguide.com%2Flogo.gif%3BS%3Ahttp%3A%2F%2Fwww.pcguide.com%2F%3BFORID%3A1%3B&hl=en


or just put it in google like that

J McRae
07-04-2004, 09:05 PM
I reinstalled AdAware, downloaded an update, ran a scan - nothing was found!

I tried two times to download SpyBot 1.3 and finally got it to download and install. I copied the log if you need it.

I copied Hijack This onto a floppy and ran it on his computer. I COULD NOT RUN IT IN SAFE MODE!!! When I booted into Safe Mode, my only option was "Microsoft Windows Whistler Personal", which just booted to normal Windows XP.

So his log is:

Logfile of HijackThis v1.97.7
Scan saved at 7:48:57 PM, on 7/4/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\xl.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlhhlde.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://all-find.net/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9476E1F-786D-4F12-902E-4F636086CCAC} - C:\WINDOWS\System32\mlhhlde.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [rundll32] C:\rundll32.exe
O4 - Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O4 - Global Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - [url]http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab[/url]
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - [url]http://download.microsoft.com/download/0/5/c/05c905f4-dd30-427d-a3de-373c3e5552fc/msSecAdv.cab?1083808721250[/url]
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - [url]http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab[/url]
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - [url]http://images.myfamily.net/isfiles/downloads/MrSIDI.cab[/url]
O16 - DPF: {A8658086-E6AC-4957-BC8E-7D54A7E8A78E} (SassCln Object) - [url]http://www.microsoft.com/security/controls/SassCln.CAB[/url]
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - [url]http://www.idownload.com/download/queue/PBP-9687-2941-1606-6658/setup.exe[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - [url]http://www.contentwatch.com/audit/includes/ContentAuditControl.cab[/url]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [url]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/url]

Thanks ever-so for giving up the fireworks for this!

Judi

J McRae
07-04-2004, 09:46 PM
OH! Thanks Donn. That's some mighty reading... Looks like Whistler Personal was a precursor to XP... don't know why it won't let me boot to safe mode though. Maybe I can find something current about it.

Shouldn't be harmful though, should it? NAH!

Thanks for the look-see.

Judi

Budfred
07-04-2004, 10:50 PM
Okay, I am understanding part of the picture now... When you said: "No software with the sale" you meant no disks... So the computer has a beta of WinXP on it and you don't have any way to restore it if it is fried... That also explains why it isn't updated... This may make it very difficult, especially if you have Hacker Defender...

I am a little unclear about how you got the HJT log... Did you run it in Normal mode from the floppy and did you have to rename it?? You are using the old version of HJT and we need the new one in order to see if you have a particular infection that I suspect is there... If you were able to download and install Spybot, it means that you probably don't have HackerDefender, but you probably do have a bad CWS infection... You also have a few other things, but get a new log before we deal with those...

Download and install the latest version of HJT... It is 1.98 and you are running 1.97.7.... If you changed the name and installed from a floppy before, just leave the name as is and install it again... However, if you put it in the C:\ directory, it will put backups all over there, so create a new folder like: C:\HJT and put it in there.... Post the fresh log when you get it and make sure you run it with all windows and browsers closed....

J McRae
07-05-2004, 09:08 AM
Good morning Budfred: I am having trouble locating the latest version of HJT... 1.98

When I go to the link and try to download from the "button" the page will not display. When I go to the other sites, the version is 1.97.7.

Can you tell me how to make the page display? Or another site?

Thanks.

j

Budfred
07-05-2004, 11:08 AM
Okay, not all the sites have updated to the latest version yet... Try here:

http://subratam.org/?page=removal

Also, is what I posted correct about your WinXP?? If so, I suggest you look into buying a copy of Windoze....

J McRae
07-05-2004, 11:30 AM
I think so Budfred. After the few quick perusals of the Google sites from Donn, that's my best guess - that my husband's machine was used as a "beta" tester. He bought it on e-bay, so we have no way of backtracking at this late date.

The machine I use is a ME 4 edition. I know everyone hates that version of Windows but, so far, I haven't had any problems... that I know of.

If I can't solve the problem with his computer, we have discussed purchasing a copy of XP. I was wondering if I could have you, or someone else there walk me through the formatting of the hard drive and loading of XP? I have never done anything like that before. (I really need to have my user status pushed back to "pre-newbie-geek-wannabe"!)

Also, today, my husband is contacting our credit card companies and bank to see what they recommend. We will also be ordering a credit report. Thanks for that. I am really spooked.

I just signed on at SWI forums to see if I could find out what my problem is with not being able to "display the page" when I click on the link. Haven't had a chance to post anything yet.

I know this is a little down the post, but for any of you just reading along...take it from me - NICER FOLKS CAN'T BE FOUND!

I'll try your link now.

I'm home all day today (holiday!!!) - I'll be back. Thanks again.
Judi

J McRae
07-05-2004, 12:04 PM
It worked!
I downloaded the HJT to my C drive and renamed it to Howdy; I copied it to a floppy; managed this time to boot to Safe Mode and copied Howdy to C:\HJT; scanned and this is the log:

Logfile of HijackThis v1.98.0
Scan saved at 10:56:45 AM, on 7/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\howdy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://in.webcounter.cc/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?bzbjr about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\mlhhlde.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?bzbjr about:blank (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?bzbjr (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?bzbjr (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://all-find.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://all-find.net/sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=fntldr.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9476E1F-786D-4F12-902E-4F636086CCAC} - C:\WINDOWS\System32\mlhhlde.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [rundll32] C:\rundll32.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O4 - Global Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - [url]http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab[/url]
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - [url]http://images.myfamily.net/isfiles/downloads/MrSIDI.cab[/url]
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - [url]http://www.idownload.com/download/queue/PBP-9687-2941-1606-6658/setup.exe[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - [url]http://www.contentwatch.com/audit/includes/ContentAuditControl.cab[/url]
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

Can I offer you a sandwich while you're working? Silly me. I'm giddy with glee! Thanks so much for taking me to this point!

Judi

Budfred
07-05-2004, 03:31 PM
Okay, you have a nasty CWS infection... good news is that it doesn't seem to be HackerDefender... Please download CWShredder and run it... Close all open windows and browsers when you run it and choose FIX.... Then run HJT again and see if those R1 and R0 items are gone... If they are not, boot to Safe Mode and run CWShredder from there... Then reboot run HJT and post a fresh log... You should be able to run HJT in Normal mode if this works...

We can certainly walk you through a format and reinstall if needed... If we can get this cleaned up, you may simply be able to upgrade, but a clean install is better...

I am not sure what you are planning to ask at SWI, but I am a Mod for the school there, so I may well be able to answer your question without having to start another thread for it... There is a good chance that the problem is due to the infections and that it will resolve when we get those cleaned up...

J McRae
07-05-2004, 06:20 PM
OK! I'll get right on it.

Thanks again.

j

J McRae
07-05-2004, 07:18 PM
I managed to download CWShredder using the "subratam" link you gave me earlier...msn won't let me log in and explorer kept hanging.

After I downloaded CWShredder, I closed all windows and browsers, ran it and chose "Fix" (I didn't save any log though - it did find stuff). I then ran HJT but the R1 and R0 items were still there.

I booted into safe mode, ran the shredder there... nothing found - completely clean...

I restarted, ran HJT and this is the log:

Logfile of HijackThis v1.98.0
Scan saved at 6:07:44 PM, on 7/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\xl.exe
C:\windows\system\hpsysdrv.exe
C:\Windows\system32\HpSrvUI.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\S3apphk.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
C:\HJT\howdy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://all-find.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://all-find.net/sp.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E9476E1F-786D-4F12-902E-4F636086CCAC} - C:\WINDOWS\System32\mlhhlde.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O4 - Global Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - [url]http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab[/url]
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - [url]http://images.myfamily.net/isfiles/downloads/MrSIDI.cab[/url]
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - [url]http://www.idownload.com/download/queue/PBP-9687-2941-1606-6658/setup.exe[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - [url]http://www.contentwatch.com/audit/includes/ContentAuditControl.cab[/url]

Thanks for your time.

Judi

Budfred
07-05-2004, 07:49 PM
Looks like we are almost there... Close all open browsers and windows, open HJT and mark/fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://all-find.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://all-find.net/sp.html
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {E9476E1F-786D-4F12-902E-4F636086CCAC} - C:\WINDOWS\System32\mlhhlde.dll (file missing)

Then run a full set of security scan... Spybot, AdAware and an online virus scan... Reboot at each step, then reboot and post a fresh log with details about how things are working now...

J McRae
07-05-2004, 10:46 PM
I don't know how you do it, hour after hour, day after day, for geek after geek...
Did as you said - marked and fixed the four files...spy bot reported no immediate threats; adaware found 4 - quarantined; but I couldn't run a virus scan...still can't log on MSN and explorer gives me a window that spy bot detects I'm trying to install double click to I want to block - yes or no. At this point I feel like I'm damned if I do...damned if I don't.

For grins, I booted into safe mode again and ran HJT... one of the files I marked "fixed" was back! So I "fixed" it again and ran Spy Bot which found DSO exploit... The disk I copied "Howdy" onto now is reading "Howdy" Hijack This Sopeperman Enterprises, Inc.

But here's the log:

Logfile of HijackThis v1.98.0
Scan saved at 9:25:57 PM, on 7/5/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
A:\fool\joof.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://msn.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [hp Silent Service] C:\Windows\system32\HpSrvUI.exe
O4 - HKLM\..\Run: [hpScannerFirstBoot] c:\hp\drivers\scanners\scannerfb.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3apphk] S3apphk.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe "Owner"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
O4 - Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O4 - Global Startup: NetTurbo.lnk = C:\Program Files\SharewareOnline.com\NetTurbo\NetTurbo.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - [url]http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe[/url]
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - [url]http://content.ancestry.com/asfiles/files/install/MFImgVwr.cab[/url]
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - [url]http://images.myfamily.net/isfiles/downloads/MrSIDI.cab[/url]
O16 - DPF: {B91AEDBE-93DF-4017-8BB3-F1C300C0EC51} (InstallShield Setup Player 2K2) - [url]http://www.idownload.com/download/queue/PBP-9687-2941-1606-6658/setup.exe[/url]
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - [url]http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab[/url]
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - [url]http://www.contentwatch.com/audit/includes/ContentAuditControl.cab[/url]

Sweet dreams!

Judi

Budfred
07-05-2004, 11:17 PM
Okay, now I am getting confused...

What item came back that you fixed again??? Without knowing what that is, I am operating in the dark...

I suspect that part of the problem is that you are running a beta of Windows that is full of security holes...

Try this, download the trial version of Trojan Hunter and run it... If you can't download it from this computer, you may have to burn it to a CD or use a flash drive to move it since I think it is too big for a floppy...

http://www.misec.net/

Please provide as much detail as possible about what is going on... Imagine that I am a complete novice and you need to explain it to me... remember that you are my eyes to your problem....

J McRae
07-05-2004, 11:54 PM
Sorry -
When I booted into safe mode, I ran HJT again. One of the files I marked "fixed" (O2 - BHO: (no name) - {E9476E1F-786D-4F12-902E-4F636086CCAC} - C:\WINDOWS\System32\mlhhlde.dll (file missing))
was back! The other three weren't. I checked it again and "fixed" it again and, while I was still in safe mode, I ran Spy Bot again, which found "DSO exploit" (whereas, before, while I was in regular mode, Spy Bot said there were "no immediate threats").

And I did reboot at each step as you instructed. Then I got a Windows Installer window that popped back up three or four times... that never happened before... no programs were identified on the installer except for the last - Microsoft Money 2000 - I think.

MSN will connect but won't let me log on. When I go to explorer, I get a "3explorer" button on the taskbar.

That's about all I can remember.

Tomorrow I will burn the Trojan Hunter on a cd and see if I can run it on his computer.

I love a good fight, but tell me please when it's time to give up and move on.

Thanks. Judi

Budfred
07-06-2004, 03:28 AM
When it is time to give up and move on is up to you... You have a version of WinXP that probably can't be updated with the latest patches which means it will always be extremely vulnerable to infections of all kinds, even with good security... If I had that, I would get an OEM copy of Windows, wipe the drive and install clean... If I had important files on the drive, I would back those up first of course, but then scan them thoroughly before using them on any other system... I would also only back up document files since executables are more likely to be malware... If that is what you ultimately decide to do, I would say to give up tracking down the villains and order a new copy of Windows... If you want WinXP, check here for options:

http://www.newegg.com/app/manufact.asp?catalog=368&DEPA=6

If it were me and I wanted WinXP, I would go with the $90 WinXP HOME OEM version... you have to buy some hardware, but that can be quite trivial...

If you want to keep on working to get it clean, we can do that and I can give you ideas for improving security, but without the critical updates from MS, it will never be secure... One thing you can do right away is to try a different browser... Download Mozilla, Firefox or Opera and use it to see if you can connect... Even some people at MS are now saying it isn't a good idea to use IE.... and it may simply be too corrupted to work...

J McRae
07-06-2004, 10:17 AM
I agree. It's like beating a dead horse. My husband is a musician and the only files he cares about are his music files, he doesn't use any programs really.

I'll get the new operating system and sign back on. Not here though, right? In "Windows" or "Core Hardware"?

I really appreciate all the time you spent helping me.

I'll be back soon.

Judi

Budfred
07-06-2004, 11:46 AM
You can do it here if you would like since you already have the thread going... You can start a new thread if you prefer...

You will find that it isn't all that difficult, assuming the computer has the specs to handle XP... check that before you buy... If it doesn't, go with an earlier version... The main thing that may take a little effort is wiping the drive... You probably need to reformat a couple of times to be sure that it is clean and you need to power down for a while completely to make sure that nothing can be stored in RAM to infect the new OS... There is a program called Eraser that will thoroughly wipe the drive.... Here is another one:

http://www.pcworld.com/downloads/file_description/0,fid,23288,tk,hsx,00.asp

J McRae
07-06-2004, 12:46 PM
Great! I'll do it here. I'll check back when I've got everything ready to go.

Thanks again Budfred.

Judi

J McRae
07-08-2004, 08:35 PM
Budfred! I don't know how I did it, unless not running a virus check on the floppy from my husband's machine enabled infection of my machine, but I'm having the same problems that he had. Symantec is disabled in the internet security and won't let me turn it on. MSN logs on but won't let me sign in, AdAware finds nothing, SpyBot finds nothing and the Norton scan I ran found nothing! Should I start another thread, or may I post the HJT log from my machine here?

I am REALLY spooked now. I'm afraid every second I am on line, my computer is getting sicker.

Thanks.

Judi

P.S. I have an HP running Windows ME 733MHz 64 MB ram

Donn
07-08-2004, 09:35 PM
Announcement:

I have Win Me 4.90.300 also. I unabashedly love it. Why not ax the Whistler and put Me on it if all your husband cares about are the music files... what do you need a train station like XP for anyway?

We of the Win Me 4.90.300 salute you. :cool:

J McRae
07-08-2004, 09:45 PM
I know Donn. I agree and I fully intend to redo my husband's machine as soon as I can get rid of the flu... but did you read my last post? I'm afraid I infected my ME! Besides having the flu, I've got computer(s) virus(es)!

I just want to choke.

Thanks for the good words.

Judi

Budfred
07-08-2004, 11:44 PM
Yes, install and run HJT, then post it here... I didn't remember to say to not put that floppy back in the good computer... it is possible that it is how the infection was transferred...

Are you sure AdAware and Spybot are updated?? Also, have you used an online virus scan??

J McRae
07-09-2004, 10:49 PM
Budfred: I did both online virus scans - no files found! Then I did update AdAware (1 cookie found); Spybot 1.3 resulted in 2 bookmarks, 1 Alexa Related, 1 Avenue A, Inc. cookie and 1 XerOx being fixed.

HJT log for my machine:

Logfile of HijackThis v1.98.0
Scan saved at 9:38:44 PM, on 7/9/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT OFFICE 2000\PROGRAMS\ALARM.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\HJT\HOWDY.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - Startup: CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Thanks again!

Judi

Budfred
07-09-2004, 11:00 PM
Your log looks clean... are you still having those problems?? Did you recently update either of the programs in question??

You can download and run the trial of TrojanHunter to see if it finds anything, but it looks clean at the moment...

J McRae
07-10-2004, 01:01 AM
I ran the Trojan Hunter and it didn't find anything. I am still locked out of my Symantec...everything is disabled and the internet security is off. I am denied access to change anything because I need to be the "supervisor"... and I still can't sign on to MSN.

Thanks for your time.

Judi

Budfred
07-10-2004, 01:12 AM
I am largely stumped, but there is one possibility here... Please find and check Properties for this file... If it isn't Microsoft, it is probably a trojan... Post back whatever info you find... To check Properties, right click on the file and select Properties... Write down what you find if it isn't MS...

C:\WINDOWS\RunDLL.exe

If that doesn't sort it out, we will have to look at other scan options... Use HJT to run a StartupList Log and we will see what that says... Choose Config, Misc Tools and StartupList Log to create it... Then post it here...

J McRae
07-10-2004, 01:26 AM
It's Microsoft. So is the RunDLL32.

I'll run the HJT startup log in the morning. Thanks!

Judi

J McRae
07-10-2004, 03:41 PM
OK - so I downloaded Mozilla...but can't use it because all the connections I try to make... even to Mozilla, are blocked. SHOULD I UNINSTALL IT? SHOULD I UNINSTALL ADAWARE AND ATTEMPT TO DOWNLOAD IT AGAIN?

So I tried to run the startup log... but couldn't because now a required MSVBVM60.DLL can't be found. So I went to my laptop, copied msvbvm60.dll to c:\windows\system, downloaded HJT into yet another new folder and ran it.

Please check the log and tell me if you want me to continue with the startup log.

Thanks - Judi

Logfile of HijackThis v1.98.0
Scan saved at 2:14:04 PM, on 7/10/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\JTH\HIJACKTHIS.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
O4 - HKLM\..\Run: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Delay] C:\WINDOWS\delayrun.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [InstantAccess] C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [RegShave] C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Startup: CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
O4 - Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://hp.my.yahoo.com
O16 - DPF: {2FF18E20-DE11-11D1-8161-00A0C90DD90C} (MSNBC News Menu Control 3.01) - http://www.msnbc.com/download/nr1228.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

I am really sorry to be such a bother.

Budfred
07-10-2004, 05:21 PM
Your log continues to look fine and I don't know what might be causing the problems you are having, so a StartupList Log is the next thing to try... With luck I might be able to see there what is going wrong... It is VERY odd that you can't run Mozilla!! You could try uninstalling and reinstalling them if you would like, but without knowing what the problem is, I don't know if it would make any difference at all....
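
Budfred is reading these logs by eye. As an added example (not code from the thread, from HijackThis, or from anyone posting here), the script below applies the same first-pass checks to R1/O2/O4/O16 lines of a HijackThis 1.98-style log: an unnamed BHO whose DLL is missing (the shape of the mlhhlde.dll entry that came back in Safe Mode), autoruns launched from temp directories or named after Windows system binaries, machine-looking file names, proxy settings, and ActiveX download hosts that are not on a short allowlist. The sample log is constructed from lines in the thread plus one invented [svchost] line; the thresholds, directory list and host allowlist are assumptions. A hit means "check this file's Properties and vendor", which is what the thread does by hand, not "this is malware".

```python
"""Offline triage of a HijackThis 1.98-style log (added example, not HJT code)."""
import re
from urllib.parse import urlparse

# Constructed sample: the first six lines are copied from logs in the thread
# (the QuickTime URL is trimmed); the [svchost] line is invented to exercise
# the temp-directory and system-name checks.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {E9476E1F-786D-4F12-902E-4F636086CCAC} - C:\WINDOWS\System32\mlhhlde.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [svchost] C:\WINDOWS\TEMP\xkqwzrt.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/QuickTimeInstaller.exe
"""

# Assumed heuristics: names of Windows binaries malware likes to impersonate,
# directories from which nothing legitimate should autorun, and hosts from
# which the thread's own logs download ActiveX controls.
SYSTEM_NAMES = {"svchost", "explorer", "rundll32", "winlogon", "lsass", "services", "csrss"}
SUSPICIOUS_DIRS = ("\\temp\\", "\\temporary internet files\\", "\\recycler\\")
KNOWN_DPF_HOSTS = ("trendmicro.com", "symantec.com", "microsoft.com",
                   "windowsupdate.com", "bitdefender.com", "msnbc.com")
VOWELS = set("aeiouy")

# A Windows path ending in an executable-type extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|com|scr|bat|pif))', re.I)
NAME_RE = re.compile(r"\[([^\]]+)\]")
URL_RE = re.compile(r"https?://\S+")


def longest_consonant_run(stem):
    """Length of the longest run of consonant letters; random names score high."""
    run = best = 0
    for ch in stem.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def triage(log_text):
    """Return (kind, path-or-line, [reasons]) for every line worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        m = PATH_RE.search(line)
        path = m.group(1) if m else ""
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        lower = path.lower()
        reasons = []

        if kind == "R1" and "Proxy" in line:
            reasons.append("proxy setting present; confirm it is yours, a rogue proxy can block security sites")
        if kind == "O2" and "(no name)" in line and "(file missing)" in line:
            reasons.append("unnamed BHO whose DLL is missing; typical of a partially removed hijacker")
        if kind in ("O2", "O4") and path:
            if longest_consonant_run(stem) >= 5:  # assumed threshold
                reasons.append(f"file name '{stem}' looks machine-generated")
            if any(d in lower for d in SUSPICIOUS_DIRS):
                reasons.append("autorun from a temp/cache directory")
            name = NAME_RE.search(line)
            if name and name.group(1).lower() in SYSTEM_NAMES and "\\windows\\system" not in lower:
                reasons.append(f"autorun named like system binary '{name.group(1)}' but outside the Windows system directory")
        if kind == "O16":
            url = URL_RE.search(line)
            host = (urlparse(url.group(0)).hostname or "") if url else ""
            if not any(host == h or host.endswith("." + h) for h in KNOWN_DPF_HOSTS):
                reasons.append(f"ActiveX control downloaded from {host}; confirm the vendor")

        if reasons:
            findings.append((kind, path or line, reasons))
    return findings


if __name__ == "__main__":
    for kind, what, reasons in triage(SAMPLE_LOG):
        print(f"[{kind}] {what}")
        for r in reasons:
            print(f"    - {r}")
```

Run it against a pasted log (replace SAMPLE_LOG with the file contents) and it lists four entries from the sample: the proxy override, the missing mlhhlde.dll BHO, the TEMP-directory "svchost", and the QuickTime control fetched from an Akamai host that is not on the allowlist. The Norton and ccApp entries pass. The consonant-run and allowlist rules are deliberately loose and will flag some legitimate vendor files, so treat every hit as a prompt to check the file's Properties, exactly as Budfred asks for RunDLL.exe below.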

J McRae
07-10-2004, 06:45 PM
Here is the startup list - finally --- it's like battling an invisible creature trying to get back on - my computer hangs with every other task I do:

StartupList report, 7/10/2004, 4:35:33 PM
StartupList version: 1.52.2
Started from : C:\JTH\HIJACKTHIS.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\KEYBDMGR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TEXTBRIDGE CLASSIC 2.0\BIN\INSTANTACCESS.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE
C:\PROGRAM FILES\NETROPA\ONE-TOUCH MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\JTH\HIJACKTHIS.EXE
C:\PROGRAM FILES\MSN\MSNCOREFILES\MSN6.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\MOZILLA.ORG\MOZILLA\MOZILLA.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
CORELCENTRAL ALARMS.LNK = C:\Program Files\Corel\WordPerfect Office 2000\programs\alarm.exe
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
PCHealth = C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
Keyboard Manager = C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Delay = C:\WINDOWS\delayrun.exe
Adaptec DirectCD = C:\PROGRA~1\ADAPTEC\DIRECTCD\DIRECTCD.EXE
LoadQM = loadqm.exe
InstantAccess = C:\PROGRA~1\TEXTBR~1.0\BIN\INSTAN~1.EXE /h
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
DXM6Patch_981116 = C:\WINDOWS\p_981116.exe /Q:A
LVComs = C:\WINDOWS\SYSTEM\LVComS.exe
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
QuickFinder Scheduler = "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
RegShave = C:\Progra~1\REGSHAVE\REGSHAVE.EXE /autorun
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ccRegVfy = "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
Symantec NetDriver Monitor = C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
THGuard = "C:\PROGRAM FILES\TROJANHUNTER 3.9\THGUARD.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
RegisterDropHandler = C:\PROGRA~1\TEXTBR~1.0\BIN\REGIST~1.EXE
SAgent2ExePath = C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
ccEvtMgr = "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
Nisum = C:\Program Files\Norton Internet Security\NISUM.EXE
ccPxySvc = C:\PROGRA~1\NORTON~2\CCPXYSVC.EXE
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "C:\Program Files\Microsoft Money\System\Money Express.exe"
Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
Mozilla Quick Launch = "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 9/7/2004, 21:7:44)

[Rename]
NUL=c:\windows\cookies\t. mcrae@atdmt[1].txt
NUL=C:\WINDOWS\TEMP\_iu14D2N.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\PAGEMGR;c:\windows;c:\windows\command
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
Symantec NetDetect.job
Norton AntiVirus - Scan my computer.job

--------------------------------------------------

Enumerating Download Program Files:

[MSNBC News Menu Control 3.01]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM301.OCX
CODEBASE = http://www.msnbc.com/download/nr1228.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?38029.1985185185

[Symantec RuFSI Utility Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\XSCAN53.OCX
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[AvxScanOnline Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\BITDEF~1.OCX
CODEBASE = http://www.bitdefender.com/scan/Msie/bitdefender.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
AUHook: C:\WINDOWS\SYSTEM\AUHOOK.DLL

--------------------------------------------------
End of report, 8,398 bytes
Report generated in 2.606 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Thanks!

Budfred
07-10-2004, 07:18 PM
I found an optional fix that may be worthwhile to do... run HJT and fix:

O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A

Then use this to clean out all temporary files and post back on whether that seems to have helped...

Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:

Temporary Files
Temporary Internet Files
Recycle Bin

classicsoftware
07-10-2004, 08:42 PM
Trouble connecting....

Please report the ownership of the C:\WINDOWS\SYSTEM\AUHOOK.DLL

Is this a Microsoft file?

If it's not, it can go.

Since Budfred has pretty much exhausted the malware route, I would look at items that could cause problems. Let's try uninstalling the firewall. Do not unload it, uninstall the Norton Internet Security. If you can, download one of the free firewalls first:

Sygate (http://smb.sygate.com/products/spf_standard.htm)

Kerio (http://www.kerio.com/kpf_download.html)

ZoneAlarm (http://www.zonelabs.com/store/content/company/products/znalm/comparison)

If you can't download one of them first, then do it right after you uninstall NIS. Sometimes a firewall can go off the reservation, especially since you are running a beta version of the OS.

Budfred
07-10-2004, 10:03 PM
Please report the ownership of the C:\WINDOWS\SYSTEM\AUHOOK.DLL This is legit, you don't need to worry about it...

J McRae
07-10-2004, 10:06 PM
BUDFRED: First: After "fixing" O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A with HJT and running cleanmgr to remove Temporary Files, Temporary Internet Files and Recycle Bin, I rebooted and got a WINDOWS REGISTRY CHECKER window with the following message: "Windows encountered an error accessing the registry. Windows will repair the registry for you and restart the computer." I did not press OK. I worked around it in case it's just another ploy... I don't know.

classicsoftware: Second: The AUHOOK.DLL appears to be an:
Application Extension that opens with "Unknown application"
Version 5.4.5681.0; Microsoft AutoUpdate; © Microsoft Corporation. All rights reserved.

I'm not running a beta version of the OS on THIS computer. In the process of trying to fix my husband's beta version computer, I think I infected THIS computer with the floppy I used to transport the HJT program and log!

Do you still have the same recommendation? If you do, I am not clear on the difference between DO NOT UNLOAD but rather UNINSTALL Norton Internet Security. Can you clarify for me? Is that like NOT GOING TO ADD/REMOVE to take it off but see if I can actually find an UNINSTALL file in the program folder?

I will remove mozilla and try again.

Can either of you address the WINDOWS REGISTRY CHECKER issue? Should I say "OK"?

Thanks again!

Judi

Budfred
07-10-2004, 10:22 PM
I would probably say yes on the Registry thing... It may be about what the problem is... Back up important files first though, if you haven't already done that....

classicsoftware
07-10-2004, 11:30 PM
If you are getting the registry error, I think it may be corrupted.

This is a bad sign.

I would fully uninstall the firewall. I have had some problems with firewalls and internet/network access that did not resolve when they were unloaded (stopped from running, but still on the system) but that resolved after they were un-installed (removed from the system) and re-installed.

J McRae
07-11-2004, 12:02 AM
Thanks!

I will attempt to do the firewall uninstall tomorrow and post back and let you know how it went.

I did say Yes on the registry thing and was able to sign in on MSN.

We will see what happens tomorrow!

Is this thread too long to continue?

And can someone tell me why I have a black dot on the envelope in the forum?

I'll post back.

Judi

classicsoftware
07-11-2004, 12:39 AM
The thread is not too long. Keep posting back and answering the questions that are asked & we'll work this out together.

Others will respond as I will be unavailable until after 10PM EST on Sunday.

Budfred
07-11-2004, 12:40 AM
And the black dot will show up anywhere that you have posted... not a problem...

J McRae
07-17-2004, 04:01 PM
OK, I'm back. I have to use my laptop for now because I can't access the internet on my computer...

Let's start with my husband's first. His is the beta XP. I ordered an XP online as you suggested. I should be getting it Monday or Tuesday. So I'd like to begin cleaning his hard drive and getting it ready to install the new OS when I get it.

Will you give me the instructions to wipe the hard drive clean and how many times I should do it and how long I should wait until I install the new system please?

Then, after we get finished with his computer, I'd like to do the same to mine...I have the disks that came with my HP, and printer but I don't remember how or where the disks are to install the scanner. Also, what about the floppy and CD drives on my husband's computer? Will I have to buy new because I don't have any disks?

Thanks for your help.

Judi

Budfred
07-17-2004, 05:35 PM
This thread talks about wiping the drive and a number of different programs that can do it...

http://www.pcguide.com/vb/showthread.php?s=&threadid=30874&highlight=Disk+wipe

You can also just use a floppy Startup disk to go in and remove partitions on the drive and reformat... When you get WinXP, it will have the ability to partition and reformat again so you will get another layer of security that way... You can wipe it just once with a zero fill if you would like, but I would probably go a couple of times just to be sure it is wiped clean... Power down completely and unplug the computer at some point in the process, then push the power button on... This will discharge the capacitors and should clean out the RAM... Once that is done, you should have a completely clean system to start over with...

Originally posted by J McRae
Also, what about the floppy and CD drives on my husband's computer? Will I have to buy new because I don't have any disks?

I am not sure what you are asking here... These both use generic drivers and should work fine with any version of Windoze you use...
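Budfred's "zero fill, then be sure it is wiped clean" step above, as an added example that is not part of the thread or any tool named in it. It zero-fills a target with plain dd and then reads the whole thing back against a zero stream with cmp, so a pass that silently failed shows up as a verification failure instead of being assumed. Assumptions: the target is a regular file standing in for a disk (a real drive would be passed as a device path from a boot CD or live system, as root), its size is a multiple of 512 bytes as a real disk's is, and POSIX dd and cmp are available.

```shell
#!/bin/sh
# Added example, not code from the thread: zero-fill a disk (image) and
# verify every byte reads back as zero before reinstalling the OS.
# Assumptions: TARGET is a regular file used as a stand-in for a disk;
# its size is a whole number of 512-byte sectors; POSIX dd/cmp exist.

SECTOR=512

# Size of the target in bytes. Assumption: a regular file, so wc works;
# for a block device you would use a tool such as blockdev instead.
target_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite the whole target with zeros, $2 times (default 1).
# Returns 2 if the size is not sector-aligned, 1 if a dd pass fails.
zero_fill() {
    target="$1"
    passes="${2:-1}"
    size=$(target_bytes "$target")
    if [ $((size % SECTOR)) -ne 0 ]; then
        echo "zero_fill: $target is not a multiple of $SECTOR bytes" >&2
        return 2
    fi
    blocks=$((size / SECTOR))
    i=0
    while [ "$i" -lt "$passes" ]; do
        # conv=notrunc keeps an image file at its full size; each pass
        # rewrites every sector from the first to the last.
        dd if=/dev/zero of="$target" bs="$SECTOR" count="$blocks" \
           conv=notrunc 2>/dev/null || return 1
        sync
        i=$((i + 1))
    done
    return 0
}

# Read the target back and compare it byte-for-byte with a zero stream
# of the same length. Exit status 0 means every byte is zero.
verify_zeroed() {
    target="$1"
    size=$(target_bytes "$target")
    blocks=$((size / SECTOR))
    dd if=/dev/zero bs="$SECTOR" count="$blocks" 2>/dev/null \
        | cmp -s - "$target"
}

# Stand-alone demonstration on a throwaway 1 MiB image filled with
# random data (constructed input), wiped twice and then verified.
if [ "${1:-}" = "--demo" ]; then
    img=$(mktemp) || exit 1
    dd if=/dev/urandom of="$img" bs="$SECTOR" count=2048 2>/dev/null
    if verify_zeroed "$img"; then echo "unexpected: fresh image is all zero"; fi
    if zero_fill "$img" 2 && verify_zeroed "$img"; then
        echo "wiped and verified: $img"
    else
        echo "wipe or verification failed: $img" >&2
    fi
    rm -f "$img"
fi
```

Run it as `sh wipe.sh --demo` to see the cycle on a temporary image. The read-back check is the part worth keeping: it catches a wipe that stopped short or hit write errors, which a bare dd run does not report in a way most people notice. It does not reach sectors the drive has quietly remapped, which is why Budfred's "a couple of times" and a fresh partition table from the XP installer are still sensible follow-ups.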

J McRae
07-20-2004, 07:24 PM
I managed to download Eraser 5.7. I ran it through my husband's computer three times. I unplugged the machine and turned it on. The message is "Operating System not found".

Did that do it?

I got my XP CD in the mail today. What's next please?

Oh, by the way --- I don't know what I did to turn on the remember password feature for the PC Guide login, but I don't like it. Will you please tell me how to turn it off?

Thanks again.

Judi

classicsoftware
07-20-2004, 11:22 PM
Originally posted by J McRae
I managed to download Eraser 5.7. I ran it through my husband's computer three times. I unplugged the machine and turned it on. The message is "Operating System not found".

Did that do it?

Yes.
Originally posted by J McRae
I got my XP CD in the mail today. What's next please?

Put the CD in the PC and boot from the CD. You may have to set your BIOS to boot from the CD

Budfred
07-20-2004, 11:26 PM
When you unplugged the computer and pressed the power button, did you leave it unplugged for a bit?? If not, do that just to be sure there isn't anything in RAM... Probably isn't by now, but better safe than sorry...

To install XP you just put the CD in the drive and turn on the computer... It will boot into the disk and offer you the option to set up the drive and install. You need to decide how you want the drive partitioned and whether you want to format in FAT32 or NTFS... There are advantages to both, but NTFS is the more stable... If your hard drive is large enough, I suggest at least a couple of partitions... The C: partition where you install XP can be as little as 5 gig, but I would go with about 10 gig... XP will walk you through most of it, but if you get stuck, post back here...

As for your settings in PCGuide... You can change them through the "user cp" button at the top of every page on the right...

Edit: classicsoftware got there while I was typing, but we both are saying things that may help, so I will leave my comments.... :)

J McRae
07-21-2004, 06:44 AM
Thanks....I'll post back.

Judi

J McRae
07-22-2004, 08:55 PM
OK -
For those of you who have done this a million times... skip to ***. For those of you who have never installed XP... it goes something like this: I turned on the computer and put in the cd. I turned off the computer and then turned it on again and the cd booted. Setup began loading files and then it asked whether or not I wanted to create a partition in unpartitioned space 38162 MB Disc0 at Id0 on bus0 on atapi [MBR] - whatever that means - so I elected for Setup to create a new partition on 38162 MB Disc0 at Id0 on bus0 on atapi [MBR]. Then I had to decide a size for the partition, - so I just split the MB in half - and made the new partition 19077. When that was done, I had to select to (1) set up Windows XP on the selected item [press enter]; (2) to create a partition on the unpartitioned space [press c]; or (3) delete selected partition [press D]. I pressed "enter". Then, I was given the option to (1) format partition using NTFS (quick); (2) format partition using FAT (quick); (3) format using NTFS; or (4) format using FAT; I chose #3...don't know why...just did - probably because it was highlighted for partition 1 [new raw]. Setup copied files; Setup initialized; Setup rebooted; Setup set up Windows and installed devices and asked me what Name and location for the computer; gave me an "activation window" so I could activate XP. It took about 40 minutes. THEN.......

*****I set up the MSN internet account, logged on, signed in and was SHUT DOWN BY LSASS!!!!!!! YOU KNOW THE ONE THAT GIVES YOU 60 SECONDS TO SAVE YOUR DATA AND LOG OFF....

What's that about? I didn't surf anywhere. I hadn't even had time to enable the XP firewall....I rebooted, downloaded Adaware and updated it and found Alexa and two data miner cookies....

I am presently on my laptop....updates are downloading as we speak

WHAT DID I DO? OR NOT DO?

Am I just nuts? NO...don't answer THAT ONE...

Thanks. Judi

Budfred
07-22-2004, 10:34 PM
I am afraid I am a bit baffled... Alexa is kind of standard, that is to be expected... The Data Miners are probably from MSN...(nice huh??), but I don't know why the computer shut down... There is a way to look in the log to find out, but I am not familiar enough with that process to tell you how... I think it is called Event Viewer if I remember... hopefully someone who knows more about that will see this or you can start a new thread in the Windows forum to ask... This is unlikely to be a security problem although it is possible that one of the worms got you as you logged on.... The main protection for that is to get WinXP updated as quickly as possible and get the WinXP firewall up until you can get a decent one installed... Or download one on the laptop and install it from a CD...

classicsoftware
07-22-2004, 10:51 PM
I'll assume you have a broadband account. I'll also assume you DID not install an antivirus before you got on line.

You most likely have a virus.

First, unplug from the net if you connect by broadband.

Get either Stinger (http://vil.nai.com/vil/stinger/) or the Avast Virus Remover tool (http://www.avast.com/eng/avast_cleaner.html).

Boot into safe mode on the XP Box and run the tool.

Report back with your results.

PrntRhd
07-22-2004, 10:54 PM
I had a similar experience last weekend loading 2000 Pro onto a computer.
I solved it by formatting again to kill the virus, loaded the OS again, used the MS Security CD-ROM for the SP4 Service Patch updates it had on it, loaded the AV of choice and software firewall, then connected to the Internet, updated the AV and went to Windows Update immediately to download all the Critical updates (all 27).
You can be infected in just minutes if you are not very careful.