UGHHH Smitfraud
deltabwa
05-09-2005, 10:23 AM
I finally get my computer up and running again and I get a stupid virus. It's a blue screen on my desktop that says:
A fatal error in IE has occured at 0028:C0011E36 in VXD VMM(01)+ 00010E36. Error was caused by Trojan-Spy.HTML.Smitfraud.c
System can not function in normal mode.
Please check your security settings.
Scan your PC with any available antivirus/spyware remover program to fix the file.
I did that. I had just finished installing ad-aware. I ran it 4 times and again this morning and it can't get rid of it. I also ran Spybot and it can't get rid of it.
I have seen it on the internet and ways to get rid of it; however, I think I got it after going to a website doing a search for something. The sites it says to go to I've never heard of before and don't wanna try again.
It is not on this computer and I don't want to put the infected one on the web. But I can't seem to find a solution on any of the sites I trust, such as this one.
Any solutions?
PrntRhd
05-09-2005, 10:36 AM
Download the HijackThis (http://www.merijn.org/) program, unzip and install it in its own folder and scan the infected PC. Copy/paste the log here for the experts to review. Do not remove/fix anything until they advise.
Post back also if the program will not scan as it may indicate a different problem.
Can you boot up in SAFE mode?
deltabwa
05-09-2005, 10:40 AM
Yes, I can download in safe mode. And I did just find a fix on Cnet. I haven't done it yet but they say to do this..
http://www.bleepingcomputer.com/forums/How_to_remove_the_Smitfraud_or_Wpexe_WindowsFY-t17258.html
PrntRhd
05-09-2005, 10:46 AM
Download the HijackThis (http://www.merijn.org/) program, unzip and install it in its own folder and scan the infected PC, creating a logfile. Copy/paste the log as a Reply Post here for the experts to review. Do NOT remove/fix anything until they advise.
Post back also if the program will not scan as it may indicate a different problem.
deltabwa
05-09-2005, 10:55 AM
Here is the Hijack This log:
Logfile of HijackThis v1.98.2
Scan saved at 7:43:36 AM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\explorer.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWSA\System32\HpMmKbd.exe
C:\WINDOWSA\addyo32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\wp.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\WINDOWSA\System32\wuauclt.exe
C:\WINDOWSA\ntqn32.exe
D:\zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O2 - BHO: Class - {804EC123-38A8-DB34-2366-3BB8766CF473} - C:\WINDOWSA\system32\apill32.dll
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [addyo32.exe] C:\WINDOWSA\addyo32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\RunOnce: [ntqn32.exe] C:\WINDOWSA\ntqn32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
Also, When I booted up this morning, before XP finished loading, I got an error saying it couldn't find the following 2 programs:
crdp.exe and javash.exe
I am currently in safe mode.
david eaton
05-09-2005, 03:32 PM
The copy of Hijack this you are using is out of date. Please download the latest version from here (http://www.merijn.org/files/hijackthis.zip), and post a fresh log.
deltabwa
05-09-2005, 04:22 PM
Here ya go
Logfile of HijackThis v1.99.1
Scan saved at 1:21:54 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\explorer.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWSA\System32\HpMmKbd.exe
C:\WINDOWSA\addyo32.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\wp.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\WINDOWSA\system32\apizz32.exe
C:\WINDOWSA\System32\wuauclt.exe
C:\WINDOWSA\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\D\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O2 - BHO: Class - {804EC123-38A8-DB34-2366-3BB8766CF473} - C:\WINDOWSA\system32\apill32.dll
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [addyo32.exe] C:\WINDOWSA\addyo32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\RunOnce: [javanr.exe] C:\WINDOWSA\javanr.exe
O4 - HKLM\..\RunOnce: [apizz32.exe] C:\WINDOWSA\system32\apizz32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD6050A-60C6-4918-9761-BE5D1A8307A2}: NameServer = 137.118.212.5 137.118.1.33
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
classicsoftware
05-09-2005, 05:57 PM
Download CWShredder (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41). After installing, choose Update. Once you have updated, click on Fix.
Download About Buster (http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41).
Install the program then boot into safe mode and run it twice. Save a log each time.
Post both logs back here along with a new HJT log after fixing:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O2 - BHO: Class - {804EC123-38A8-DB34-2366-3BB8766CF473} - C:\WINDOWSA\system32\apill32.dll
O4 - HKLM\..\Run: [addyo32.exe] C:\WINDOWSA\addyo32.exe
O4 - HKLM\..\RunOnce: [javanr.exe] C:\WINDOWSA\javanr.exe
O4 - HKLM\..\RunOnce: [apizz32.exe] C:\WINDOWSA\system32\apizz32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
Delete the following files:
C:\WINDOWSA\system32\ctnjk.dll
C:\WINDOWSA\xmllib.dll
C:\WINDOWSA\system32\apill32.dll
C:\WINDOWSA\addyo32.exe
C:\WINDOWSA\javanr.exe
C:\WINDOWSA\system32\apizz32.exe
c:\wp.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\WINDOWSA\ipho.exe
You may have to set windows to show hidden files (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
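The entries classicsoftware picked out above follow a handful of patterns an analyst can check mechanically. The script below is an added example for this thread, not part of HijackThis or any tool mentioned here; it parses HJT-style R/O lines (sample entries copied from the logs posted above, with the garbled service name abbreviated) and flags search pages redirected to a local DLL, unnamed or Windows-directory browser helper objects, startup entries that imitate system process names or run from odd locations, and services with no owner and no binary.

```python
"""Triage heuristics for a HijackThis log (added example, not HJT's own code)."""
import os
import re

# Legitimate names (lowercase, no extension) that the entries in this thread
# imitate: smss -> SMSSU, tmntsrv -> Tmntsrv32. iexplore is listed so it is
# not mistaken for a misspelling of explorer.
KNOWN_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost",
               "spoolsv", "explorer", "iexplore", "tmntsrv"}

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows[^\\]*\\(?:system32\\)?[^\\]+$")
DRIVE_ROOT = re.compile(r"^[a-z]:\\[^\\]+$")
ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between distinct names is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(path: str):
    """Return the legitimate process name this file name imitates, or None."""
    stem = os.path.splitext(os.path.basename(path.replace("\\", "/")))[0].lower()
    if stem in KNOWN_NAMES:
        return None
    for name in KNOWN_NAMES:
        if len(stem) >= 4 and edit_distance(stem, name) <= 2:
            return name
    return None


def exe_path(launch: str) -> str:
    """Pull the executable out of an O4 launch string (path plus arguments)."""
    m = re.search(r'([A-Za-z]:\\[^"]*?\.exe)', launch, re.IGNORECASE)
    return m.group(1) if m else launch.strip('"').split(" ")[0]


def triage(log_text: str) -> list:
    """Return (severity, reason, line) for every entry a heuristic matches."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header and running-process lines carry no R/O prefix
        kind, body = m.group("kind"), m.group("body")
        if kind in ("R0", "R1") and "res://" in body:
            findings.append(("high", "IE page/search setting points at a local DLL resource", line))
        elif kind == "R3" and "URLSearchHook is missing" in body:
            findings.append(("medium", "default URLSearchHook has been removed", line))
        elif kind == "O2":
            name = body.split(" - ")[0].replace("BHO:", "").strip()
            dll = body.rsplit(" - ", 1)[-1].strip().lower()
            if name in ("", "Class"):
                findings.append(("high", "browser helper object with no meaningful name", line))
            elif WINDOWS_DIR.match(dll):
                findings.append(("medium", "browser helper object DLL under the Windows directory", line))
        elif kind == "O4":
            path = exe_path(body.split("] ", 1)[-1])
            imitated = lookalike(path)
            if imitated:
                findings.append(("high", f"startup entry imitates system process '{imitated}'", line))
            elif WINDOWS_DIR.match(path.lower()):
                findings.append(("medium", "startup entry runs an unfamiliar file from the Windows directory", line))
            elif DRIVE_ROOT.match(path.lower()):
                findings.append(("medium", "startup entry runs a file from the drive root", line))
        elif kind == "O23" and "Unknown owner" in body and "file missing" in body:
            findings.append(("high", "service with unknown owner and missing binary", line))
    return findings


# Sample entries copied from the logs in this thread, plus two benign ones
# (QuickTime, AVG) to show ordinary entries are left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O2 - BHO: Class - {804EC123-38A8-DB34-2366-3BB8766CF473} - C:\WINDOWSA\system32\apill32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [addyo32.exe] C:\WINDOWSA\addyo32.exe
O4 - HKLM\..\RunOnce: [apizz32.exe] C:\WINDOWSA\system32\apizz32.exe
O4 - HKCU\..\Run: [WindowsFY] c:\wp.exe
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O23 - Service: Remote Procedure Call (RPC) Helper (garbled name) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Heuristics like these only rank entries for a human to confirm; the lookalike check in particular is why SMSSU.EXE next to the real smss.exe is worth a second look.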
deltabwa
05-09-2005, 07:57 PM
OK, I did everything you told me to do and now I can't get on the internet at all. I can log on but AOL freezes, IE freezes, and I had some concerns with some of the files I was told to delete. One of them (C:\WINDOWSA\System32\SMSSU.EXE) told me access denied, 2 of them (C:\WINDOWSA\xmllib.dll, C:\WINDOWSA\System32\Tmntsrv32.EXE) had dates of 9/3/02 which is similar to a lot of other files and I wondered if they were necessary files or if a lot of other things were put on my computer at the same time. The game spider solitaire has the same 9/3/02 date.
As far as the HJT fix, I tried to fix this one (O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)) 3 times but it never was deleted or fixed.
I ran both (About Buster and HJT) 3 times. Twice was in safe mode as you said, and all was fine. When I rebooted, I ran again just to be sure, and it all came back again. Also, my IE start page is now this:
res://C:\WINDOWSA\System32\shdoclc.dll/navcancl.htm
Here's the first About Buster log. I wasn't sure if you meant to run it twice separately or twice as they recommend, so I did twice separately. And then a 3rd after the reboot.
Scanned at: 3:29:19 PM on: 5/9/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
The 2nd Time
Scanned at: 3:30:24 PM on: 5/9/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 3 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
and the 3rd
Scanned at: 4:41:01 PM on: 5/9/2005
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Removed 4 Random Key Entries
Attempted Clean Of Temp folder.
Pages Reset... Done!
-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 19
No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!
deltabwa
05-09-2005, 08:04 PM
Here are the HJT Logs
#1
Logfile of HijackThis v1.99.1
Scan saved at 3:08:35 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\explorer.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWSA\javanr.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWSA\System32\HpMmKbd.exe
C:\WINDOWSA\addyo32.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\wp.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWSA\System32\wuauclt.exe
C:\Program Files\Grisoft\AVG6\avgw.exe
C:\Program Files\Grisoft\AVG6\avginet.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O2 - BHO: Class - {804EC123-38A8-DB34-2366-3BB8766CF473} - C:\WINDOWSA\system32\apill32.dll
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [addyo32.exe] C:\WINDOWSA\addyo32.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD6050A-60C6-4918-9761-BE5D1A8307A2}: NameServer = 137.118.212.5 137.118.1.33
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
#2
Logfile of HijackThis v1.99.1
Scan saved at 4:04:37 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
deltabwa
05-09-2005, 08:05 PM
and #3 (I just redid this)
Logfile of HijackThis v1.99.1
Scan saved at 5:00:16 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\explorer.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\Program Files\Canon\BJPV\TVMon.exe
C:\Program Files\Canon\BJCard\BJLaunch.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWSA\System32\HpMmKbd.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\WINDOWSA\System32\SMSSU.EXE
C:\WINDOWSA\System32\Tmntsrv32.EXE
C:\WINDOWSA\System32\dwwin.exe
C:\WINDOWSA\System32\dwwin.exe
C:\WINDOWSA\System32\dwwin.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O4 - HKLM\..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe
O4 - HKLM\..\Run: [BJLaunchEXE] C:\Program Files\Canon\BJCard\BJLaunch.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [HpMmKbd] HpMmKbd.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
classicsoftware
05-09-2005, 09:03 PM
Read this (http://securityresponse.symantec.com/avcenter/venc/data/trojan.startpage.o.html), they are definitely bad.
When you have loaded HJT, Internet Explorer and all other windows except for HJT should be closed.
Fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
Click on Config, then Misc Tools, then Delete file on Reboot, and paste the full file name and path into the window. Repeat the process for the files where access was denied.
I am also concerned about C:\WINDOWSA\System32\dwwin.exe because that indicates Dr. Watson has found some hardware problem at start-up.
But one thing at a time.
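Added here as an illustration, not code from the thread or from HijackThis: a small triage helper that reads HJT log lines in the format posted above and flags the cues classicsoftware used to pick the entries to fix (search pages pointing at res:// or about:blank, Run entries whose names imitate a real process such as SMSSU vs smss and Tmntsrv32 vs Tmntsrv, services with a missing file, no publisher or a garbled name, and, as a weaker cue, binaries sitting directly in the Windows folder). The legitimate-process list and the sample log are constructed for the example.

```python
# Added example (not from the thread or HijackThis): triage helper for
# HJT log lines, encoding the cues the helpers in this thread relied on.
import re
from dataclasses import dataclass

# Legitimate process stems the thread showed being imitated (SMSSU.EXE vs
# smss.exe, Tmntsrv32.EXE vs Tmntsrv.exe). Constructed for this example.
LEGIT_STEMS = ("smss", "svchost", "lsass", "winlogon", "services",
               "explorer", "tmntsrv", "tmproxy", "pccguide")


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section tag, e.g. "O4"
    severity: str  # "fix" = strong indicator, "review" = weak cue, check it
    reason: str
    raw: str       # the original log line


def _first_path(value: str) -> str:
    """Pull the executable/DLL path out of a Run, BHO or Service value."""
    m = re.search(r'([^"]*?\.(?:exe|dll|ax))\b', value.lstrip('"'), re.I)
    return m.group(1) if m else value.strip()


def _in_windows_root(path: str) -> bool:
    """True when the file sits directly under the Windows folder."""
    parts = path.replace("/", "\\").split("\\")
    return len(parts) == 3 and parts[1].upper().startswith("WINDOWS")


def _lookalike_stem(path: str) -> str:
    """Return the legitimate stem this file name imitates, or '' if none."""
    stem = path.split("\\")[-1].lower().rsplit(".", 1)[0]
    for legit in LEGIT_STEMS:
        if stem != legit and stem.startswith(legit):
            return legit
    return ""


def triage_line(line: str) -> list:
    """Return the findings for one HJT log line (empty if it looks benign)."""
    line = line.rstrip()
    tag = line.split(" - ", 1)[0]
    found = []

    def flag(severity, reason):
        found.append(Finding(tag, severity, reason, line))

    if tag in ("R0", "R1") and " = " in line:
        value = line.split(" = ", 1)[1].strip()
        if value.lower().startswith("res://") or value.lower() == "about:blank":
            flag("fix", "IE start/search page redirected to " + value)
    elif tag == "R3" and "missing" in line:
        flag("review", "default URLSearchHook removed, common after a hijack")
    elif tag in ("O2", "O4", "O23"):
        value = line.split("] ", 1)[-1] if tag == "O4" else line.split(" - ")[-1]
        path = _first_path(value)
        base = path.split("\\")[-1]
        if tag == "O4" and _lookalike_stem(path):
            flag("fix", base + " imitates the legitimate process "
                 + _lookalike_stem(path) + ".exe")
        if tag == "O23":
            parts = line.split(" - ")
            name = parts[1]
            owner = parts[2] if len(parts) > 2 else ""
            if "(file missing)" in line:
                flag("fix", "service points at a file that no longer exists")
            if owner == "Unknown owner":
                flag("fix", "service has no publisher")
            if any(not c.isprintable() or ord(c) > 126 for c in name):
                flag("fix", "service display name is garbage characters")
        if _in_windows_root(path):
            flag("review", "binary sits directly in the Windows folder: " + base)
    return found


def triage(log_text: str) -> list:
    """Run triage_line over a whole pasted log."""
    return [f for line in log_text.splitlines() if line.strip()
            for f in triage_line(line)]


# Constructed sample modelled on the thread's logs (the garbled service
# name is shortened; the real one was longer).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWSA\system32\ctnjk.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - Default URLSearchHook is missing
O2 - BHO: XMLDP Class - {60371670-81B9-4d06-9C42-4DEC1AABE62B} - C:\WINDOWSA\xmllib.dll
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O4 - HKCU\..\Run: [SMSSU] C:\WINDOWSA\System32\SMSSU.EXE
O4 - HKCU\..\Run: [Tmntsrv32] C:\WINDOWSA\System32\Tmntsrv32.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#) - Unknown owner - C:\WINDOWSA\ipho.exe (file missing)
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
```

Note that the "review" findings are only hints: the AOL service wanmpsvc.exe legitimately lives in the Windows folder, so a weak cue alone is never a reason to delete something.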
deltabwa
05-09-2005, 11:47 PM
Well, it doesn't work. It continually comes back. I delete it using Ctrl-Alt-Del in the processes and it immediately comes back. I have just edited the registry as it said on the link; however, I don't have much confidence. I tried to run CWShredder and it told me there was a virus and that it had to change the name of the program so it could run; it did, it ran, and it came up without a virus. I tried to run Spybot; it shut my computer down instantly. I am currently rebooting, but I can't run the scan from Symantec because I can't get on the internet. Is the only solution reformatting?
classicsoftware
05-10-2005, 08:08 AM
Did you put the items in the section of HJT to delete on re-boot?
If you did, download Killbox from the same place you got HJT and use Killbox to stop the processes from running
You might also want to try in safe mode if you can't delete them in regular mode.
deltabwa
05-10-2005, 09:52 AM
Yes, I did put those items in there, 4 different times. I also tried deleting under DOS, Safe Mode, Regular. I see several files that are similar in name to SMSSU; are they supposed to be there? There must be a file that is bringing it back. Does anyone know which file that is? I can't run any virus software; it shuts it down. It finds it, but then shuts it down or freezes it. I tried using MicroTrend, the only one it wasn't kicking off the internet doing updates, but it shut it down.
The files with similar names are:
smss.exe
smlogsvc.exe
smlogcfg.dll
deltabwa
05-10-2005, 11:05 AM
I THINK I may have gotten rid of it, doing everything from the various different sites given. HOWEVER, I still have the file javanr.exe listed in the registry 3 times, though I don't see the actual file anywhere on the system. One of those times is listed under "disable" but I'm not sure what the actual value is supposed to be. Is there somewhere I can find what the values should be? Should I delete them? I'm afraid to reboot because I don't want that to be the file that brings it all back again.
HKCR\CLSID\E2E1818C-C7D7-1488-4B10-1D0119ABA5C3\Local Server32\Default
HKLM\SOFTWARE\CLASSES\CLSID\E2E1818C-C7D7-1488-4B10-1D0119ABA5C3\Local Server32\Default
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENT VERSION\RUNONCE-DISABLED
classicsoftware
05-10-2005, 11:30 PM
DON'T re-boot.
Please post a new HJT log and let us know what you did. If you are posting on a different site as well as here, it is a recipe for disaster for your PC.
Please let us know everything you did....
deltabwa
05-20-2005, 06:50 PM
Here's the newest log.
Logfile of HijackThis v1.99.1
Scan saved at 3:41:04 PM, on 5/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\WINDOWSA\System32\carpserv.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Pogo Games\Great Escapes Solitaire Collection\solitaire.exe
C:\Program Files\EMS Free Surfer Companion\fs30.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWSA\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Get siteinfo data (fsc) - C:\Program Files\EMS Free Surfer Companion\fslauncher.htm
O9 - Extra button: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra 'Tools' menuitem: Free Surfer - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - C:\Program Files\EMS Free Surfer Companion\FS30.exe
O9 - Extra button: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD6050A-60C6-4918-9761-BE5D1A8307A2}: NameServer = 137.118.212.5 137.118.1.33
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
I am having trouble with 2 programs .. here are the errors
with EMSFree Surfer - Unexpected condition occured while starting fsc-30 engine: out of memory: SHDocVw.ShellWindows.
then it shuts down.
the other is Win Media Player and this error is :
the procedure entry point GetIUMS could not be located in the dynamic link library MSDART.DLL
I've uninstalled and reinstalled it and even copied it from my other windows folder (see another post regarding 2 windows folders) neither worked.
thanks
classicsoftware
05-20-2005, 08:19 PM
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
Click Fix Checked
Then re-boot
RE:
I am having trouble with 2 programs .. here are the errors
1)with EMSFree Surfer - Unexpected condition occured while starting fsc-30 engine: out of memory: SHDocVw.ShellWindows.
Uninstall the popup blocker and install Popup Manager (http://www.endpopups.com/)
2)the other is Win Media Player and this error is :
the procedure entry point GetIUMS could not be located in the dynamic link library MSDART.DLL
If the PC is running better, let's run Windows Update and get the system patched up to date; then we can download Media Player 10.
The main question is:
How is the PC running?
deltabwa
05-22-2005, 09:49 AM
Here is the new log
Logfile of HijackThis v1.99.1
Scan saved at 6:34:36 AM, on 5/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\WINDOWSA\System32\carpserv.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWSA\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SpyBotSnD] "D:\Program Files\Spybot - Search & Destroy 1.1\SpybotSD.exe" /autoclose
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG6 Service (AvgServ) - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
It seems to be running fine, except "Trend Micro" pops up once a day to say it quarantined a virus. But nothing shows anywhere. I don't know where it keeps coming from.
I finished updating a windows update and then the media player seems to be working fine now.
I found a place on Microsoft that will send you a cd for the free service pack 2 upgrade and I requested it and received it but nervous and unsure about installing it.
Fruss Tray Ted
05-22-2005, 11:44 AM
Do NOT install the SP2 pack until you are sure the viruses are GONE!!! Or you'll be asking for trouble...
but by all means, after resolving the issues, install it. I have it on my XP machine and have not incurred any problems but I installed to a new build, not one that has been built for awhile and encountered problems.
classicsoftware
05-22-2005, 12:11 PM
Your log looks clean to me. Where we need to go from here is getting your protections up to speed.
1) Open Trend Micro and clear out the quarantine file.
2) Update the Virus Patterns
3) Scan for Virus infection
4) Go online to Trend Micro HouseCall and scan for virus infection.
After 3&4 are clean
5) Make a restore point
6) Install SP2
7) After installing SP2 run Windows update and apply ALL critical patches and updates.
8) You need to install a firewall. I personally prefer Sygate (http://www.sygate.com/firewall/) though many folks also like Kerio (http://www.kerio.com/kpf_download.html)
9) Download, install and Keep Updated SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html)
10) Install and use Firefox (http://www.mozilla.org/products/firefox/) as your default browser.
11) Do not install any software that comes from a pop-up
12) Read this (http://castlecops.com/postlite7736-.html) article on how you got infected in the first place.
Budfred
05-22-2005, 02:03 PM
Before you install SP2, it might be a good idea to run an MWavScan to make sure it is all cleaned up, this is a tricky infection...
It will produce a log in the lower right hand corner and you will need to use Ctrl-C to copy the bottom part of it that has the bad items and then paste it here for review....
http://www.mwti.net/antivirus/free_utilities.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
deltabwa
05-22-2005, 08:13 PM
OK, will do, but first: the one file Trend Micro keeps finding is A0008926.exe in C:\System Volume Information\_restore\{.......} (forever long numbers and letters). Is that something to worry about?
Also, I thought I HAD a firewall installed, though under Control Panel it gives me: "Due to an unidentified problem, Windows can not display Windows Firewall settings."
But I thought I had a firewall installed under Trend Micro; it does tell me it is installed.
classicsoftware
05-22-2005, 10:43 PM
OK, will do, but first: the one file Trend Micro keeps finding is A0008926.exe in C:\System Volume Information\_restore\{.......} (forever long numbers and letters). Is that something to worry about?
NO. Just delete your restore points.
Also, I thought I HAD a firewall installed, though under Control Panel it gives me: "Due to an unidentified problem, Windows can not display Windows Firewall settings."
If the Trend Micro is supposed to be a firewall, disconnect from the net & reinstall it and see what windows says.
jlreich
05-22-2005, 11:18 PM
Also, I thought I HAD a firewall installed, though under Control Panel it gives me: "Due to an unidentified problem, Windows can not display Windows Firewall settings."
But I thought I had a firewall installed under Trend Micro; it does tell me it is installed.
If you are going into the Control Panel in Windows, then that would be Windows Firewall you are trying to start, not Trend Micro. Also, a lot of firewalls these days disable Windows Firewall when they are installed to avoid conflicts (a good thing), which would explain why Windows Firewall is not able to start up.
I hope that helps clear things up.
classicsoftware
05-22-2005, 11:32 PM
JLREICH:
I disagree. I have never seen that message. I have seen:
1) Firewall off
2) Unknown settings
3) Firewall protected by: Name of Firewall.
deltabwa
05-23-2005, 12:25 AM
Is that file (A0008926.exe) supposed to be there or do I delete it?
jlreich
05-23-2005, 12:28 AM
You are right, Classic; now that I think about it, that is a strange message. What got my attention is going into the Control Panel to start Trend Micro, and this:
"Due to an unidentified problem, Windows can not display Windows Firewall settings."
deltabwa
05-23-2005, 12:32 AM
Under Trend's Firewall it says "Enable Personal Firewall" and that is checked. Current Profile is.. Direct Connection. Is that not on?
Budfred
05-23-2005, 12:57 AM
Is that file (A0008926.exe) supposed to be there or do I delete it?
From what you posted, this is in your System Restore Point and you will need to reset System Restore to get rid of it... I am not sure what it is without a context for it... As I suggested earlier, a MWavScan would be helpful...
deltabwa
05-23-2005, 10:56 AM
OK, ran the MWav and these are the problems it gives:
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{3BF4771A-18F5-4EAB-80B7-AC254D3C7503}" refers to invalid object "C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{F1232222-458A-4613-9AD0-C2D9DE6B6E1E}" refers to invalid object "C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdProcessRawImages" refers to invalid object "{4DCADFA0-556A-4288-AB68-833C51A2CF6B}". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdProcessRawImages.1" refers to invalid object "{4DCADFA0-556A-4288-AB68-833C51A2CF6B}". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdRemoteCapture" refers to invalid object "{7D5BAFEE-5A7D-4BB0-B709-A17422EEB658}". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdRemoteCapture.1" refers to invalid object "{7D5BAFEE-5A7D-4BB0-B709-A17422EEB658}". Action Taken: No Action Taken.
File C:\WINDOWSA\XMLLIBUI.exe infected by "Trojan.Win32.StartPage.yg" Virus! Action Taken: No Action Taken.
deltabwa
05-23-2005, 11:05 AM
Now, here is my question, I haven't downloaded anything, not even before I got the virus. I did a search on Yahoo, clicked on the link and that's when all the problems seemed to start. Since then I have only downloaded what you have told me to download, and didn't download before that so I'm not sure what happened.
Also, I ran the Trend scan, and the online Trend scan, both came up clean. I've run CWShredder, About Buster, Spybot, Spyware Blaster, Adaware, yet nothing comes up infected. I understand you have to run several programs to insure but are these other programs any good if they have all missed this virus that MWav now says I still have?
Thanks so much for all your help. It makes sense to me cuz I was concerned with how Trend kept finding a virus if everything else said I was clean
deltabwa
05-23-2005, 02:48 PM
ok, another question. I just ran Regedit and did a search for "google" since it popped up as my homepage on IE and i don't ever have that listed as a homepage, and it seems that that is included in this virus, anyway.. there was twice listed under
HKCU\Software\Microsoft\Windows\Current Version\Internet Settings\Zone Map\...
now this is what I question since I don't ever recall seeing these before but I didn't know if they are part of one of these programs you have told me to download or not.
at this point it lists...
...\Domains\
then every unwanted website you could imagine and then some. It is also listed under HKUsers.
Also, is that file XMLLIBUI a bad file? I can't find anything on the web about it
classicsoftware
05-23-2005, 08:34 PM
You need to wait for Budfred's advice on how to proceed from here. I think we are almost clear.
Once he tells us how to evaluate the results of the scan you posted, we can go from there.
Sit tight, I think we are almost done.
Budfred
05-23-2005, 11:35 PM
Now, here is my question, I haven't downloaded anything, not even before I got the virus. I did a search on Yahoo, clicked on the link and that's when all the problems seemed to start. Since then I have only downloaded what you have told me to download, and didn't download before that so I'm not sure what happened.
Also, I ran the Trend scan, and the online Trend scan, both came up clean. I've run CWShredder, About Buster, Spybot, Spyware Blaster, Adaware, yet nothing comes up infected. I understand you have to run several programs to insure but are these other programs any good if they have all missed this virus that MWav now says I still have?
Thanks so much for all your help. It makes sense to me cuz I was concerned with how Trend kept finding a virus if everything else said I was clean
The other programs are very good, but no one program can catch it all... It would be much easier for those of us who volunteer if there were... As for the download, you are downloading every time you click on a link and some links are booby trapped with malware that will download and then ask for more garbage from the parent garbage... That is why protection programs like a good firewall are so important, but even they won't protect you on some sites...
As for the bad file that was found in the MWavScan... Please download KillBox:
http://www.downloads.subratam.org/KillBox.zip
Boot to Safe Mode and open it, select to "Delete on reboot" and copy/paste this into the dialogue window:
C:\WINDOWSA\XMLLIBUI.exe
Click through to approve the deletion, close KillBox and reboot... Post a fresh MWavScan after that... You can leave off all of those Entry listings...
Also, please be very careful about messing around in the Registry... if you are going to change anything, back it up first...
classicsoftware
05-24-2005, 12:27 AM
Bud:
I assume the invalid objects are program/registry links for files that have already been deleted????
Budfred
05-24-2005, 12:53 AM
Bud:
I assume the invalid objects are program/registry links for files that have already been deleted????
From the info I have seen on MWavScan, that is the case and the Object entries are orphaned Registry items...
deltabwa
05-24-2005, 10:49 AM
ok masters, I am sick of this crap, I don't know how you do it every day. Here is the latest..
First, with the Sygate I installed, it is like wading through quicksand. You go nowhere fast. I can log onto the net but it won't load a webpage; AOL won't connect, and I clicked allow when it asks but still nothing. I am running on dial-up so it is taking a while to download all this crap. The AVG program I had was apparently ancient and they won't support it anymore, so I have to redownload. I have been trying to have the program update itself but it gets stuck at 26% and won't go further, so yesterday I had to start a fresh DL and well.. it's 14 meg and I can't tie up my phone for the hours it says it needs, so I do a piece at a time. Tried to finish this morning but that's when I had the problem of getting online. I am now on my husband's puter and just staring dreamily at mine, since he got my old one and I got the new :-)
I have run the MWavScan again and it gave me the same 2 errors (I will copy and paste instead of retyping everything); the "XM..." file is gone, thankfully, but there's another issue as well with Spybot.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Spybot continually finds this error; I click fix, then run it again, and it is immediately back.
"DSO Exploit"
HKEY_Users\S-1-5-18\Software\Microsoft\Windows\Current Version\Internet\Zones\0\1004!=W=3
HKEY_Users\S-1-5-20\Software\Microsoft\Windows\Current Version\Internet\Zones\0\1004!=W=3
HKEY_Users\S-1-5-19\Software\Microsoft\Windows\Current Version\Internet\Zones\0\1004!=W=3
HKEY_Users\Default\Software\Microsoft\Windows\Current Version\Internet\Zones\0\1004!=W=3
I've run and updated CWShredder, and under the list it says CWS.TheRealSearch and it says it's not present.
UGHHHH
As far as the registry goes.... I do make backups and am VERY careful with it. I really just look, don't change anything, except in this case where I changed the Google, though it hasn't helped. Spybot detected a change trying to occur again after I changed it; it wanted to change back to Google. Why does a bad virus make the home page Google?
deltabwa
05-24-2005, 10:51 AM
PS.. can I run TweakNow reg cleaner to get rid of those links?
deltabwa
05-24-2005, 10:55 AM
PSS.. I uninstalled Sygate and can now stop staring at my puter and actually use it again :-) So obviously I need info on how to adjust the properties of Sygate. But again, Under Network Connections, it says that my connection is firewalled (even now after the removal of Sygate) but I can't figure out how to tell what program or setting or anything on it and I still get the same error message under control panel.
classicsoftware
05-24-2005, 11:07 AM
1) The DSO exploit error message is a known flaw in Spybot.
2) The MWavScan is clean as far as I can tell, Budfred will have to say for sure.
3) The firewall, you have is Windows Built in Firewall. You should disable it. If Sygate does not work for you, try Kerio, also a very low memory footprint.
4) If AVG is too large, try AVAST, I find it to be an excellent AV software.
Post another HJT Log to see what is going on. These things morph and change and fixing one thing can cause something that was hiding to appear.
deltabwa
05-24-2005, 11:17 AM
Those 2 spyware items that MWav found are nothing?
When I click on the firewall in Control Panel it gives me this error...
"Due to an unidentified problem, Windows can not display Windows Firewall settings."
so I can't turn it off, at least I don't know how to.
I was able to finish the download and will install (AVG) as soon as I finish updating all my prog's
and.. can I use the regcleaner?
deltabwa
05-24-2005, 11:23 AM
Here's the latest HJT log
Logfile of HijackThis v1.99.1
Scan saved at 8:19:47 AM, on 5/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\WINDOWSA\System32\carpserv.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Trend Micro\Internet Security\PCCLIENT.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\Internet Security\pccmain.exe
C:\Program Files\HiJackThis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [PCCLIENT.EXE] "C:\Program Files\Trend Micro\Internet Security\PCCLIENT.EXE"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD6050A-60C6-4918-9761-BE5D1A8307A2}: NameServer = 137.118.212.5 137.118.1.33
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
And if everyone is in sync with this being clean... what now? Do I install the SP2? Also, is there a way to incorporate Firefox into AOL? Or are they strict on IE? Can I just uninstall IE? (I know I can't if AOL won't use anything else.) I am still trying to DL all the updates with my current version of XP; again, dial-up is sooo slow. Do I have to do all the updates before I install SP2?
classicsoftware
05-24-2005, 11:52 AM
Let's wait and see what Budfred says about being clean. Also hold up on the reg cleaner for now.
Do you know anyone who has high speed internet and a CD-R. If they do, they can download SP2 and burn you a copy.
Do not download other updates until after you do SP2; some of them will be taken care of by SP2.
You cannot uninstall IE.
You can connect to the web using AOL dialup and then use Firefox as your browser. Why are you hitched to AOL? Are there no inexpensive dialup services in your area?
deltabwa
05-24-2005, 04:20 PM
I already got the SP2 CD update from Microsoft so that's not a problem. I am in a real remote area and I get to AOL thru an ISP. There is only 1 ISP available in my area and I stick with AOL cuz I like it. I cuss it to death but I do prefer it to everything else. But AOL uses IE for the internal browser.
classicsoftware
05-24-2005, 04:54 PM
As I said, you can connect with AOL, minimize the screen and use Firefox as your browser w/o a problem....
deltabwa
05-24-2005, 06:55 PM
That's usually what I do except when aol has something linked. Then if i don't feel like using aol I will click it just to get an address then copy & paste into outside browser. But was just seeing if there was a way I could stay inside aol and not use IE all together. thanks for all your help
Budfred
05-24-2005, 11:51 PM
Your log looks clean... Are you still being redirected to Google?? There is a new infection that will spoof a Google redirect, but apparently it isn't really Google...
If you want to use AOL's actual software, I think you are stuck with IE... There are some things you can do to make it safer though...
If you have backed up your Registry, you could try RegCleaner... Do you know how to do a Repair Install if something goes wrong??
If you are not having anymore problems, it would be good to go ahead with SP2 as well...
deltabwa
05-24-2005, 11:57 PM
No, not being directed to Google; when Spybot caught it I told it to never allow the change. Plus, I haven't used IE since (at least not outside of AOL) and only a couple times in AOL.
how do I make it safer?
I have backed it up and yes, I know how to do a repair install on the registry.
what about the windows firewall error? How do I fix that?
thank you all so much for your help.
classicsoftware
05-25-2005, 12:25 AM
Your log looks clean to me. Where we need to go from here is getting your protections up to speed.
1) Open Trend Micro and clear out the quarantine file.
2) Update the Virus Patterns
3) Scan for Virus infection
4) Go online to Trend Micro HouseCall and scan for virus infection.
After 3 & 4 are clean
5) Make a restore point
6) Use your reg cleaner
7) Install SP2
8) After installing SP2 run Windows update and apply ALL critical patches and updates.
9) You need to install a firewall. Lets try Kerio (http://www.kerio.com/kpf_download.html)
10) Download, install and Keep Updated SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html)
11) Install and use Firefox (http://www.mozilla.org/products/firefox/) as your default browser.
12) Do not install any software that comes from a pop-up
13) Read this (http://castlecops.com/postlite7736-.html) article on how you got infected in the first place.
Let us know how it goes.
deltabwa
05-25-2005, 03:35 AM
Thanks so much for your help. Will keep you posted. Now if I could only find a dvd decoder, thought there was one with XP but not mine.
deltabwa
05-25-2005, 11:59 AM
Also, is there a free reg cleaner that you recommend? Tweak and RegCleaner aren't finding leftover crap. I did DL a trial of WinASO Optimizer but that only allows 10 cleans. There were 616 to be repaired. I would rather not go to each individually and clean using Regedit. I'm not going to repair all of them anyway, just the ones that were part of the virus.
Fruss Tray Ted
05-25-2005, 01:08 PM
RegSeeker (http://www.hoverdesk.net/freeware.htm) is nice IMO. You don't have to install it at all. Just run the .exe from within the unzip box by double clicking on it.
Click on Clean the Registry, select all it finds and then delete selected items. Boom, Done!!!
deltabwa
05-25-2005, 03:14 PM
How about a list of files that the virus/trojans/whatevers create and embed in the registry so I can delete them? I have tried doing a Google search for a lot of them but can't really find anything on them.
Fruss Tray Ted
05-25-2005, 04:18 PM
What files in particular?
Isn't that what antivirus software and HJT are for? By finding viruses the files are deleted or moved to a 'vault', and when you fix things with HJT it removes them also.
deltabwa
05-25-2005, 05:30 PM
That's what I thought but there was a reference to "wp.exe" in the registry as well as a couple of the others that were on the list to delete. I've run CCleaner several times and it's never found them.
But.. lo and behold.. I can't tell you which files now since I installed SP2 (after all the virus scans) and now I can't get it to reboot outside of safe mode. I am currently on my hub's puter again and trying to find the solution to why it won't boot normal. I have tried uninstalling keyboard drivers. I KNOW that's not the problem, but I had to try it since it would freeze right after the keyboard light blinked. It is a keyboard I had trouble with before when I installed XP. It's an HP keyboard I got with the old puter. But I uninstalled the driver, changed keyboard and that didn't work; then I disabled all my startups (I know that's not the prob either); I've rebooted in "Diagnostic Mode" and that didn't work either. I also booted to log but can't figure out which driver is freezing it.
Budfred
05-25-2005, 09:52 PM
Try going into Add/Remove Programs and remove SP2 or use a Restore Point from before the update to set it back to before the update... if it still won't boot to Normal mode, we will need to try other things... Either way, you are going to need to do some more scanning.... :(
deltabwa
05-26-2005, 10:11 AM
OK, I've got a blasted mess. I am about 2 minutes away from reformatting this stupid thing. I went to the Microsoft website and followed the instructions on how to get it to boot and uninstall. Well, that just totally screwed it up more. When it tried to boot after I did their "repair" it gave me a blue screen error before it loaded saying "mpr.dll" was corrupt. I couldn't go anywhere. My only option at that point was to reinstall the software (without reformatting). So I did that; it restored back to original installation. I figured well shoot, then I will just do a restore from when I made a restore point the day before, or I would restore the registry from the backup I made BEFORE the SP2 install.
Well.. naturally... after I installed, apparently it wiped out my previous restore points. I did a test restore to see if I could find out what file it may be in and just not recognize it but lo and behold.. can't find it. Frustrated, I restored my registry. Still, I'm not a happy camper. I've got no sound, even though it is all listed there and says no conflicts. I had to "update my driver" on the modem to get it working so I tried that with my sound card and still.. nothing.
I'm sure you're gonna say I made things worse (DUH I know this lol) and that I shouldn't have done the reinstall of XP1 but, I really needed to try and get this at least running again. So here I am. AGAIN with problems.
It also seems that certain settings are not the same as before, for example start-up programs that I had disabled previously.
Is it easier to just wipe it? It seems like it is to me. Also my Media Player now says "internal error" and shuts down.
Dying a quick death over here.
Budfred
05-26-2005, 10:36 AM
Check and make sure you don't have 2 installs of WinXP... Often when people try to install over WinXP, it ends up creating a second install instead...
You can certainly wipe and start fresh if you don't have any important files to maintain... If you do, you can probably access and back them up first...
The fact that you had trouble with the SP2 install suggests that there is still hidden malware on the system, so we will need to find that if you don't wipe and start over...
You might want to try a Repair Install before going to a wipe...
http://www.michaelstevenstech.com/XPrepairinstall.htm
deltabwa
05-26-2005, 10:47 AM
I tried a repair install, that's what gave me that MPR error and stopped loading. Is the "restore point" lost? or just hidden in a file somewhere.
Microsoft says that apparently I didn't have all the updates loaded, tho I think that's crap, or that my BIOS needs and update, again crap but that is an option. The prob is that it's a custom built puter (not by me), and I can't figure out where to go to see if there are updated drivers. That is something I really don't like doing anyway (updating BIOS drivers) haven't had great exp. with that either in the past.
I am gonna hold out on reformatting cuz I don't have the desire to back everything up today. But can't hold out much longer lol
deltabwa
05-26-2005, 10:48 AM
and now I have to reinstall all the MS updates again don't I?
deltabwa
05-26-2005, 10:57 AM
Here's my MB..
http://www.jetway.com.tw/evisn/product/p-4/pm800bms/pm800bms.htm
I REALLY am nervous about updating it.
Fruss Tray Ted
05-26-2005, 10:59 AM
I agree. There comes a point to throw the towel in. It's been more than half a month! I think part of the problem is the 'boldly going where no-one has instructed me to go' and deleting needed system startup files etc. I just went back to page one and found that ground has been gained then lost, regained and relost again. Enough!
What is on this pc that you would like to save?
Music files, tax info, movies, pics etc? If you have a burner, begin copying them to a CD-R or DVD-R. Double check them, then reformat and reinstall the OS clean. If you don't have a burner and there's room on the older PC, you could slave one to the other by removing one hard drive from the PC and installing it into the other.
If that's what you want to do, give a holler if you need more help.
Favorites, emails: inbox, sent items, outbox,
Documents, program installers (.exe's)
This time partition your PC so you can recover more rapidly if anything like this ever happens again. How big is the hard drive? Making a backup of the OS partition would be a very good idea also when it is fresh and just the programs you want are installed.
deltabwa
05-26-2005, 11:18 AM
I'm not sure what system startup files I deleted that you are referring to but.....
It's a 120 gig HD.
I have a 2nd HD on this computer with Win 98 but I can't get it to be "master" with this HD. I can get it as slave but not master, and they are both marked as CS and I have also tried doing master/slave with both but I can't ever get the other HD to master. It sees it in BIOS but can't get it to see it in 98.
I guess I don't understand the partition thing. If you want to get "fruss tray ted" (apparently you've earned your name with me) with me some more, then you could explain it.
thanks
Fruss Tray Ted
05-26-2005, 11:43 AM
Maybe I was thinking about the 'other' Smitfraud thread about startup files. So disregard that.
If the second hard drive is set to slave and you can see it in WinXP, go into BIOS and set the boot order to Floppy, CD-ROM, HDD1. Reboot. You should now be booting into Windows 98 and you will be able to retrieve or burn files from there AS LONG AS XP is not on an NTFS partition.
deltabwa
05-26-2005, 01:01 PM
It is NTFS. Is that why 98 wouldn't view it?
This HD is working, just can't get my sound card to work.
Bud gave me a link to check out and I did. It also had a link on how to use Autostreamer to slipstream Win XP Service Pack 2.
Is this something I should/could do? If I understood it correctly then it is saying I can take my original XP1 disk and combine it and SP2 into 1 so when/if I do a fresh install I now have XP SP2 on 1 disk and do it all at once? Is that correct and is that what I do?
I again am nervous about doing that in fear of the same thing happening again. and do I upgrade my BIOS?
I do have a dvd writer but with XP, everything (files) is so spread out anymore I can't find everything. Used to be you knew where everything was. such as AOL, the mail files and all the setting have now moved to another location and having to find everything is really frustrating. in 98, all their files were under their folder.
Fruss Tray Ted
05-26-2005, 01:48 PM
Getting sound to work in 98 can sometimes be tricky. With my nVidia ASUS board, I needed to use the motherboard disk but needed to 'Explore' it, find and run the .exe for 98SE drivers and NOT the autoinstaller on the disk or the pc would freeze every time.
Upgrade BIOS ONLY if experiencing problems. The- If it ain't broke theory, applies to that one.
When I install XP, I just install SP2 afterwards. If you have SP1 as a separate disk from the OS itself, I don't believe you even need it anymore. Just install XP, then SP2 and then update at the MS site. I haven't tried slipstreaming as it is more for if you will be making a regular habit of installing and not that necessary if you only want to install once or every year or less often.
Yes. I agree that files and folders are much more difficult to keep track of in XP. I D/Led something the other day, unzipped it and then couldn't find where it went :eek: Unzipped again but to a folder I knew where it was. The unzipped files are still there somewhere...
Well, you either need to continue with the fix or prepare for a reinstall. With 120 gigs and a 98 HDD as a dual boot, I'd partition, format in Fat32 so 98 can see the files and install XP on something around 15-20 gigs. It would be easier to reinstall if all the data is kept on other partitions in and for the future.
deltabwa
05-26-2005, 02:01 PM
How much harder/longer is the fix? Neither of us have the time or energy anymore for much more of this. I'm sorry I'm taking so much time, just not sure when I am supposed to install SP2. My disk is XP w/SP1. It's SP2 that's on a separate disc.
Bud mentioned I may still have the bug? If that's true, I'm gonna go with a fresh install. If not and it's only a couple more steps, I would like to try to fix this mess. If it's gonna be long and drawn out then forget it.
Part of the prob is that I know you all have lives outside of this forum and can't spend every minute of every day fixing everyone else's problems, but everyone else with the problem is kinda stuck. I am one of the lucky ones that have a 2nd computer to work on but sometimes I need my own, plus my hub is sick of me being on his.
I agree with you on the MB issue but MS says differently, but we all know how reliable they are...
Fruss Tray Ted
05-26-2005, 02:21 PM
To me, the current condition of the os would have driven me to reinstall already,, no doubt about it.
How big is that 98 drive and could you format that first and put XP on it so you can see the NTFS files, then retrieve all you need and put it onto the smaller drive? Then you could do whatever want to the 120 gig HDD.
It's time to stop talking about it. Decide. Tell us what you want to do and then begin.
Do you know the definition of procrastination?
>
>
>
>
It's the beginning to start to get ready to commence. We are there now. :rolleyes: ;) :D
deltabwa
05-26-2005, 02:33 PM
the 98 HDD is only 10gig and I don't want to reformat that one for sure! You didn't tell me how long it would take to fix the current one. As I said, if its only a couple steps then I want to fix, if its gonna take awhile then i'll reinstall.
Fruss Tray Ted
05-26-2005, 03:27 PM
Up to ~4 hours? But you can do other things as it works on its own for the most part. You just need to do a few commands here and there, then leave it to itself again until prompted.
The fastest thing to do, as Budfred said, is to check to make sure you do not have two installs of XP on your drive. Look to see if there are 2 Windows folders. If there are, it would probably mean the repair ended up as an install over another. If there is only one Windows folder, you are probably ok.
IF only one folder is found, do another repair install. See MSKB article here (http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp) and follow it to the letter using Method 2. Make sure that when you get to the first set of choices of installing xp and repairing xp, choose install. You will be asked again if you want to repair and to press 'R' for repair. That is the best one and the one we want.
You'll need to update again as it mentions, and other drivers may be needed to be reloaded also. But most, if not all of your documents will be saved.
__________________
Partitioning and clean install is better but much more involved. If the above still doesn't get us anywhere, I suppose this will be the route to go.
Good luck this time :cool:
deltabwa
05-26-2005, 04:22 PM
OK, will do that again. That's what I did yesterday when I got that MPR.dll error and then reinstalled. But I will do that again.
Thank you
Budfred
05-26-2005, 10:29 PM
To find if you have any malware left we would need to have a working install of Windows... I am so lost in all the different things that are going on and the abbreviations that I don't recognize, I can't even tell if you have a working copy of WinXP at this point... If you want to try to find any malware that is there, I can try to sort this out and give you some ideas, but I am lost at this point...
deltabwa
05-27-2005, 10:26 AM
Thanks Bud, but.. after doing the reinstall and after all the frustration, I have other problems now. My modem won't work; I try to uninstall it and I get a blue screen with an IRQL_NOT_LESS_OR_EQUAL, telling me it's dumping; my sound doesn't work even though I've installed it several times; it's a blasted mess. I'm gonna wipe it. I do want to try and see if I can use the AutoStreamer, the link you gave me yesterday, and see if that will work so I don't have to go thru all this again with SP2 install, but they refer to making an "image file". Is that the same as a "copy", not data but a true copy? As though you would be making a backup of a useable CD?
That's my dilemma now. I'm looking for that answer and then I will let you know how it goes. I just hate wiping it because it seems like we all went thru all that crap for nothing. But I guess that happens sometimes.
Thanks
Fruss Tray Ted
05-27-2005, 12:04 PM
Is this onboard modem? Please give us info on your system. Mobo model and added cards if any.
I would try to uninstall the modem in Safe Mode to see if the errors persist. It's starting to look like hardware problems have developed. There may be ghost drivers and similar and booting to Safe Mode should reveal those. Removing all instances of modem and rebooting should help.
Making an image cd is going to be in an iso format and should be a choice in your burning program but may not be installed depending on program and version. It is not as easy as making a copy. On this pc I am on at the moment, I do not have iso image capability due to Roxio EZCD Creator 5 basic version is all I have installed at the moment.
deltabwa
05-27-2005, 12:30 PM
Well, that idea of creating the cd didn't work. The program stopped responding 3 times before it completed. It did create a ISO file, but i'm not sure if it is complete so.. ughh
im running a..
Jetway PM800BMS
Intel 4 540 3.2G
1024 ddr-400 ram
Sony 16X DVD-R/+RW DVD Burner Drive
56k pci rockwell modem
160 g HD not 120 like I said yesterday... (i read somewhere that these big HD could cause problems partitioning?) ,
Integrate S3 Graphics UniChrome Pro
CMedia CMI9739A 6 Channel, AC97 audio codec
VIA VT6103L 10/100 Fast Ethernet controller (disabled)
I'm gonna assume you mean removing the modem in safe mode and rebooting...
Fruss Tray Ted
05-27-2005, 01:00 PM
Don't physically remove the modem yet. In Safe mode, remove all traces of modem in Device Manager. Reboot. Try to reinstall when the wizard discovers new hardware. If no hardware is discovered, go into BIOS and force ESCD by setting it to manual. Reboot, see if it is discovered this time. If not power down and toss the modem into a circular file... ;)
deltabwa
05-27-2005, 01:28 PM
A circular fire that includes the entire computer :-) Will let ya know..
you are a brave soul to keep this thing going :-)
will clone dvd or dvdxcopy work to make a cd? that's what i had to use to make a copy of XP SP1 when the disc was bad.
deltabwa
05-27-2005, 02:10 PM
OK well.. I uninstalled and rebooted.. nothing. Went into BIOS and saw that it was ALREADY set to manual.. (not sure why that was, I thought defaults were auto, and THAT I hadn't messed with I swear :-)) Anyway... booted, it works fine. There is still no audio device listed under Sound and Audio Devices but all software and hardware are installed. I did try to uninstall the sound card while I was uninstalling the modem (in safe mode) but it froze on me in the middle of it.
since i'm online on this computer i haven't been able to test an internet connection on it but it was able to communicate with it so thats a good sign anyway, and I started a connection and it didn't give me an error so that is another good sign..
Fruss Tray Ted
05-27-2005, 03:10 PM
A 160 gig harddrive and you've done a repair install may have created some problem. --- Go to My computer and see if the size is right. Please reply either way.
Are your sound drivers on a cd? You could download them from the site you posted on page 3 if you need to download them. You'll need to go into safe mode again and try to remove the drivers for sound once more. Do it in Add/Remove programs if listed there, then check DM to see if they are gone.
Reboot. What do you have for sound drivers? On motherboard cd? Put cd in pc and close the autoinstaller then right click on the cd-rom where the driver disk is and explore until you find the audio installer. Right click on that and post back the size in megabytes. There's 3 online for that board and the newest one is 22 to 24 megs. You may want to download that on your other machine when you can leave it on for awhile like at night. Dial-up.. :rolleyes: There should be a law against it! :D
you could still use your original drivers, IF we can get it to stick.
deltabwa
05-27-2005, 03:28 PM
yeah it's right, 160 gig.
yes drivers are on MB cd, dont see under add/remove..
The folder ALCCODEC - Realtec AC97 is 50 MB, and I am having a real hard time trying to differentiate between which ones are needed so I can't really say a date.
Fruss Tray Ted
05-27-2005, 04:57 PM
Is AC97 in Device Manager? Does the driver cd autoplay when inserted to the drive and if so, is there an audio driver install choice as opposed to display etc? If yes to all 3:
Go to DM, uninstall AC97 drivers. Reboot and cancel the wizard if it comes up. Finish booting and put the cd in tray, try installing sound. If it doesn't work, we'll try another of about 2 more ways.
John0904
05-27-2005, 06:52 PM
Nothing to add really, but just wanted to make a comment.
Almost three weeks in, I would have formatted within the first week. :p
This thread does prove a point though.
The consequence of not having updated anti-virus and firewall programs! :D
deltabwa
05-30-2005, 09:43 AM
now, I have done what you told me to do on my own, a couple times ted, but never made a difference. However, when I tried to cancel the wizard this time, I couldn't but I went ahead and reinstalled and I now have sound :-) :-) :-)
thank you, yet again.
I have to reactivate XP again, gonna try and find those 2 wpa (?) files and see if that will work, otherwise, gotta do it again. Last time I tried to do over the phone I couldn't I just got a recording.
I'm pretty nervous about installing SP2 again. Don't wanna go through this crap again.
Budfred
05-30-2005, 03:23 PM
If it was malware that messed up your SP2 update last time and that malware is still on the system, it will mess it up again...
deltabwa
05-31-2005, 10:53 AM
What do I need to do to recheck it? What do you want? I haven't been able to be on here much the last couple days but this morning I'm updating all my programs so I can give ya a fresh whatever you want...
Fruss Tray Ted
05-31-2005, 11:45 AM
Update and rerun your antivirus and one or two online scans.
Rerun Spybot, AdAware and mWave. Do another online trojan scan. Use any and all tools you have at your disposal.
If all comes out clean, post a new HJT log and one from mWave. Then wait for the go-ahead from BudFred.
deltabwa
05-31-2005, 01:16 PM
okey doke, will do, thanks
deltabwa
06-01-2005, 01:04 AM
MWavScan..
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 10:03:16 PM, on 5/31/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWSA\System32\smss.exe
C:\WINDOWSA\system32\winlogon.exe
C:\WINDOWSA\system32\services.exe
C:\WINDOWSA\system32\lsass.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\system32\svchost.exe
C:\WINDOWSA\System32\svchost.exe
C:\WINDOWSA\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWSA\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWSA\wanmpsvc.exe
C:\WINDOWSA\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWSA\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Trend Micro\Internet Security\PCCLIENT.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWSA\System32\wpabaln.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\WINDOWSA\System32\wuauclt.exe
C:\Program Files\HiJackThis\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O2 - BHO: Popup Manager - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_7_0.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWSA\System32\msdxm.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [PCCLIENT.EXE] "C:\Program Files\Trend Micro\Internet Security\PCCLIENT.EXE"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {ABE5CF13-E6D5-403F-9BBA-109DA4940727} - (no file) (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsecurity.com/trojanscan/axscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{701AF9BB-C95E-4FBA-964E-485C835B26F8}: NameServer = 205.188.146.145
O17 - HKLM\System\CCS\Services\Tcpip\..\{9FD6050A-60C6-4918-9761-BE5D1A8307A2}: NameServer = 137.118.212.5 137.118.1.33
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWSA\wanmpsvc.exe
The only scans I ran, Ad-Aware, AboutBuster, CWShredder and Spybot, all came out clean..
Budfred
06-01-2005, 08:42 AM
And your log looks clean...
Run this and if it comes back clean, you should be good to go...
http://www.f-secure.com/blacklight/
deltabwa
06-01-2005, 10:12 AM
what about those 2 that MWavScan found?
Budfred
06-01-2005, 10:16 AM
Those apparently represent leftover fragments in the Registry and will need to be manually removed or cleaned out with a Registry cleaner... However, they are not likely to cause any problems because they have been disarmed...
deltabwa
06-01-2005, 10:18 AM
also, and i prob have to move this to another forum but I hope its a 1 answer question. I now a windows update that keeps failing and "VIA Rhine II Fast Ethernet Adapter". How d I get it to redownload? It asks every other minute, I saw yes then it immediately asks to install, I say yes, then it fails.
Also, I'm pretty dang nervous about this again but... I am now getting the SP2 download under my updates, according to MS, that is when I can install it but.. I don't know.. I'm awful nervous about doing it. Do I try to install SP2 again now?
deltabwa
06-01-2005, 10:19 AM
The new scan with that program said it was clean.
thank you guys SOOO much!!
Budfred
06-01-2005, 10:24 AM
You might want to download the free standing copy of SP2 and save it to a CD so that you have it if something goes wrong this time.... That way you also don't have to worry about how well your internet connection is working during the update as well...
I am not sure what is going on with that other update you referenced...
Fruss Tray Ted
06-01-2005, 11:28 AM
Didn't you say you have SP-2 on a disk from MS already?
I now a windows update that keeps failing and "VIA Rhine II Fast Ethernet Adapter". How d I get it to redownload?
I now a?? Huh? Please repeat that in another language?!?! ;)
Go into Device Manager and report what is said about the network adaptors.
Driverguide.com has the drivers (http://list.driverguide.com/list/company368/) for that adaptor if you need them.
Regseeker (http://www.snapfiles.com/get/regseeker.html) will get rid of those dead registry entries very quickly, painlessly and the best part, for free. :)
I wouldn't install SP-2 until all issues are resolved unless prompted that the installation of SP-2 is the cure. With 2 of my mobos upon trying to install USB2 drivers, I was prompted to install SP2 and it would resolve the issue. That's the only issue I would allow to go on prior to installing it.
deltabwa
06-01-2005, 11:35 AM
yeah I was just reading that myself trying to figure out what the heck I was trying to say lol
I do have it on cd, will that adapter be on the cd? I uninstalled it and thought that maybe it would prompt for a new download after reinstalling but it never did.
and it was I now HAVE a windows update :-)
there were 2 listed, both disabled. 1 I uninstalled again and the other is listed as unknown, but I can't uninstall it.
I was asking about SP2 cuz (except for this new update error, I thought all issues were resolved) but.. apparently I don't know much :-)
deltabwa
06-01-2005, 11:40 AM
I have regseeker and it seems to have a whole lot of entries .. 619 to be exact.. I don't wanna blindly say.. fix all.. but it's gonna take forever to go through each one. Which files should I be looking for?
A lot of those 619 include "spuninst", are they safe to delete? I figure they are from the previous updates before this last disaster.
deltabwa
06-01-2005, 11:51 AM
also, what about this file "javasj.exe" I can't find anything about it and it shows up in all the registry programs as trash and I recall earlier during all this, I got an error about not being able to find it and crdp.exe. Both are still listed in registry
Fruss Tray Ted
06-01-2005, 11:54 AM
Those are all dead registry entries. I always choose fix all. "spuninst" by the letters looks like an uninstaller that is orphaned because the program is already gone. If you are nervous of Regseeker, let it keep a backup but pay attention to where it will be stored. If no problems arise after removing the registry entries, after some time go delete the backups.
What are the 2 updates that while on the MS updates site, will not install?
deltabwa
06-01-2005, 11:59 AM
I didn't mean 2, I meant 1.. let me start over with that to remove the confusion.
There is 1 update, the VIA Rhine II Adapter, I have uninstalled it, in Device Manager but haven't rebooted yet. When I click download, it immediately comes back with "updates are ready". When I click "install", it tries to install but fails. Then within 10 seconds comes back with updates are ready to download.
My question was how do I get it to actually re-download it. Or do I just tell it to not remind me again
Fruss Tray Ted
06-01-2005, 01:33 PM
I think the terminology is what is throwing me off. When you say 'updates' and you are in Device Manager? I thought you were at the Windows Update site on the internet.
Get the drivers from my other post at Driverguide.com. If you need to log in it's: Driver2 and the password is all. Once there are no more yellow bordered exclamation points in DM, install SP-2 with fingers crossed.
Don't be alarmed if it seems to pause a bit, it does that anyway and it also takes a long time to complete. Let it run, it may take ~a half hour or so to complete.
deltabwa
06-01-2005, 04:11 PM
and if it won't reboot again? That's what happened the last time. ughh that's scary.
when I say updates I am referring to the automatic updates.
You asked about what was listed under network adapters. There are 2 network adapters listed. Both are disabled. One of the 2 is listed as unknown device.
I will get the drivers but will that take care of MS's auto update install?
I have cleaned out the registry and now have a problem with Control panel. I get an error whenever it opens, "App Name : Explorer.exe .... ModName: Ntdll.dll"
deltabwa
06-01-2005, 04:36 PM
FYI, I just ran MWScan again, and this is AFTER cleaning the registry, it gave me those same spyware/adware info again
Fruss Tray Ted
06-01-2005, 05:08 PM
The file belongs in, so put it there: C:\windows\system32\ntdll.dll and you can download it from here (http://www.dll-files.com/dllindex/dll-files.shtml?ntdll).
and if it wont reboot again
Then I would consider it time to cash in your chips and do a complete reinstall. AAMOF if you can do a backup of your files, address book, emails etc, prior to trying SP2, I'd probably sleep easier knowing that. :cool: The fact that you are getting errors from deleting unused files tells me there is something still wrong, missed or one of the mysteries of the universe and one of those things best left unexplored... :rolleyes: Not being able to install updates at MS also worries me. As do the remaining files found with mwave after cleaning the registry.
At least now your pc is functional and it is possible to prepare for a full reinstall. If someone comes in and talks you out of it, I will relinquish the reins and let them waste more of your time. I won't. There should be a time limit to fixing malwares and virii. Pass that time limit, cash in the chips and wipe the slate clean. It's been 23 days. Let's try to keep it under a month. Personally, 5 days is max in my book, give or take on how busy I am with other things.
With a full install, you'll gain the opportunity to create partitions and begin building a more recoverable system should this dilemma ever resurface its ugly head... VERY many of us at this forum do just that, me included.
My towel is in the ring.
See if your burner works.
deltabwa
06-01-2005, 05:37 PM
:-) totally agreed. I have already decided that if this install gives me probs then I'm wiping.
Thank you for all of your time and expertise, it is functional, and for now, I am gonna leave it be, I think :-) but either way.. more probs and this is history. I just hate feeling like I wasted everyones time by wiping it. But.. the time comes for everything.
thank you thank you thank you again
Fruss Tray Ted
06-01-2005, 06:03 PM
SP2 is a critical security update for XP. If you plan to use the pc online, I heavily suggest you take the time to back up your files over time (a week or so), keeping this thread alive and do a clean install soon or you'll only be leaving some back door open to predators and the mess will start all over again.
Budfred
06-01-2005, 08:30 PM
If you are likely to wipe it anyway, I suggest that you back it up, install SP2 and see if it holds... If it does, you may be able to avoid the wipe... If it doesn't, you just proceed with the wipe...
deltabwa
06-02-2005, 05:09 AM
ok guys, thanks again. I will try to take some time over the weekend to totally back everything up and install.
deltabwa
06-04-2005, 01:50 AM
Hello again... did ya miss all my hassles? :-)
Well, after several more errors yesterday, I called it quits. I wiped the drive. I was able to streamline my original XP SP1 CD with the SP2 update I have. So, I installed both at the same time. Worked great.
Haven't been online much, been busy, immediately installed the firewall, all the virus programs, spybot, adaware, etc.. and spent 14 hours downloading updates and upgrades and all that crap.
This morning I ran all the programs, and came up with a dang virus again! Now, I think I went to 3-4 websites yesterday. This was one of them, another was ebay, IRS website and I can't recall the 4th but it wasn't a new one or questionable site. The firewall is blocking all ads on the pages so I'm not sure what the deal is.
CWShredder said I had "CWS.MSCONFIG" that it deleted, all the others said I was clean, MWavScan said I had the same one again, or still I don't know... I deleted my huge partition, created one at about 100gig and the other at 50 some gig, I do, and did, question the "quick format" option of reformatting. Not sure what the difference is between quick and regular. I, for the first time ever, decided to pick the quick format. I now wonder if that was the problem, but I thought either format would wipe everything from the drive especially since it was being repartitioned. But.. what do I know.
this is the error from MWavScan
Object "cws.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
again, it's the same one as before.
I ran HJT tonite.. here is this log. What is this #17? how the heck did this happen AGAIN?!!! ALREADY!!
Logfile of HijackThis v1.99.1
Scan saved at 10:32:53 PM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Canon\BJCard\Bjmcmng.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Windows Media Player\wmplayer.exe
D:\Program Files\Pogo Games\Great Escapes Solitaire Collection\solitaire.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSPS~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\FreshDevices\FreshDownload\fd.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: PopupManager Class - {08E74C67-99A6-45C7-94DA-A397A8FD8082} - C:\Program Files\Popup Manager\PopupMgr_1.0.2.1P.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - D:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://D:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{C0682851-2C09-4578-BAF1-46E88593EADE}: NameServer = 137.118.212.5 137.118.1.33
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Canon BJ Memory Card Manager (Bjmcmng) - CANON INC. - C:\Program Files\Canon\BJCard\Bjmcmng.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
Is it time to give up the computers all together? I am beginning to think they are NOT my friends!
deltabwa
06-04-2005, 01:55 AM
oh yeah...
AOL did a scan and they found one and deleted it.
Also, I am AGAIN having a problem installing that same automatic update MS tells me I need. It installs one but then tells me there is another to install and THAT's the one that fails every time.
and I bet I'm gonna have a problem when I call MS to activate this again. I'm gonna try doing it online but I bet I have probs because I streamlined it.
Budfred
06-04-2005, 02:15 AM
The O17 is Neonova Network Services and is probably fine... It is usually your ISP or something that leases internet connectivity to other companies... In this case, it is not one of the common malware sites and does seem to be your ISP...
Your log looks clean... I don't know what you did to get other infections or even if you were really infected since you could be getting false positives... It would have been a good idea to do the full reformat and I would have probably used a program that did a "zero-fill" to really be sure it was clean... I would also turn off the computer and let it sit for a bit to make sure there was nothing lurking in RAM memory...
Fruss Tray Ted
06-04-2005, 09:12 AM
How, and on what pc did you make the slipstreamed cd? It is possible that the virus or malwares were burned to the cd.
deltabwa
06-04-2005, 08:55 PM
I only burned it because you told me it all looked clean. I did it on here and used.. ohh... the site that bud gave me a page back, the one that I first asked about it.
what's a zero-fill?
the computer had been off all night.
so even though it partitioned it it still could not be clean? that just doesn't make sense.
Budfred
06-04-2005, 09:06 PM
If you repartitioned it and there was a hidden partition that you did not address, it could have reinfected from there.... It can also reinfect from RAM, but only with a warm reboot... If the infection was able to get on to the SP2 CD, it could also have moved along that way... I am not sure how this would have happened, but these things are extremely ingenious and sneaky in how they work... All of that said, you have been online and installing a number of things since you reformatted and reinstalled, so there are a couple of dozen different ways you could have been infected...
A "zero-fill" is an inaccurate name for a technique to destroy the data on a hard drive... While it is not 100% effective, it can be pretty good... It involves writing random data to the drive... The Dept of Defense in the USA apparently considers 7 zero-fills to be enough to consider the drive wiped... Even then, someone with enough money and resources could probably recover at least some of the data...
Fruss Tray Ted
06-04-2005, 10:20 PM
so even though it partitioned it it still could not be clean? that just doesn't make sense.
Partitioning is similar to walls in your house. The belongings are still there even though you have rearranged the rooms. Also formatting only destroys the link to the stored info on the drive so the 'rooms' remain full.
If AOL and the others found and got rid of the viruses, you may be ok. To check the integrity of the slipstream disk, leave it in a drive and go to where you did the online scan and point it to the drive and test that.
To zero your drive would mean to start over again. I don't know if you want to or not. To zero fill, the best way is to download the utilities from the manufacturer of your harddrives and use that. I'd wait a bit, see how you do.
deltabwa
06-04-2005, 10:37 PM
man o man.. lol what happened to the days where you wiped and you were clean again?!!
Will test it and let ya know.
deltabwa
06-04-2005, 10:46 PM
well, can't find the option on aol for what drives to test, and they recommend downloading adaware and spybot..mwavscan does floppies but I don't see where I can choose CD... About Buster doesn't let me choose, and neither does CWShredder. Any suggestions?
Fruss Tray Ted
06-05-2005, 12:18 AM
I guess the only thing you can do to test the cd then, is to use your A/V or one online like Housecall. I'm not sure of any of the Trojan hunters or others that can scan an optical drive.
Can you tell us the exact update that won't install to your pc? And in the future, when you get a virus that AOL or whomever says you have, make a note of it so you can post that as well.
You made 2 partitions. Which one is the primary drive?
Many of us use a primary drive trimmed down in size but opinions vary to just how small is desirable, it depends on how and what you do with your pc. For XP, if you don't want to relocate Program Files and My Documents, 10 gigs would be a minimum and 40 gig would be close to overkill. Using a 50 or 100 gig as a primary is not going to be an easy wipe and reinstall come that day (You know it will again.. :rolleyes: ).
The larger drives are more for file storage such as games, dvd's/movies, program .exe's etc. Keeping the primary drive smaller also speeds up your system. Some notice it easily, others don't but I KNOW I can tell easily!
When I do a clean install, I already have the newest version of almost all the softwares I will want to install, waiting on a partition (or cd) in the form of .exe's or Zip files waiting. I install my os first and load the motherboard drivers with that. SP-2 goes on second. Firefox third. Then firewall, A/V, Spybot, AdAware, SpywareGuard and SpywareBlaster to complete the programs at first. I have all these on cd but I can also install from the harddrive if they are stored locally.
Then, and only then, do I connect a cable and go online. And this is d-i-r-e-c-t-l-y to my A/V site to get the most recent definitions. Reboot if necessary, most times I do anyway. Then I update all the other programs and head off to Windows Update after that.
These days, any other method other than a better one, leaves you vulnerable as soon as you connect to the net. Going to any other site prior to donning 'full body armor' is not a good idea. Drive-by's are even possible when the site itself may have been innocent.
I'm running out of steam so I'll stop for now, ;) Hope some of this helps for the dreaded, inevitable... :eek:
PS
I thought I might have had time to mention this stuff prior or during your most recent reinstall. Shoulda made the speech a little sooner, sorry...
deltabwa
06-06-2005, 01:49 PM
ok, going back a couple posts here to answer/talk about a couple things...
as far as the partitioning goes.. I deleted the original partition, there was 8 gig that was not partitioned to start with, I tried to delete that partition as well but it would not let me, something about windows something or other having to use that.. I got the impression it was referring to setup. don't remember exactly but it seems I may get the opportunity to review it again soon huh..
I thought formatting the HD was like remodeling the house. lol
I made 2 partitions as I said, the 97.6g is the main partition. the 51.3 (?? don't ask me where these numbers came from, I made them whole/even numbers). Course my 2nd HD is 37.2 so I imagine that IS a windows thing.
I was able to find the log from AOL and it found: "Spyware name: cydoor"
I did HouseCall and it didn't find anything wrong on the disk or the C drive, but it found it clean before.. so I don't know.
also, part of the reason I have such a hard time with reformatting is because I have 2 pogo games on here that, once bought, you have 5 times to "reactivate". Every time I reinstall, I have to "reactivate". I'm down to 2 times left. Seems pretty stupid but... there it is
The 2nd HD I have IS essentially where I store all my programs and such. I didn't realize the smaller drive/speed thing so next time will definitely do that. When I was deciding sizes, I just recall reading about XP having probs with HD's over 120 so I went with 100. Nice round even #.
How do I download the updates for all the programs, adaware, trend, shredder, etc., to save them to a file instead of DL'ing them on their own, or where do I find them? I tried doing that with AVG's million meg update but couldn't.
Don't worry about the "little too late" thing, how were you to know I would continue to get error messages. I have still gotten another today, I don't know what else to do.
This is the update error
<There is 1 update, the VIA Rhine II Adapter, I have uninstalled it, in Device Manager but haven't rebooted yet. When I click download, it immediately comes back with "updates are ready". When I click "install", it tries to install but fails. Then within 10 seconds comes back with updates are ready to download.>
deltabwa
06-06-2005, 02:43 PM
ok, just ran "Bitdefender" . Gave me 2 errors,..
C:\AOL Instant Messenger\AIM.exe=>wise0090=>wise0008: infected with Adware.Wheaterbug.A
C:\RECYCLER\S-1-5-21-854245398-343818398-725345543-1003\Dc14.lnk=>C:\AOL Instant Messenger\AIM.exe=>wise0090=>wise0008: infected with Adware.Wheaterbug.A
Now, is this accurate?
Fruss Tray Ted
06-06-2005, 03:14 PM
According to this Google search (http://www.google.com/search?hl=en&q=VIA+Rhine+II+Adapter&btnG=Google+Search), that onboard Rhine adaptor seems to be problematic and a few posters are just sick of it and went out and bought new pci nics cards.
Why MS is the only place the drivers are available is confusing me. How is something while operating, supposed to be able to update itself? If it were a standalone download that you install after getting off the internet, I could understand it. Or maybe the fact that you are on dial-up and not utilizing the nics card is part of the problem also. Either way, you are currently not using it so I would not worry about it.
You may be able to go in BIOS and disable the ethernet adaptor and hopefully it will result in no more reminders to update it.
______________
On the reinstall issues, I am on broadband and it is no trouble for me to download the latest versions of all my needed softwares. If you downloaded AVG a month ago, it will be smaller because it does not have all the definitions available since then, which a fresh download would. Then, when you go to download updates, the file is much smaller.
Please explain how you reinstalled step by step or point us to the exact instructions you followed to the letter. The 8 gigs not accessible for format has me confused. If you formatted after booting to Windows, that's not the way we wanted for you to do it. You want to boot from the XP cd and choose the install route. Then repartitioning and formatting from there which would effectively wipe out most virii and malware, although a zero fill is more guaranteed to gitterdun! ;)
_________________
Is there any chance you are going to broadband in the near future? That sucks about Pogo. Is there a login number or something you can reload and not have to set up their program each time? Do you install as you download it or is there a way to download to your harddrive to install offline?
Edit:
I missed your latest post.
Please explain your reinstall method prior to our finding out how else you could have gotten reinfected so soon.
deltabwa
06-06-2005, 04:24 PM
ok.. where we begin...
ok on the adaptor. I have had it disabled to get rid of that annoying reminder on the taskbar. I had finally after reinstalling, told it to not remind me of the update again so it hadn't been annoying either. But, I also just went and told it to offer all updates previously hidden and it is not highlighted, meaning, I can't do that, which says to me there are no other updates. Confusing to me since I definitely remember seeing "installation failed". But s'ok, at least it's not an issue anymore.
I can reinstall the newest downloads but it doesn't offer me a "save" location when it does download, if you understand what I am trying to say. It just downloads, I don't know where it "stores" it on my HD to copy onto cd for after the reinstall. So, when I reinstall the zip file that I downloaded, AVG for example, the software is not updated. Where do they store all the updates? Does that make sense to you?
ok, the reinstall.. I put the newly created, streamlined XP SP2 cd in the drive and shut down, went to bed, the next morning, after being shut down all night (only important due to Bud's thought on virus in the ram) I turned it on. When boot from Cd came up, I hit a button and then "installed fresh copy of XP". don't recall exactly since I'm not looking at it but I believe there's an option to click a partition to use. At that point I hit delete partition, there were 2 listed, the 8g and the 152 g. I deleted the 152 g., tried to delete the 8g and it said it couldn't. I then had just the 8 there that I couldn't do anything with. (it wouldn't let me)... (I tried to look at it and the 50 g. after the reinstall and couldn't see the 8, and the 50 wasn't formatted). Then I created a new partition, the 100g, and then the 50. Installed the cd on the 100 and left it. Came back later and was up and running.
I then installed the zips of AVG, Trend Micro, Spybot, Adaware, Kerio, About Buster, CDShredder, Spyware blaster... think that's all of them, and not necessarily in that order.
I went to each site and downloaded the updates, tho, AVG and Trend took several hours to do and not all at once, went to MS and did updates, did all immediates, ones such as windows installer and media player and outlook (I don't use outlook) , but those kind I did later. Before I went to any sites I did update spybot, adaware, spywareblaster. After that I thought I was pretty safe to go to those other sites, here, ebay, irs and I can't remember the other now.
I did adjust my startup programs under "msconfig". When I got that virus error under Shredder, at first I questioned whether that was related but later decided it wasn't. Just thought it was coincidental that I had been in msconfig and now it gives me that virus.
For the record, I always adjust my startup, the only things I "unclick" are the aol startup crap programs, realplay, quicktime, and a printer program. All the virus and normal startups are there.
You would THINK that there HAS to be a number somewhere in either the registry or a log file somewhere for POGO, but I thought maybe I had found it in the registry a time or 2 ago but I have gone back looking for it and couldn't find it so I don't know how they do it. the program is downloaded and loaded and installed on my other HD. I do have a zip for it also. When I click the program to play after a fresh install, it tells me it has to be registered. Even without quote-unquote reinstalling it. I then have to go online, through the program, not a browser, put in my "activation code" that they give you upon purchase, and they do something and then it's good to go. I have no clue what happens or how, I have checked the log it produces but don't see anything in it that would tell me anything.
Did I answer all?
deltabwa
06-07-2005, 12:50 AM
ok, I just realized, I probably need to redownload MWavScan to get any updates since I've spent the last couple days trying to figure out how to download updates.. so.. I updated. It now says I have 3. Here they are.
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
I don't know what to do here... What haven't I done and what is left? You can no longer say wipe it, I've done that too.
Fruss Tray Ted
06-07-2005, 01:37 PM
Please explain how you reinstalled step by step or point us to the exact instructions you followed to the letter
I am still unsure if you installed properly or not. You have not given a detailed explanation of how you did the procedure.
There is no way any malware can survive a clean install if done correctly. Your backup files may contain them or your surfing habits may also cause them to reappear as well. But the clean install will not if done with a clean disk. I would do it again but not using the streamlined disk you made.
You take too many steps between posts and it is very difficult to weed through and figure out just where you erred. You've mentioned Pogo, Realplayer, Quicktime and AOL. I use none of these programs and other than Real and QTime, I wonder if either of the other 2 could be the culprit.
Realplayer and Quicktime have alternative softwares to use: Real Alternative (http://www.google.com/search?hl=en&q=Real+alternative&btnG=Google+Search) Quicktime Alternative (http://www.google.com/search?hl=en&q=Quicktime+alternative&btnG=Google+Search)
deltabwa
06-07-2005, 04:15 PM
I'm not sure what I didn't say. I started the install from a cold start. I did NOT boot to the hard drive first. When the computer started up it asked to boot from CD, I said yes; I have the settings to read floppy, CD, then HD. When the screen came up for "repair or new install", I clicked new install. When the screen for which partition to install it on came up, I deleted all the current partitions and then created 2 new partitions. I then formatted the 100g partition using the NTFS quick method. Then I let it install. I don't think I am missing any steps and I thought I detailed enough but I guess not. What else is it that I didn't explain?
If AOL was the culprit, would it have found a virus itself?
I'm not sure what steps I am taking between posts except to update virus programs. That's all I've done I think.
Fruss Tray Ted
06-08-2005, 09:49 AM
Duh! My bad on the AOL thing.
This post (http://www.pcguide.com/vb/showpost.php?p=233237&postcount=111) mentions going to sites other than A/V and other security related ones. And it appears you were using IE? :rolleyes:
Question: Does your isp have any protections with their package or are they one of the 'cheapy' ones that don't? Mine catches emails that are infected before ever reaching me and surfing is somewhat protected too.
In this one (http://www.pcguide.com/vb/showpost.php?p=233476&postcount=121) you mention another harddrive. Is there one or did you mean to say the second partition that you had made? quote: "Course my 2nd HD is 37.2 so I imagine that IS a windows thing." /quote
Then, here (http://www.pcguide.com/vb/showpost.php?p=233480&postcount=122) you mention an infection in AIM. Did you install and use it since reinstalling?
And that non deletable 8 gigs mentioned here (http://www.pcguide.com/vb/showpost.php?p=233489&postcount=124) has me worried too. What kind of pc is this? Some have recovery consoles or BIOS info on locked partitions but 8 gigs is a lot.
I would start over but this time use the harddrive manufacturer's utilities to partition and completely zero fill prior to using the original XP cd and original SP2 cd. And as far as I know, zero filling is not a misnomer because it writes to every single block on your harddrive, that is why it takes so long to do. Basically the 'zero' represents an electrical charge like the binary '+'s and '0's. By writing something to every sector it overwrites any virus or malware, program etc, quite effectively.
You would only need to run it once though, as you are not trying to make data non-recoverable but only to make the malware ineffective. As you install your os and add data, over time this becomes a second pass, but of course, not of all zeros.
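The single pass described above, written out as an added example (this is not code from the thread or from Western Digital's tool): one sequential pass of zeros over a region, followed by a read-back that confirms every byte really is zero and reports the first offset that is not. The demo runs against a temporary file standing in for a disk; on a real machine you would point `path` at the raw device (e.g. /dev/sdX, or the physical drive path on Windows, opened with administrator rights), which is an assumption about your environment, and take `size` from `device_size()`.

```python
import os
import tempfile

CHUNK = 1 << 20  # write and read 1 MiB at a time


def device_size(path):
    """Size in bytes of a regular file or a raw block device (seeking to the end works for both)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)


def zero_fill(path, size):
    """One sequential pass of zeros over the first `size` bytes of `path`.
    Returns the number of bytes written. Assumption: `path` is a file or a raw device
    the caller is allowed to open read/write (e.g. /dev/sdX as root)."""
    zeros = bytes(CHUNK)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(CHUNK, size - written)
            f.write(zeros[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros reached the media, not just the cache
    return written


def verify_zeroed(path, size):
    """Read the region back and confirm every byte is zero.
    Returns (True, -1) on success, or (False, offset_of_first_nonzero_byte)."""
    off = 0
    with open(path, "rb") as f:
        while off < size:
            buf = f.read(min(CHUNK, size - off))
            if not buf:  # short read: the region is smaller than claimed
                return (False, off)
            if buf.count(0) != len(buf):
                first = next(i for i, b in enumerate(buf) if b)
                return (False, off + first)
            off += len(buf)
    return (True, -1)


def demo():
    """Constructed stand-in for a disk: a temp file holding fake 'old' contents."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    with open(path, "wb") as f:
        f.write(b"MZ\x90\x00old boot sector and leftover files" * 2000)
    size = device_size(path)
    before = verify_zeroed(path, size)   # (False, 0): first byte is already non-zero
    written = zero_fill(path, size)
    after = verify_zeroed(path, size)    # (True, -1): nothing survived the pass
    os.remove(path)
    return before, written, after, size


if __name__ == "__main__":
    print(demo())
```

The verify step is the part worth keeping even when you use the vendor's tool: run it over the whole reported device size afterwards, and a non-zero offset tells you the wipe stopped short or did not cover the region you expected.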
deltabwa
06-08-2005, 10:30 AM
no prob on aol.. :-)
No, I'm sorry, along with immediately installing the Adaware, Kerio, etc. that I discussed, I did forget to mention I immediately installed Firefox. Since you gave me the link to install it, which I did install immediately, the only time I have used IE is when using AOL. Hence the previous question about hooking another browser with AOL.
When I went to those sites I discussed previously it was NOT with AOL. so I went to them using Firefox
No, my ISP is cheaper than cheap. I live in a town of 500 people, we are lucky to have the internet. And to answer your previous question, NO lol don't expect to see DSL offered here for some time. The only mail I use is AOL mail. They are supposed to be protected. I don't have any other address.
No, I have a completely separate 40 gig HD, which I had talked about before where I said I wouldn't reformat that one because that is where I had kept all the actual programs stored. And yes, that HD is scanned along with the C drive and never finds anything, it's always on the C drive. That one is listed as having 37.2 g. This last install however, I decided to install all the A/V and such programs to the C drive instead of the other drive thinking maybe that would make a difference.
The other "partition" is currently not being used. If I am referring to the smaller partition, I will refer to it as a 2nd partition, how's that :-)
No, have not used nor installed AIM, which was why I was so puzzled. I don't understand that at all. Normally I uninstall it immediately because I don't use it.
It is a custom built computer. Received April 21, 2005, so it hasn't been running very long. Do you need me to run specs again? I didn't get HD utilities but it is a Western Digital Caviar SE 160 gig..... huh.. I am reading specs on the HD now and I imagine I have just answered this problem. I think... The exact specs, according to my invoice, not on any other paperwork, just the invoice, say "Western-160GB 7200 rpm 8mb buffer ide drive". I imagine there's the 8 gig. My 2nd HD (40 gig) is also a WD Caviar. Is that a standard of theirs?
And how do I zero fill? I didn't understand that when Bud explained it. Is there a program, or is it just reformatting NOT using the quick method?
I have also wondered about Partition Magic. Is that a good program to use?
Fruss Tray Ted
06-08-2005, 11:23 AM
Sorry if some of this discussion is redundant, the thread is so long now it is difficult to go back and find all the relevant info each post. A synopsis wouldn't be bad. Putting your system in your profile helps a lot too.
I don't know anything about Partition Magic. Haven't used it. I would only if I wanted to rearrange some partitions without wanting to reinstall my os'es.
I use predominantly WD harddrives also. The 8MB refers to your cache size in the harddrive software itself and has nothing to do with a partition of 8 gigs.
Western Digital's DataLifeguard (http://support.wdc.com/download/index.asp?cxml=n&pid=999&swid=2) is the tool you need for writing zeros. It can also test for bad sectors and sometimes repair them as well. There's other programs available on their website though I haven't used any other than the one in the link. You may need to remove the NTFS format prior to running the DOS version of this software though, but try the floppy first.
If your hubby's pc has been scanned and it is clean of any malware, I would suggest downloading and creating the floppy on his.
If this is a custom built pc, that 8 gig partition that you cannot access does not belong there unless you meant to put it there.
One thing for sure is, once you do get over this thing, you'll be quite adept at installing and repairing your pc enough to do some on the side... ;)
deltabwa
06-08-2005, 02:05 PM
I have thought about maybe seeing if we should start a new thread but you said before I reformatted to keep this one alive so I did as told but agree on the size.
Here's the specs.
I'm running a..
Jetway PM800BMS
Intel 4 540 3.2G
1024 ddr-400 ram
Sony 16X DVD-R/+RW DVD Burner Drive
56k pci rockwell modem
WD Caviar 160 g HD
Integrated S3 Graphics UniChrome Pro
CMedia CMI9739A 6 Channel, AC97 audio codec
VIA VT6103L 10/100 Fast Ethernet controller (disabled)
As far as that Program from WD, I already have it, Dl'ed it before I got this computer to test my sis-in-laws computer and it's on CD so it should be fine. But I did not create a floppy. do I need to use my husbands computer to do that? Or can I do it on here.
I also wonder, and may be stupid question but...
All the A/V, etc programs that I run, only 1 program finds any errors, even now. I've done all the online scans and such, I went to:
http://vil.nai.com/vil/content/v_10477.htm
http://www.thespykiller.co.uk/chronicles.htm#therealsearch
http://securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html
to see what they say about removals of the problems that MWavScan found, and I MADE NO CHANGES TO THE COMPUTER but did check to see if the files were on the computer, or in the registry, and nothing shows up. So where does MWavScan find them if none of the other programs, including online scans, can?
AGAIN, I MADE NO CHANGES AND DID NOTHING BUT LOOK!!
It just seems odd that that is the only thing finding anything and I check for updates on these programs every hour almost and still no other programs find anything.
Is it possible it's clean but just not showing it? I know it's stupid but it just seems odd that 1 and only 1 finds this stuff.
deltabwa
06-08-2005, 02:07 PM
P.S. According to Symantec, The ALTNET spyware is installed from KAZAA and another, yet I hadn't downloaded anything except A/V programs before it gave that error.
Fruss Tray Ted
06-08-2005, 02:17 PM
A couple quick things to try:
Disable your restore points, reboot and re-enable them. Reboot and run MWav again. I can't tell where they are residing by your post here (http://www.pcguide.com/vb/showpost.php?p=233549&postcount=125). There's no file path in your list. You could put them in the run box and see if they are findable that way. Use pieces of them like: therealsearch or just CWS or both.
Fruss Tray Ted
06-08-2005, 02:30 PM
Just curious, seeing as Kazaa and Grokster were mentioned, where did you download all the programs you are reinstalling? They should only come from well known trusted sites like the original software maker or places such as MajorGeeks, AfterDawn, CNET and others like that. I don't trust ANY software from a p2p site AT ALL!
deltabwa
06-08-2005, 04:46 PM
I download the new programs from the links you gave me. As far as my previous downloads, I only download from MajorGeeks and download.com (CNET). Mostly download.com, that one I have been using for a couple years. MajorGeeks I just ran across last year and have been using them as well, but a post I saw a couple weeks ago said that Download.com has adware (??). Don't know if that's true but I haven't downloaded anything new except what you have given me since this started, so not a real issue. Never heard of AfterDawn but will add that to my list.
And you do understand that Kazaa is only mentioned as a reference to what symantec said that one came from, not that I have downloaded that program
I will try rebooting and see how that does me.
That post you referred to was from MWavScan. It doesn't list paths, just objects. I can post the whole thing if you like, but was following directions from this post http://www.pcguide.com/vb/showpost.php?p=231598&postcount=36
Referring to Regseeker... when they list the errors after the scan, it lists 2 colors, green and red. which color is ok to fix or delete? are both ok?
deltabwa
06-08-2005, 05:31 PM
Did that, no change. Here is the complete log, which gave me a thought...
Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "CWS.therealsearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Object "iSearch Spyware/Adware" found in File System! Action Taken: No Action Taken.
Entry "HKCR\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD0A5AF3-B41D-11d2-9C95-00C04F7971E0}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdProcessRawImages" refers to invalid object "{4DCADFA0-556A-4288-AB68-833C51A2CF6B}". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdProcessRawImages.1" refers to invalid object "{4DCADFA0-556A-4288-AB68-833C51A2CF6B}". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdRemoteCapture" refers to invalid object "{7D5BAFEE-5A7D-4BB0-B709-A17422EEB658}". Action Taken: No Action Taken.
Entry "HKCR\Zb.ZbCmdRemoteCapture.1" refers to invalid object "{7D5BAFEE-5A7D-4BB0-B709-A17422EEB658}". Action Taken: No Action Taken.
File C:\Program Files\America Online 9.0\backup\restore\comp02.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\America Online 9.0\Jiti\Jiti_mm.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\aolback\comp02.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
There is a new one in here.. the "isearch".. and I'm not sure what the deal with the AOL things is, listed as "tagged as not-a-virus" (what is that?).... but it gives me a thought.. I did a search in the registry for anything related to those names and I did find "therealsearch" listed under:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\therealsearch.com
But.. I wonder if however those got in the registry again already, if I deleted (or altered) those keys, would that remove the error in MWav. I ran Regseeker and it tells me all of those files or paths do not exist.
<<Entry "HKCR\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{88E729D6-BDC1-11D1-BD2A-00C04FB9603F}" refers to invalid object "fde.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{FD0A5AF3-B41D-11d2-9C95-00C04F7971E0}" refers to invalid object "BdaPlgin.ax". Action Taken: No Action Taken.>>
Of course it also tells me that the file "cmmgr32.exe" does not exist either, and I thought that was a legit MS file.
And was
deltabwa
06-08-2005, 05:32 PM
scratch that "and was"
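The two things the log above turns up, a hijacker domain parked under `Internet Settings\ZoneMap\Domains` and CLSID entries whose registered file is gone, can both be checked from a plain `regedit` export without touching the live registry. The script below is an added example, not part of the thread and not MWavScan's or Regseeker's logic: it parses a `.reg` export, flags any domain mapped into a zone that is more trusting than Internet (Trusted sites is how adware like therealsearch gets around IE's restrictions) or into Restricted sites (a way to block a security vendor's update site), and flags any `InprocServer32`/`LocalServer32` whose file does not exist. The sample export is constructed; the first CLSID is one the MWavScan log above reports as pointing at `BdaPlgin.ax`, the second CLSID and `present.dll` are invented, and `PRESENT_FILES` stands in for the real file system so the demo runs offline. Against a real export, pass the default `os.path.exists` and open the file with `encoding="utf-16"` (regedit writes UTF-16), which is an assumption about how you produced the export.

```python
import os
import re

# IE URL security zone numbers as stored under ZoneMap (Windows' own numbering)
ZONES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
         3: "Internet", 4: "Restricted sites"}

ZONEMAP_RE = re.compile(
    r"\\Internet Settings\\ZoneMap\\(?:Esc)?Domains\\(?P<domain>[^\\]+)(?:\\(?P<sub>.+))?$", re.I)
CLSID_SERVER_RE = re.compile(
    r"^HKEY_CLASSES_ROOT\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\(?P<srv>InprocServer32|LocalServer32)$", re.I)


def parse_reg(text):
    """Minimal parser for a regedit .reg export -> {key_path: {value_name: value}}.
    Handles REG_SZ ("...") and REG_DWORD (dword:xxxxxxxx); other types are kept as raw text."""
    keys, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1]
            keys.setdefault(cur, {})
            continue
        if cur is None or "=" not in line:
            continue
        name, _, val = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        if val.startswith("dword:"):
            keys[cur][name] = int(val[6:], 16)
        elif len(val) >= 2 and val.startswith('"') and val.endswith('"'):
            keys[cur][name] = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            keys[cur][name] = val
    return keys


def audit(keys, file_exists=os.path.exists):
    """Return (kind, subject, detail) findings: domains mapped into a trusting or
    restricting zone, and COM servers whose registered file is missing."""
    findings = []
    for key, vals in keys.items():
        m = ZONEMAP_RE.search(key)
        if m:
            host = f"{m['sub']}.{m['domain']}" if m["sub"] else m["domain"]
            for scheme, zone in vals.items():
                if not isinstance(zone, int):
                    continue
                if zone <= 2:      # fewer restrictions than the Internet zone
                    findings.append(("zonemap-trusted", host, f"{scheme} -> {ZONES.get(zone, zone)}"))
                elif zone == 4:    # Restricted sites: can silently block a vendor's update site
                    findings.append(("zonemap-restricted", host, f"{scheme} -> {ZONES[zone]}"))
            continue
        m = CLSID_SERVER_RE.match(key)
        if m:
            path = vals.get("(Default)")
            if isinstance(path, str):
                candidate = os.path.expandvars(path.strip('"'))  # %SystemRoot% etc. on Windows
                if not file_exists(candidate):
                    findings.append(("dangling-clsid", m["clsid"], f"{m['srv']} -> missing {path}"))
    return findings


# Constructed sample export (not taken from the thread's machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\therealsearch.com]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.net]
"http"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.org]
"https"=dword:00000003

[HKEY_CLASSES_ROOT\CLSID\{0DED49D5-A8B7-4d5d-97A1-12B0C195874D}\InprocServer32]
@="C:\\WINDOWS\\system32\\BdaPlgin.ax"
"ThreadingModel"="Both"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\WINDOWS\\system32\\present.dll"
"ThreadingModel"="Apartment"
"""

# Stand-in for the file system so the demo is deterministic offline (constructed).
PRESENT_FILES = {r"C:\WINDOWS\system32\present.dll"}


def demo():
    return audit(parse_reg(SAMPLE_REG), file_exists=lambda p: p in PRESENT_FILES)


if __name__ == "__main__":
    for finding in demo():
        print(*finding, sep=" | ")
```

A domain in the Internet zone (3) is the default and is not reported; a dangling CLSID is only evidence that something was uninstalled or deleted without cleaning up after itself, so treat it as a lead to check, not proof of infection.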
deltabwa
06-08-2005, 06:20 PM
For the record, I went to the AIM folder, saw the only thing in the folder was the AIM exe file, and deleted the entire folder. I am currently re-running Bitdefender and will let you know the results
Fruss Tray Ted
06-08-2005, 06:38 PM
I seem to recall mention of Download.com as well but I'm not too worried about them myself. I have yet to get a popup or other problem using their site. But if offered a choice, I choose others like MajorGeeks.
The red items in Regseeker, for me at least, all refer to file types that are not used. Thusly, they are not needed. A small, if even noticeable, performance boost would result if you removed them so Windows doesn't have to 'consider the existence' of them when examining, opening or modifying files. Your choice on removing them as they would be reinstalled either by the program you may install at a later date or Windows will retrieve them from cab files during an install of a prog that needs them.
The green ones are mostly in the Temp files (in my case at the moment) and you can delete those yourself or use a program like Eraser to do same, so that is why Regseeker doesn't consider them much of an issue. Again, your choice to remove them if you wish.
My choice? In my pc, anything not needed gets kicked off the C: drive. Less baggage the better. I don't even make a backup though I should first to see if any problems start. If not and all my apps work, then delete the backups.
________________________
Now here we are, fixing things when we still have 8 gigs of storage space that we don't know anything about other than it doesn't allow you to delete it. :confused:
I'd really like to see this thing with a squeaky clean install before tweaking it for performance and adding other peripherals etc. Does 'My Computer' show that partition at this time? It really sounds like a rather large virtual drive during XP's installation but without initiating an install at this moment I cannot tell you for sure if that is what it was if it is not seen there. I have a small HDD that I could try and see if you do not find the mysterious 8 gig partition on your pc and all the space is accounted for.
What you should see is 3 drives if it is not seen, 4 if it is. If it is listed, right click and explore it, WAIT, after scanning it! :eek: If it is not listed, it is either hidden to Windows or it was used as a swap/virtual file during installation.
Edit:
I thought I refreshed but must not have. I started this post, then my son showed up and I got sidetracked. I missed your latest 3 post till now but haven't read them. I'm about to now.
Fruss Tray Ted
06-08-2005, 07:35 PM
Cancel your AOL account! Get a regular isp even if there's no protection from any malware and popups but 'put up your dukes' before venturing out into cyberland. Notify and update all contacts of your new address if necessary prior to the move. You can start a new subscription and let it run, then after some time, cancel the bastards! (http://www.google.com/search?hl=en&q=AOL+hell&btnG=Google+Search). AOL HELL (http://www.pcguide.com/vb/search.php?searchid=110677) is exactly what you are going through. I'm particularly amused by Ernie's post in the first hit, second post.
Seems I've been turning my blind eye towards all the AOL and AIM references when this site (pcguide) abhors them. My ten foot pole is not long enough to touch them on this machine or any other one under my care for that matter!
I'm willing to bet a lot of those invalid entries are what was used to install all the junk you've got going in this new install.
Dump them, reinstall (no need for a zero fill, they're not that nasty :rolleyes: ), use an alternative connection and email, then breathe a sigh of relief! :cool:
If you have any more of those free offers for ~so many hours of AOL for nuthin' cd's, we'll take'em. They fit in trap and skeet throwers. Adds a challenge when 10 at a time are thrown :p
Someone yell Pull! puhleeze... :D
deltabwa
06-08-2005, 07:58 PM
roflmao :-) I'm not sure if I am supposed to address anything or not rofl
but I will.. lol
as far as aol goes.. yeah they are a pain in the..... but the isp is worse.... (?) lol
how do you feel about ewido trojan scanner? ran across it on Geeks to Go (didnt download or install just ran across trying to find some probs..)
bitdefender came up fine. no probs once I deleted the AIM crap.
My Computer does NOt show the 8 g,
C: is 97.6
D: is 37.2 (this is the old HD, not sure why this stayed D after adding the new partition)
G: is 51.3 (this is the new partition. not sure why it didn't adjust this to E instead of working around the 2 dvd's)
Also, the 2nd HD (D:) is 40 gig and has Win 98 on it. As you can see, it too does not have the full 40 gig. It's not 8 but still.. I don't know if that is normal? And when doing the math on the other 2 (C: & G:), it is off 11.1g. ughh you're gonna tell me to wipe, aren't you lol
When you say reinstall don't zero fill, do you mean to just reinstall XP over the existing without wiping?
Fruss Tray Ted
06-08-2005, 10:54 PM
A repair install will leave you with AOL still on your system.
Not all ticks carry Lyme Disease either.... :o
Don't worry 'bout the unexplained space on your drive, we can get back to it.
I said:
"Reinstall with all except AOL."
pop pop
06-08-2005, 11:51 PM
Sorry to jump in at the end here...
FTT, certainly you have read some of my rants against AOL. I'll keep it short here, but for deltabwa's benefit, let me reiterate: AOL is crap. AOL is a parasite. AOL commercials are a fraud. Nine out of ten spyware/virus/trojan infested computers I have worked on have or have had AOL or some AOL component on them. I politely but firmly recommend that clients dump it and never look back. Sometimes they dump and things go much better. Sometimes they insist on keeping it and things return to hell very quickly.
AOL is not worth it at any cost, even free, even if they paid me. I would use dial-up on a 300 baud modem before I would use AOL.
EDIT: FTT, the last two of your links puzzle me. One searches PCGuide and comes up empty and the other opens the PCGuide Home Page.
deltabwa
06-09-2005, 12:21 AM
okey doke, I will get back to you when I am all done.. Again. If only someone could figure out how to save my POGO codes.....
Fruss Tray Ted
06-09-2005, 12:54 PM
Pop pop,
My links were working as verified by me immediately after posting.
The second one, AOL HELL should have opened the search result page of a local search here at pcguide using those same words. I don't know why the link went south, I checked it yesterday right after posting it. Same search again here (http://www.pcguide.com/vb/search.php?searchid=111047). You should be able to see search #111047 in the task bar as you hover over it.
The 3rd link was simply where I typed (url=pcguide)here(/url) (but using the correct brackets) and the software must have autocompleted the rest and made pcguide.com as the result.
No big deal either way but once I did a similar thing to the third one and the resulting autocomplete directed you to a questionable site where porn was another hyperlink there. So I am a bit more careful these days and always check the link either in preview post or just after submitting.
pop pop
06-09-2005, 01:25 PM
Oddly, for me anyway, today the links are working as advertised. I think I'll blame the previous malfunction on evil AOL voodoo:mad: --couldn't have been me or my PC. Nah.
deltabwa
06-09-2005, 01:58 PM
ok, uhhhhh.. before I begin the tedious chore, I never did get an answer on how/where I find each program's "updates", such as AVG; they have updated a few times, same with Trend Micro, Adaware, etc.. Where on my computer do I find the files to copy so when I install them again I don't have to go online before being completely updated?
pop pop
06-09-2005, 02:32 PM
You only have a couple of choices. Download the latest core application versions and you should generally be safe after installing them. You can also, if you want to go to the trouble, download the database/definitions files either from the respective home site or from Majorgeeks.com using a different, protected PC. Put those on your PC in a folder and then use the respective update facility but tell it to update from the file on your computer rather than from the internet. Once installed and updated, run full scans before even connecting to the outside world. When you know you are clean after the fresh installs, enable all protection and remember to set AVG to auto update from the net.
Fruss Tray Ted
06-09-2005, 03:11 PM
AVG:
Open Test Center> Click Service Tab> Program Settings> Keyboard tab> Export Key Definitions. That is the same location to import them also. But the file is only 226 bytes! My copy of the latest version but not fully updated, is less than 10 megs. Easily D/Led on Dial-up if you choose that way.
The newest AdAware is 2.72 megabytes which should be no problem downloading fresh on dial-up before or after does not matter.,.Spybot should be similar. They are programs you use for cleaning your pc not guarding it like SpywareGuard or your A/V softwares and firewalls etc.
I don't use Trend Micro except for their online scan.
I would have my A/V, browser and firewall downloaded, the rest can be done after.
deltabwa
06-09-2005, 04:32 PM
ok, I have the actual programs, that's not the problem, I was referring to the daily updates. After reading your post http://www.pcguide.com/vb/showpost.php?p=233352&postcount=120 I guess I misunderstood. I thought you were saying to get all the updates (new definitions and such) and install all that before I went online. Trend, I know, had a HUGE update after the last install, as though it was a new version. I imagine I'll have to check the webpage for that.
Also, since this has become a "get rid of AOL hell" ordeal, can I use the streamlined CD or do I have to go back to the originals? I'm just so antsy about installing SP2 separately and having the same issue I had before with stalling at reboot.
And.. should I be deleting partitions since I'm going through all this? What kind of partition should I be making? Put it on the small one?
And my AVG export file is only 1kb?? Not sure that's right.
Fruss Tray Ted
06-09-2005, 06:29 PM
You could use your slipstream cd if you like, all this junk looks like an AOHELL thing. I don't think you would have any probs with SP2 if you chose to install with the 2 originals either if you remain off the net and esp. AOL!
I would suggest a 20 gig primary partition (12 and up is ok) and the others are up to you but 40-60gig is the size I make them with large drives.
1kb is probably right because XP may not want to measure anything smaller and reports it as 1kB.
deltabwa
06-09-2005, 09:57 PM
Just when you think I am done.. :-) Can I ask for some help in obtaining software or updates or anything. I have a sony dw-d22a, apparently dvd decoders are supposed to come with the hardware but the cd I have doesn't seem to have a decoder. Anyway, I have search sony, as well as google and can't find anything on this model. Was wondering if you could find something about it. I'd really like to get the decoder (and not have to pay for it) but any software/driver updates as well.
thanks if you can
Fruss Tray Ted
06-10-2005, 04:42 PM
If you buy the OEM Nero, make sure it has 'Recode' and Nero 'Showtime'.
Nero's burning software will handle making disks and Showtime will play dvd's. Pay attention to the one you buy especially about the dual-layer capabilities. Version 6.6 OEM may not burn dual layer but can be had for $5 if you look around. 6.6 ultra probably can but is more likely to be around $65