mywebsearch toolbar
vanagon40
19 May 2004, 4:02am
My daughter brought her laptop home from college and complained it was a little buggy. She had no updated virus protection, etc.
I am cleaning and noticed a mywebsearch toolbar. Daughter cannot remember whether she intentionally installed or not. She previously had problems with spyware and had Ad-Aware (not updated) already installed.
Two questions:
Is mywebsearch toolbar harmless, or should I wipe it out? Ad-Aware did not object to its presence.
Ad-Aware found malware "Win32.Sasser." Is this related to the sasser worm or is it something else?
Thanks in advance for any information.
Kwitko
19 May 2004, 4:27am
Mywebseach is definitely spyware. Read about it here (http://www.doxdesk.com/parasite/MySearch.html). It appears relatively easy to remove. As for Ad-Aware not recognizing it, make sure you're running the latest release with the latest definitions.
Win32.Sasser sounds like the Sasser virus to me. Follow the removal instructions here (http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.removal.tool.html).
vanagon40
19 May 2004, 4:54am
Thanks for the quick response, Mr. Kwitko. Seems like there might be several problems. Critical updates not installed. Can't check for the sasser worm yet 'cause microsoft can't (won't) check 'till the patch is installed. Something is blocking access to the McAfee website.
Odd that you think Ad-Aware should object to mywebsearch toolbar as I updated Ad-Aware immediately before running it.
Going to take some time to get the microsoft updates as I'm on dial-up.
I'm not seeking additional assistance at this time. I'll clean as best I can and then see if I need help.
Thanks again,
Jim
vanagon40
19 May 2004, 9:34am
As previously stated, the laptop was full of bugs. Removed toolbar. Could not install microsoft critical updates. Access to known anti-virus websites is blocked. Finally got to trendmicro.com and ran scan. Multiple instances of Sasser.C and Agobot worms were found and deleted. Found Trojan MSCACHE.A but could not remove. Now access to trendmicro is blocked. When attempting to go to known anti-virus website, address bar shows: http:///?%20www.*****.com, where ***** represents address (e.g., mcafee, trendmicro, etc.). Little bugger has good survival instincts.
Where do I go from here? Seems that MSCACHE.A might be the problem as it was only virus that trendmicro did not delete.
There may be some delay in responding as I work days (US) and the laptop is at home.
Last microsoft critical updates were installed mid April.
Thanks for any suggestions.
Jim
vanagon40
19 May 2004, 6:50pm
Would also note that I'm unable to open or install SpybotS&D. Got HiJack This, but the program shuts down after approximately 2 seconds. I'll try running HJT in the safe mode this evening.
Any suggestions?
vanagon40
20 May 2004, 6:28pm
Definitely had sasser and agobot. Spybot found too many problems to list here.
I've run Ad-Aware, Spybot 1.3, and CWShredder.
Here are some of my symptoms:
Will not allow microsoft critical updates to install (I managed to install most in safe mode)
Will not allow McAfee to install (although I can now access the web page, when previously I could not).
After disconnecting from internet (I'm now on dial-up), programs are requesting access to internet (e.g., Scooby_doo3.yi.org, oxygen13.ath.ex)
Here is my HJT log run in safe mode:
Logfile of HijackThis v1.97.7
Scan saved at 11:50:12 AM, on 5/20/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\virus stuff\hijackthis\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\virus stuff\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [File System Service] wmiprvsc.exe
O4 - HKLM\..\Run: [System Update Service] wmiprvsv.exe
O4 - HKLM\..\Run: [System Updater Process] wmiprvsw.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKLM\..\RunServices: [System Update Service] wmiprvsv.exe
O4 - HKLM\..\RunServices: [System Updater Process] wmiprvsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\America Online 7.0\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O4 - Global Startup: Purdue University Air Link.lnk = C:\Program Files\Purdue University\Air Link\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.6610532407
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
vanagon40
20 May 2004, 7:57pm
I know my thread title is no longer accurate.
I am also 99.9% certain that wmiprvsv.exe is part of agobot.
Please advise on exactly what entries to remove, and any other steps to cure this ailing laptop.
vanagon40
21 May 2004, 4:02am
OK, I got impatient waiting for a response, so I deleted the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
Ok, but don't use
R3 - Default URLSearchHook is missing
Could not see any harm in deleting
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
Don't use. Do I need it if want to use in future?
O4 - HKLM\..\Run: [QuikShield] qkshield.exe
Got rid of QuikShield altogether.
O4 - HKLM\..\Run: [File System Service] wmiprvsc.exe
O4 - HKLM\..\Run: [System Update Service] wmiprvsv.exe
O4 - HKLM\..\Run: [System Updater Process] wmiprvsw.exe
O4 - HKLM\..\RunServices: [File System Service] wmiprvsc.exe
O4 - HKLM\..\RunServices: [System Update Service] wmiprvsv.exe
O4 - HKLM\..\RunServices: [System Updater Process] wmiprvsw.exe
99.9% sure this is Agobot
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocach...etup1.0.0.8.cab
Smiley Central crap
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...81/mcinsctl.cab
My failed attempt to install McAfee, I'll try again
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
On line virus scan, don't need
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/...nfo/webscan.cab
Another on line virus scan
O16 - DPF: {8EF27A70-DD04-11D6-B7F6-00A0C9CD5F8A} - http://www.quikshield.com/qshsetup.exe
Removed program
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,19/mcgdmgr.cab
Another failed McAfee download
Did I miss something?
Did I delete too much?
Is anyone listening? (I would appreciate a little feedback, if even to only say I'm doing good.)
Must be doing some good, as now microsoft critical updates are being allowed to install. However, as I am on dial-up, I still have 6 hours left on the update install.
Jim
vanagon40
21 May 2004, 4:09am
Just trying to move up the list to get a reply.
Jim
Kwitko
21 May 2004, 4:21am
Post your latest log.
vanagon40
21 May 2004, 5:18pm
I think I'm getting closer. Note the updated IE version.
Here is the log run in normal mode
Logfile of HijackThis v1.97.7
Scan saved at 11:05:13 AM, on 5/21/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 7.0\aim.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Purdue University\Air Link\cvpnd.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\virus stuff\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\virus stuff\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\America Online 7.0\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O4 - Global Startup: Purdue University Air Link.lnk = C:\Program Files\Purdue University\Air Link\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.6610532407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
vanagon40
21 May 2004, 7:13pm
I've still got agobot. Either the computer associates virus information center tool is not removing it, or I am getting reinfected. It seems to be blocking access to known anti-virus web sites.
muddocktor
21 May 2004, 9:27pm
One thing you can try is downloading another browser like Firebird and see if you can get to the AV websites. The virii you have on that machine might not know how to deal with a standalone browser like Firebird.
Kwitko
21 May 2004, 9:35pm
Delete this:
O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
Then delete the file while in safe mode.
vanagon40
22 May 2004, 2:42am
Thank you Mr. Kwitko.
O4 - HKLM\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
and
O4 - HKCU\..\Run: [WinDriv32] C:\WINNT\System32\WinDriv32.exe
were definitely Agobot. I think Agobot is finally gone.
Found the solution to the blocked anti-virus sites. => http://www.experts-exchange.com/Security/Win_Security/Q_20935886.html
Many of the viruses/worms today are attacking your "hosts" file so you can't access antivirus sites.
With Notepad, open up the file
c:\windows\system32\drivers\etc\hosts
If you see lines like this:
0.0.0.0 www.symantec.com
0.0.0.0 www.norton.com
or any other site mapped to 0.0.0.0, delete those lines. Also, if you see any common sites you recognize (such as Google) mapped to another number (IP address), delete those lines.
Your browser checks this hosts file first when you type a web address into your browser. So, when it sees a site listed, it automatically uses that IP address.
Hopefully, deleting these lines from your hosts file will allow you to update your AV. And, hopefully that updated AV will get rid of your virus problem.
I'm downloading McAfee as I type.
I'll post a HJT log after updating everything, but I think I may finally be clean. Only took me four days to clean up two semesters worth of bugs.
Thanks again.
Jim
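The hosts-file hijack described above (vendor sites pinned to 127.0.0.1 or 0.0.0.0, familiar sites pointed elsewhere) is easy to audit mechanically. This is an added example, not code from the thread or from any of the tools mentioned in it; the sample hosts file is constructed, modelled on the entries posted in this thread, and the watch list of vendor domains is an assumption.

```python
"""Audit a Windows/Unix hosts file for the two patterns the thread describes:
security-vendor names sinkholed to loopback/0.0.0.0, and well-known names
redirected to some other address. Sample input is constructed for this example."""
import ipaddress

# Addresses that make a name resolve to nothing useful.
SINKHOLE_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately live on loopback in a stock hosts file.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}
# Assumption: a short watch list of domains that should never appear in hosts at all.
WATCHED_DOMAINS = ("mcafee.com", "symantec.com", "trendmicro.com", "sophos.com",
                   "kaspersky.com", "f-secure.com", "ca.com", "nai.com",
                   "windowsupdate.com", "microsoft.com", "google.com")

# Constructed sample, modelled on the hosts entries posted in the thread.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             ip6-localhost
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
0.0.0.0   liveupdate.symantecliveupdate.com
127.0.0.1 www.trendmicro.com   # appended by the worm
192.0.2.10 www.google.com
10.0.0.5  printer.lan
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; handles comments, tabs and multi-name lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line; it cannot resolve anything
        for name in names:
            yield ip, name.lower()


def on_watch_list(name):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(ip, name):
    """Return 'sinkholed', 'redirected', or None when the mapping looks benign."""
    if ip in SINKHOLE_IPS:
        return None if name in LOOPBACK_NAMES else "sinkholed"
    if on_watch_list(name):
        return "redirected"
    return None


def audit_hosts(text):
    """Return [(verdict, ip, name)] for every suspicious mapping in a hosts file."""
    return [(v, ip, name) for ip, name in parse_hosts(text)
            if (v := classify(ip, name))]


def clean_hosts(text):
    """Return the hosts text with suspicious lines dropped; comments are kept."""
    kept = [raw for raw in text.splitlines()
            if not any(classify(ip, name) for ip, name in parse_hosts(raw))]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for verdict, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{verdict:10} {ip:16} {name}")
```

Point it at c:\windows\system32\drivers\etc\hosts (or /etc/hosts) instead of the sample to audit a real machine; any hit is a reason to suspect the box rather than the vendor site.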
Kwitko
22 May 2004, 2:55am
Make the hosts file read-only. I was going to mention looking at the hosts file, but usually HiJackThis will list strange entries. In this case it didn't.
Attach a copy of the hosts file so we can clean out the junk.
vanagon40
22 May 2004, 3:17am
Hosts file is now blank. Only entries in the hosts file were redirects to my computer for anti-virus sites. I cleared all.
vanagon40
22 May 2004, 6:28am
After four days, I think I've finally got it. Sasser and Agobot (and a host of other infections) removed.
McAfee installed and updated.
Scrubbed system with Spybot 1.3, Ad-Aware, and CWShredder (all updated).
SpywareBlaster (updated) installed.
Immunized with Spybot.
All microsoft updates installed.
Original Java removed and Sun Java installed.
I can't think of anything else. Any suggestions appreciated.
Hosts file now empty. Deleted the following entries:
127.0.0.1 www.sophos.com
127.0.0.1 sophos.com
127.0.0.1 www.mcafee.com
127.0.0.1 mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com
127.0.0.1 www.viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 viruslist.com
127.0.0.1 f-secure.com
127.0.0.1 www.f-secure.com
127.0.0.1 kaspersky.com
127.0.0.1 kaspersky-labs.com
127.0.0.1 www.avp.com
127.0.0.1 www.kaspersky.com
127.0.0.1 avp.com
127.0.0.1 www.networkassociates.com
127.0.0.1 networkassociates.com
127.0.0.1 www.ca.com
127.0.0.1 ca.com
127.0.0.1 mast.mcafee.com
127.0.0.1 my-etrust.com
127.0.0.1 www.my-etrust.com
127.0.0.1 download.mcafee.com
127.0.0.1 dispatch.mcafee.com
127.0.0.1 secure.nai.com
127.0.0.1 nai.com
127.0.0.1 www.nai.com
127.0.0.1 us.mcafee.com
127.0.0.1 rads.mcafee.com
127.0.0.1 trendmicro.com
127.0.0.1 www.trendmicro.com
127.0.0.1 www.grisoft.com
Finally, my most recent HJT log (run in normal mode):
Logfile of HijackThis v1.97.7
Scan saved at 12:03:27 AM, on 5/22/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\GWHotKey.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\qttask.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 7.0\aim.exe
C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\virus stuff\hijackthis\HijackThis.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Purdue University\Air Link\cvpnd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINNT\System32\imapi.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://webmail.purdue.edu/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\VIRUSS~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [QuickTime Task] C:\WINNT\System32\qttask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\America Online 7.0\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: ORiNOCO Client Manager.lnk = C:\Program Files\ORiNOCO\Client Manager\CmLUC.exe
O4 - Global Startup: Purdue University Air Link.lnk = C:\Program Files\Purdue University\Air Link\ipsecdialer.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,81/mcinsctl.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37859.6610532407
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,19/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Special thanks to Mr. Kwitko for helping me get rid of Agobot.
That's All!
Jim a/k/a Vanagon45
Kwitko
22 May 2004, 6:33am
Glad your machine is clean. :)
primesuspect
22 May 2004, 8:17am
It's been a long road, huh? ;D
vanagon40
24 May 2004, 4:38am
It's been a long road, huh? ;D
Yeah, in the past month I have become a reluctant debugger. Sasser at home (Windows XP), About:blank (CWS) at work (Windows 98), and Sasser and Agobot (plus too many others to list) on my daughter's laptop (Windows XP). The only easy one was Sasser at home. Learned a lot about updating Windows and IE on a timely basis, as well as some other computer functions. Had to pat myself on the back a little bit in being able to fix all three. Still spent way too much time on fixing (probably 40 hours on about:blank and 20 hours on Agobot).
The Internet is a great source of information (as well as computer viruses).
Thanks to everyone for the help.
Jim
primesuspect
24 May 2004, 4:39am
Yep, my business is computer maintenance, and in the last few months, it seems as if that's all we've been doing is "(fill in the blank) removal"