Home search assistant does not fix my problem.
tartalacrème
3 Dec 2004, 10:28pm
Hi,
My problem looks like a Coolwebsearch, however I performed Home Search Assistant until step 4, then I couldn't find any of the services provided. I also tried Get Active Services but without great success. I am puzzled: I still get the same popups ieautosearch: 69.20.16.183 etc... Here is my HijackThis log:
Logfile of HijackThis v1.98.2
Scan saved at 21:42:19, on 03/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\QuickZip\QuickZip.exe
C:\My Downloads\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.google.fr
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CrocPopup+ ] C:\Program Files\crocpopup+\Crocpopup+.exe
O4 - HKLM\..\Run: [glgbalyv] C:\WINDOWS\glgbalyv.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Tsa2] C:\PROGRA~1\COMMON~1\tsa\tsm2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: ppctlcab - http://www.my-etrust.com/includes/pscanner/ppctlcab.CAB
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.my-etrust.com/includes/pscanner/axscanner.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Do you have any idea?
Thank you,
Tartalacrème. :scratch:
Buckeye_Sam
5 Dec 2004, 9:34pm
If you still need help for this problem please post a new hijackthis log.
tartalacrème
5 Dec 2004, 11:23pm
If you still need help for this problem please post a new hijackthis log.
I think I have fixed several things, however I still get some pop-ups from time to time. The computer doesn't stop by itself anymore. Here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 23:08:08, on 05/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Thanks a lot if you can find something wrong with it, because I really become crazy! :banghead:
Buckeye_Sam
5 Dec 2004, 11:50pm
Download Kill2Me from here and run it.
http://www.majorgeeks.com/download4166.html
Reboot and post a new hijackthis log.
tartalacrème
6 Dec 2004, 8:56am
Download Kill2Me from here and run it.
http://www.majorgeeks.com/download4166.html
Reboot and post a new hijackthis log.
Many thanks for your concern. I did what you said. It seems as if I am up to date with Microsoft. Here is the new log:
Logfile of HijackThis v1.98.2
Scan saved at 08:40:13, on 06/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCCLIENT.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCGUIDE.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\POP3TRAP.EXE
C:\My Downloads\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Tartalacrème.
Buckeye_Sam
7 Dec 2004, 4:52am
These lines indicate a brand new variant of the Look2Me parasite. I don't think it will work, but try this anyway.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
Reboot and please post a new hijackthis log so we can see if they're still there.
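The three O1 lines above are the whole diagnostic: a hosts file is meant to map names to local or loopback addresses, so a browser's built-in search hostnames pointing at a public address is a hijack regardless of what the address turns out to be. The following is an added example, not code from this thread, HijackThis or any tool mentioned here; it parses either HijackThis O1 lines or raw hosts-file lines and flags entries that send a sensitive hostname somewhere other than a sinkhole address. The sensitive-host list and the benign sample lines are constructed for the example; the three flagged lines are the ones posted above.

```python
import ipaddress
import re

# Hostnames that IE / Netscape of this era resolved for address-bar "autosearch"
# and for Windows Update. Pointing any of them at a third-party address hijacks
# the user's searches. Constructed list for this example; extend as needed.
SENSITIVE_HOSTS = {
    "auto.search.msn.com", "search.netscape.com", "ieautosearch",
    "windowsupdate.microsoft.com", "v4.windowsupdate.microsoft.com",
}

# HijackThis O1 line: "O1 - Hosts: <ip> <hostname>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_entries(lines):
    """Yield (ip, hostname) pairs from HijackThis O1 lines or raw hosts-file lines."""
    for line in lines:
        m = O1_RE.match(line)
        if m:
            yield m.group(1), m.group(2).lower()
            continue
        # Raw hosts-file syntax: "<ip> <name> [alias ...]  # comment"
        stripped = line.split("#", 1)[0].strip()
        parts = stripped.split()
        if len(parts) < 2:
            continue
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a hosts entry (header text, garbage)
        for name in parts[1:]:
            yield parts[0], name.lower()


def is_sinkhole(ip):
    """Loopback / unspecified addresses are the legitimate ad-blocking use of hosts entries."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(lines):
    """Return [(hostname, ip)] for sensitive names mapped to a real (non-sinkhole) address."""
    return [(host, ip) for ip, host in parse_entries(lines)
            if host in SENSITIVE_HOSTS and not is_sinkhole(ip)]


# Constructed sample: the three O1 lines from the thread plus benign hosts lines.
SAMPLE = [
    "O1 - Hosts: 69.20.16.183 auto.search.msn.com",
    "O1 - Hosts: 69.20.16.183 search.netscape.com",
    "O1 - Hosts: 69.20.16.183 ieautosearch",
    "127.0.0.1 localhost",                 # normal
    "0.0.0.0 auto.search.msn.com  # blocked on purpose",  # sinkhole, not a hijack
    "# comment only",
]

if __name__ == "__main__":
    for host, ip in find_hijacks(SAMPLE):
        print(f"HIJACK: {host} -> {ip}")
```

Because the check keys on the hostname rather than the address, it keeps firing after the operator rotates the IP, which is the property you want when, as in this thread, the entries reappear after every fix.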
tartalacrème
7 Dec 2004, 8:32am
These lines indicate a brand new variant of the Look2Me parasite. I don't think it will work, but try this anyway.
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
Reboot and please post a new hijackthis log so we can see if they're still there.
Hi! Back again... I tried to fix them in both normal and safe mode but they come again as sure as the day after the night! The strange thing is that I have a bunch of antispyware and antivirus systems and some of them, such as Perfect Process Alert, ring a bell with 'Divx4 codec:devldr32.exe in system32 added as a result of an unidentified virus.' Then I kill the process and delete the file, but the alert comes back a few minutes later if I use my browser... Of course the lines also appear in Spy Sweeper as an alert, and I can try to suppress them as long as I am still awake but they are still somewhere in the background.
:confused:
Here is the log:
Logfile of HijackThis v1.98.2
Scan saved at 08:12:08, on 07/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\My Downloads\trojan\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://v4.windowsupdate.microsoft.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
Buckeye_Sam
8 Dec 2004, 3:54am
I didn't think it would work...but we had to try. This is a nasty little guy, and very new. There isn't an automated removal process yet for this. I'm gathering information and will post when I have a fix for you.
tartalacrème
8 Dec 2004, 8:24am
I didn't think it would work...but we had to try. This is a nasty little guy, and very new. There isn't an automated removal process yet for this. I'm gathering information and will post when I have a fix for you.
Thank you! This nasty little guy is waiting for the sentence to be carried out... :smokin:
Buckeye_Sam
9 Dec 2004, 10:07pm
You have a new variation of the Look2Me parasite. An automated removal solution has not yet been established, so the current procedure for removing this parasite may take several steps. The first few steps involve collecting information from your system.
Can you please start off by downloading VX2Finder to your desktop from here:
http://downloads.subratam.org/VX2Finder(126).exe
Start vx2finder, then click on "Click to Find VX2.BetterInternet" and then click "Make Log" and copy and paste the entire contents of the log here.
Please download DLL Compare to your desktop from here:
http://www.atribune.org/downloads/DllCompare.exe
Start Dll Compare, then click on "Run Locate.com". When it tells you that's finished, click on "Compare" at the bottom right. When that finishes, click "Make a Log of What was Found" and answer "Yes" to View Log file. Copy and paste the contents of that log here.
Please also open the c:\Windows\System32 folder and see if there's a file there called Guard.tmp visible and report that here as well.
Can you please download the file "Find It.zip" to your desktop from here
http://computercops.biz/zx/Zupe/Find%20It%20NT-2K-XP.zip
Unzip the contents to a folder, then open the folder and double-click on Find.bat. It will run for a minute, then produce a log. Please copy and paste that log here.
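What the helper is looking for in the DLL Compare and Find It listings is a cluster: many DLLs in System32 with the system and read-only attributes set, all within a few kilobytes of the same size, all written within the last days, with names that look random. The following is an added example, not code from this thread or from DLL Compare, Find It or any other tool named here; it parses listing lines in the format DLL Compare prints (path, day, date, time, five-character attribute field, size with space separators, size in K) and flags such a cluster. The four cluster lines are taken from the listing posted later in this thread; the two benign lines, the file names hypothet1.dll and hypothet2.dll, and the thresholds are constructed for the example.

```python
import re
from datetime import datetime

# One DllCompare-style line, e.g.
# C:\WINDOWS\SYSTEM32\aza001~1.dll Sat 4 Dec 2004 13:34:54 ..S.R 225 998 220,70 K
LINE_RE = re.compile(
    r"^(?P<path>\S+)\s+"
    r"(?P<dow>[A-Za-z]{3})\s+(?P<day>\d{1,2})\s+(?P<mon>[A-Za-z]{3})\s+(?P<year>\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2})\s+"
    r"(?P<attrs>[.A-Z]{5})\s+"
    r"(?P<size>\d{1,3}(?: \d{3})*)\s+(?P<kb>\d+,\d+) K"
)


def parse_listing(lines):
    """Parse listing lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        mtime = datetime.strptime(
            f"{m['day']} {m['mon']} {m['year']} {m['time']}", "%d %b %Y %H:%M:%S")
        entries.append({
            "name": m["path"].rsplit("\\", 1)[-1],
            "mtime": mtime,
            "attrs": m["attrs"],
            "size": int(m["size"].replace(" ", "")),
        })
    return entries


def suspicious_clusters(lines, band_bytes=8192, window_days=14, min_count=3):
    """Return names of system+read-only DLLs forming a cluster of near-identical size
    all written within a short window. Thresholds are constructed defaults."""
    candidates = sorted(
        (e for e in parse_listing(lines) if "S" in e["attrs"] and "R" in e["attrs"]),
        key=lambda e: e["size"])
    flagged, cluster = [], []
    for e in candidates + [None]:          # None acts as a sentinel to flush the last cluster
        if e is not None and cluster and e["size"] - cluster[0]["size"] <= band_bytes:
            cluster.append(e)
            continue
        if len(cluster) >= min_count:
            span = max(c["mtime"] for c in cluster) - min(c["mtime"] for c in cluster)
            if span.days <= window_days:
                flagged.extend(c["name"] for c in cluster)
        cluster = [e] if e is not None else []
    return flagged


# Constructed sample: four lines from the thread's listing plus two invented controls.
SAMPLE_LISTING = [
    r"C:\WINDOWS\SYSTEM32\aza001~1.dll Sat 4 Dec 2004 13:34:54 ..S.R 225 998 220,70 K",
    r"C:\WINDOWS\SYSTEM32\cjmcat.dll Wed 1 Dec 2004 23:32:16 ..S.R 224 469 219,21 K",
    r"C:\WINDOWS\SYSTEM32\dqdmo.dll Fri 10 Dec 2004 8:10:16 ..S.R 222 887 217,66 K",
    r"C:\WINDOWS\SYSTEM32\sns.dll Fri 3 Dec 2004 16:50:58 ..S.R 223 246 218,01 K",
    # hypothetical: ordinary archive-attribute DLL, large, old -> not a candidate
    r"C:\WINDOWS\SYSTEM32\hypothet1.dll Wed 4 Aug 2004 12:00:00 ..A.. 983 552 960,50 K",
    # hypothetical: system+read-only but a lone size -> no cluster
    r"C:\WINDOWS\SYSTEM32\hypothet2.dll Tue 30 Nov 2004 9:00:00 ..S.R 45 056 44,00 K",
]

if __name__ == "__main__":
    for name in suspicious_clusters(SAMPLE_LISTING):
        print("suspicious:", name)
```

The size band matters more than the names: this family drops copies of one binary under fresh random names, so the sizes stay within a few kilobytes of each other while the names never repeat, which is exactly why per-name removal keeps failing for the poster.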
tartalacrème
10 Dec 2004, 8:58am
Please find the several logs here, thank you:
VX2Finder log:
Files Found---
Additional Files---
Keys Under Notify---
RunOnce
Guardian Key--- is called:
User Agent String---
{F1102748-C700-4A72-B672-35005F373415}
==============================================================================
As far as DLL Compare is concerned, I tried to view the log, however nothing happened, therefore I copied one by one the lines of what I supposed was the log (the second window below) and here it is:
C:\WINDOWS\SYSTEM32\aza001~1.dll Sat 4 Dec 2004 13:34:54 ..S.R 225 998 220,70 K
C:\WINDOWS\SYSTEM32\cjmcat.dll Wed 1 Dec 2004 23:32:16 ..S.R 224 469 219,21 K
C:\WINDOWS\SYSTEM32\czl3d32.dll Thu 2 Dec 2004 17:14:30 ..S.R 223 082 217,85 K
C:\WINDOWS\SYSTEM32\d40m0e~1.dll Sat 4 Dec 2004 22:16:26 ..S.R 222 876 217,65 K
C:\WINDOWS\SYSTEM32\d6j02g~1.dll Fri 3 Dec 2004 19:49:48 ..S.R 223 216 217,98 K
C:\WINDOWS\SYSTEM32\dn4201~1.dll Thu 9 Dec 2004 21:04:04 ..S.R 222 887 217,66 K
C:\WINDOWS\SYSTEM32\dnj801~1.dll Fri 3 Dec 2004 18:43:36 ..S.R 225 948 220,65 K
C:\WINDOWS\SYSTEM32\dnl401~1.dll Sat 4 Dec 2004 16:31:58 ..S.R 223 537 218,30 K
C:\WINDOWS\SYSTEM32\dnnm01~1.dll Thu 2 Dec 2004 19:48:08 ..S.R 223 084 217,86 K
C:\WINDOWS\SYSTEM32\dnr001~1.dll Tue 30 Nov 2004 9:48:02 ..S.R 225 938 220,64 K
C:\WINDOWS\SYSTEM32\dqdmo.dll Fri 10 Dec 2004 8:10:16 ..S.R 222 887 217,66 K
C:\WINDOWS\SYSTEM32\eicapi.dll Sat 4 Dec 2004 19:18:14 ..S.R 225 635 220,34 K
C:\WINDOWS\SYSTEM32\en02l1~1.dll Fri 3 Dec 2004 22:43:22 ..S.R 224 150 218,89 K
C:\WINDOWS\SYSTEM32\f62m0g~1.dll Sun 5 Dec 2004 7:35:32 ..S.R 225 511 220,22 K
C:\WINDOWS\SYSTEM32\ftclient.dll Fri 3 Dec 2004 6:42:50 ..S.R 223 110 217,88 K
C:\WINDOWS\SYSTEM32\fwifs.dll Sat 4 Dec 2004 18:14:12 ..S.R 223 721 218,48 K
C:\WINDOWS\SYSTEM32\g4402e~1.dll Tue 30 Nov 2004 9:59:10 ..S.R 223 230 217,99 K
C:\WINDOWS\SYSTEM32\gpnol3~1.dll Sat 4 Dec 2004 13:09:42 ..S.R 222 884 217,66 K
C:\WINDOWS\SYSTEM32\h02o0a~1.dll Fri 3 Dec 2004 21:24:34 ..S.R 222 368 217,16 K
C:\WINDOWS\SYSTEM32\hr8u05~1.dll Wed 1 Dec 2004 8:15:40 ..S.R 226 116 220,82 K
C:\WINDOWS\SYSTEM32\hrn205~1.dll Sat 4 Dec 2004 8:08:50 ..S.R 223 204 217,97 K
C:\WINDOWS\SYSTEM32\irlql5~1.dll Fri 10 Dec 2004 8:10:16 ..S.R 224 422 219,16 K
C:\WINDOWS\SYSTEM32\irr2l5~1.dll Fri 3 Dec 2004 21:16:22 ..S.R 222 855 217,63 K
C:\WINDOWS\SYSTEM32\jt0o07~1.dll Tue 7 Dec 2004 7:47:02 ..S.R 224 277 219,02 K
C:\WINDOWS\SYSTEM32\jt4607~1.dll Mon 29 Nov 2004 19:03:22 ..S.R 223 286 218,05 K
C:\WINDOWS\SYSTEM32\jtp207~1.dll Wed 1 Dec 2004 22:29:24 ..S.R 223 279 218,04 K
C:\WINDOWS\SYSTEM32\k0lq0a~1.dll Wed 1 Dec 2004 22:40:34 ..S.R 223 532 218,29 K
C:\WINDOWS\SYSTEM32\k0pm0a~1.dll Fri 3 Dec 2004 19:49:54 ..S.R 222 979 217,75 K
C:\WINDOWS\SYSTEM32\kedinbe1.dll Thu 2 Dec 2004 16:32:22 ..S.R 223 125 217,89 K
C:\WINDOWS\SYSTEM32\kt8ol7~1.dll Sat 4 Dec 2004 10:46:28 ..S.R 225 287 220,00 K
C:\WINDOWS\SYSTEM32\ktr4l7~1.dll Tue 30 Nov 2004 10:14:42 ..S.R 222 956 217,73 K
C:\WINDOWS\SYSTEM32\l28mlc~1.dll Wed 1 Dec 2004 22:56:54 ..S.R 224 184 218,93 K
C:\WINDOWS\SYSTEM32\m2640c~1.dll Fri 3 Dec 2004 21:03:42 ..S.R 222 439 217,22 K
C:\WINDOWS\SYSTEM32\mvrml9~1.dll Sat 4 Dec 2004 16:16:26 ..S.R 222 807 217,58 K
C:\WINDOWS\SYSTEM32\n64slg~1.dll Fri 3 Dec 2004 16:40:32 ..S.R 224 992 219,72 K
C:\WINDOWS\SYSTEM32\nfdenb32.dll Fri 3 Dec 2004 18:45:14 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\nkwrsno.dll Fri 3 Dec 2004 21:03:42 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\p26s0c~1.dll Fri 3 Dec 2004 20:28:02 ..S.R 222 589 217,37 K
C:\WINDOWS\SYSTEM32\q4nu0e~1.dll Mon 29 Nov 2004 8:42:54 ..S.R 222 927 217,70 K
C:\WINDOWS\SYSTEM32\rfm.dll Thu 2 Dec 2004 16:42:50 ..S.R 226 155 220,85 K
C:\WINDOWS\SYSTEM32\s6rslg~1.dll Sat 4 Dec 2004 16:22:46 ..S.R 223 106 217,88 K
C:\WINDOWS\SYSTEM32\sns.dll Fri 3 Dec 2004 16:50:58 ..S.R 223 246 218,01 K
=============================================================================
No Guard.tmp in c:\Windows\System32 folder
=============================================================================
Find It.zip log is here:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 08:12 <DIR> dllcache
10/12/2004 08:10 222˙887 dqdmo.dll
10/12/2004 08:10 224˙422 irlql5351.dll
09/12/2004 21:04 222˙887 dn4201hoe.dll
07/12/2004 07:47 224˙277 jt0o07d3e.dll
05/12/2004 07:35 225˙511 f62m0gf1e62.dll
04/12/2004 22:16 222˙876 d40m0ed1eh0.dll
04/12/2004 19:18 225˙635 eicapi.dll
04/12/2004 18:14 223˙721 fwifs.dll
04/12/2004 16:31 223˙537 dnl4013qe.dll
04/12/2004 16:22 223˙106 s6rslg9716.dll
04/12/2004 16:16 222˙807 mvrml9911.dll
04/12/2004 13:34 225˙998 aza0019me.dll
04/12/2004 13:09 222˙884 gpnol3531.dll
04/12/2004 10:46 225˙287 kt8ol7l31.dll
04/12/2004 08:08 223˙204 hrn2055oe.dll
03/12/2004 22:43 224˙150 en02l1do1.dll
03/12/2004 21:24 222˙368 h02o0af3ed2.dll
03/12/2004 21:16 222˙855 irr2l59o1.dll
03/12/2004 21:03 226˙243 nkwrsno.dll
03/12/2004 21:03 222˙439 m2640cjqefoe0.dll
03/12/2004 20:28 222˙589 p26s0cj7efo.dll
03/12/2004 19:49 222˙979 k0pm0a71ed.dll
03/12/2004 19:49 223˙216 d6j02g1mg6.dll
03/12/2004 18:45 226˙243 nfdenb32.dll
03/12/2004 18:43 225˙948 dnj8011ue.dll
03/12/2004 16:50 223˙246 sns.dll
03/12/2004 16:40 224˙992 n64slgh7164.dll
03/12/2004 06:42 223˙110 ftclient.dll
02/12/2004 19:48 223˙084 dnnm0151e.dll
02/12/2004 17:14 223˙082 czl3d32.dll
02/12/2004 16:42 226˙155 rfm.dll
02/12/2004 16:32 223˙125 kedinbe1.dll
01/12/2004 23:32 224˙469 cjmcat.dll
01/12/2004 22:56 224˙184 l28mlcl11fq.dll
01/12/2004 22:40 223˙532 k0lq0a35ed.dll
01/12/2004 22:29 223˙279 jtp2077oe.dll
01/12/2004 08:15 226˙116 hr8u05l9e.dll
30/11/2004 10:14 222˙956 ktr4l79q1.dll
30/11/2004 09:59 223˙230 g4402ehmgh4a2.dll
30/11/2004 09:48 225˙938 dnr0019me.dll
29/11/2004 19:03 223˙286 jt4607hse.dll
29/11/2004 08:42 222˙927 q4nu0e59eh.dll
29/10/2004 20:38 <DIR> Microsoft
42 File(s) 9˙404˙780 bytes
2 Dir(s) 63˙011˙893˙248 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 08:12 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4˙721 bytes
1 Dir(s) 63˙011˙893˙248 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 08:11 1˙688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713˙216 SET1D5.tmp
29/08/2002 13:00 2˙577 CONFIG.TMP
3 File(s) 717˙481 bytes
0 Dir(s) 63˙011˙889˙152 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RunOnce]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dn4201hoe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
:hiding:
Buckeye_Sam
10 Dec 2004, 2:05pm
Good job on the logs! I can see what we need to do. Can you check to see if your Recycle Bin is working properly?
One thing I forgot to mention in the previous post. Do not reboot or log off until we complete this fix. If you have since the last post, I will need you to run the tools again and post new logs. I don't want to give further instructions until that is confirmed.
In the meantime, download this tool and unzip it to the desktop. We will need it later.
http://www.downloads.subratam.org/KillBox.zip
Also please post a new hijackthis log.
tartalacrème
10 Dec 2004, 4:21pm
Oops... I have left home since then, so I shut the computer down. As soon as I can, I will send you everything back... :buck:
tartalacrème
10 Dec 2004, 10:21pm
VX2 Finder has found the following:
Files Found---
Additional Files---
Keys Under Notify---
ThemeManager
Guardian Key--- is called:
User Agent String---
{F1102748-C700-4A72-B672-35005F373415}
============================
Guard.tmp is still not a piece of cake from system32.
============================
Dll compare:
C:\WINDOWS\SYSTEM32\aza001~1.dll Sat 4 Dec 2004 13:34:54 ..S.R 225 998 220,70 K
C:\WINDOWS\SYSTEM32\cjmcat.dll Wed 1 Dec 2004 23:32:16 ..S.R 224 469 219,21 K
C:\WINDOWS\SYSTEM32\czl3d32.dll Thu 2 Dec 2004 17:14:30 ..S.R 223 082 217,85 K
C:\WINDOWS\SYSTEM32\d40m0e~1.dll Sat 4 Dec 2004 22:16:26 ..S.R 222 876 217,65 K
C:\WINDOWS\SYSTEM32\d6j02g~1.dll Fri 3 Dec 2004 19:49:48 ..S.R 223 216 217,98 K
C:\WINDOWS\SYSTEM32\dnj801~1.dll Fri 3 Dec 2004 18:43:36 ..S.R 225 948 220,65 K
C:\WINDOWS\SYSTEM32\dnl401~1.dll Sat 4 Dec 2004 16:31:58 ..S.R 223 537 218,30 K
C:\WINDOWS\SYSTEM32\dnnm01~1.dll Thu 2 Dec 2004 19:48:08 ..S.R 223 084 217,86 K
C:\WINDOWS\SYSTEM32\dnp201~1.dll Fri 10 Dec 2004 19:58:14 ..S.R 224 693 219,43 K
C:\WINDOWS\SYSTEM32\dnr001~1.dll Tue 30 Nov 2004 9:48:02 ..S.R 225 938 220,64 K
C:\WINDOWS\SYSTEM32\eicapi.dll Sat 4 Dec 2004 19:18:14 ..S.R 225 635 220,34 K
C:\WINDOWS\SYSTEM32\en02l1~1.dll Fri 3 Dec 2004 22:43:22 ..S.R 224 150 218,89 K
C:\WINDOWS\SYSTEM32\f62m0g~1.dll Sun 5 Dec 2004 7:35:32 ..S.R 225 511 220,22 K
C:\WINDOWS\SYSTEM32\ftclient.dll Fri 3 Dec 2004 6:42:50 ..S.R 223 110 217,88 K
C:\WINDOWS\SYSTEM32\fwifs.dll Sat 4 Dec 2004 18:14:12 ..S.R 223 721 218,48 K
C:\WINDOWS\SYSTEM32\g4402e~1.dll Tue 30 Nov 2004 9:59:10 ..S.R 223 230 217,99 K
C:\WINDOWS\SYSTEM32\gpnol3~1.dll Sat 4 Dec 2004 13:09:42 ..S.R 222 884 217,66 K
C:\WINDOWS\SYSTEM32\h02o0a~1.dll Fri 3 Dec 2004 21:24:34 ..S.R 222 368 217,16 K
C:\WINDOWS\SYSTEM32\hr8u05~1.dll Wed 1 Dec 2004 8:15:40 ..S.R 226 116 220,82 K
C:\WINDOWS\SYSTEM32\hrn205~1.dll Sat 4 Dec 2004 8:08:50 ..S.R 223 204 217,97 K
C:\WINDOWS\SYSTEM32\irr2l5~1.dll Fri 3 Dec 2004 21:16:22 ..S.R 222 855 217,63 K
C:\WINDOWS\SYSTEM32\jt0o07~1.dll Tue 7 Dec 2004 7:47:02 ..S.R 224 277 219,02 K
C:\WINDOWS\SYSTEM32\jt4607~1.dll Mon 29 Nov 2004 19:03:22 ..S.R 223 286 218,05 K
C:\WINDOWS\SYSTEM32\jtp207~1.dll Wed 1 Dec 2004 22:29:24 ..S.R 223 279 218,04 K
C:\WINDOWS\SYSTEM32\k0lq0a~1.dll Wed 1 Dec 2004 22:40:34 ..S.R 223 532 218,29 K
C:\WINDOWS\SYSTEM32\k0pm0a~1.dll Fri 3 Dec 2004 19:49:54 ..S.R 222 979 217,75 K
C:\WINDOWS\SYSTEM32\kedinbe1.dll Thu 2 Dec 2004 16:32:22 ..S.R 223 125 217,89 K
C:\WINDOWS\SYSTEM32\kt8ol7~1.dll Sat 4 Dec 2004 10:46:28 ..S.R 225 287 220,00 K
C:\WINDOWS\SYSTEM32\ktr4l7~1.dll Tue 30 Nov 2004 10:14:42 ..S.R 222 956 217,73 K
C:\WINDOWS\SYSTEM32\l28mlc~1.dll Wed 1 Dec 2004 22:56:54 ..S.R 224 184 218,93 K
C:\WINDOWS\SYSTEM32\m2640c~1.dll Fri 3 Dec 2004 21:03:42 ..S.R 222 439 217,22 K
C:\WINDOWS\SYSTEM32\mv42l9~1.dll Fri 10 Dec 2004 21:49:42 ..S.R 225 942 220,64 K
C:\WINDOWS\SYSTEM32\mvrml9~1.dll Sat 4 Dec 2004 16:16:26 ..S.R 222 807 217,58 K
C:\WINDOWS\SYSTEM32\n64slg~1.dll Fri 3 Dec 2004 16:40:32 ..S.R 224 992 219,72 K
C:\WINDOWS\SYSTEM32\nfdenb32.dll Fri 3 Dec 2004 18:45:14 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\nkwrsno.dll Fri 3 Dec 2004 21:03:42 ..S.R 226 243 220,94 K
C:\WINDOWS\SYSTEM32\p26s0c~1.dll Fri 3 Dec 2004 20:28:02 ..S.R 222 589 217,37 K
C:\WINDOWS\SYSTEM32\q4nu0e~1.dll Mon 29 Nov 2004 8:42:54 ..S.R 222 927 217,70 K
C:\WINDOWS\SYSTEM32\rfm.dll Thu 2 Dec 2004 16:42:50 ..S.R 226 155 220,85 K
C:\WINDOWS\SYSTEM32\s6rslg~1.dll Sat 4 Dec 2004 16:22:46 ..S.R 223 106 217,88 K
C:\WINDOWS\SYSTEM32\sns.dll Fri 3 Dec 2004 16:50:58 ..S.R 223 246 218,01 K
C:\WINDOWS\SYSTEM32\wofeman.dll Fri 10 Dec 2004 21:49:42 ..S.R 224 693 219,43 K
===================================
Hijack this new log:
Logfile of HijackThis v1.98.2
Scan saved at 22:05:57, on 10/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\notepad.exe
C:\My Downloads\trojan\HijackThis.exe
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
===============================
Indeed this stupid bin is not working properly, since it says that there are 6 items to be deleted when nothing is in the bin... bizarre...
===============================
I leave the computer on.
Good luck! :thumbsup:
Buckeye_Sam
11 Dec 2004, 6:40am
I also need the log from find.bat
Double-click on Find.bat. It will run for a minute, then produce a log. Please copy and paste that log here.
Have you downloaded Killbox? We'll fix the recycle bin once we get rid of everything. In the meantime just be aware that anything you delete will probably not go to your recycle bin.
tartalacrème
11 Dec 2004, 7:43am
Sorry, I just woke up! Here it is:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
10/12/2004 21:49 224˙693 wofeman.dll
10/12/2004 21:49 225˙942 mv42l9ho1.dll
10/12/2004 19:58 224˙693 dnp2017oe.dll
07/12/2004 07:47 224˙277 jt0o07d3e.dll
05/12/2004 07:35 225˙511 f62m0gf1e62.dll
04/12/2004 22:16 222˙876 d40m0ed1eh0.dll
04/12/2004 19:18 225˙635 eicapi.dll
04/12/2004 18:14 223˙721 fwifs.dll
04/12/2004 16:31 223˙537 dnl4013qe.dll
04/12/2004 16:22 223˙106 s6rslg9716.dll
04/12/2004 16:16 222˙807 mvrml9911.dll
04/12/2004 13:34 225˙998 aza0019me.dll
04/12/2004 13:09 222˙884 gpnol3531.dll
04/12/2004 10:46 225˙287 kt8ol7l31.dll
04/12/2004 08:08 223˙204 hrn2055oe.dll
03/12/2004 22:43 224˙150 en02l1do1.dll
03/12/2004 21:24 222˙368 h02o0af3ed2.dll
03/12/2004 21:16 222˙855 irr2l59o1.dll
03/12/2004 21:03 226˙243 nkwrsno.dll
03/12/2004 21:03 222˙439 m2640cjqefoe0.dll
03/12/2004 20:28 222˙589 p26s0cj7efo.dll
03/12/2004 19:49 222˙979 k0pm0a71ed.dll
03/12/2004 19:49 223˙216 d6j02g1mg6.dll
03/12/2004 18:45 226˙243 nfdenb32.dll
03/12/2004 18:43 225˙948 dnj8011ue.dll
03/12/2004 16:50 223˙246 sns.dll
03/12/2004 16:40 224˙992 n64slgh7164.dll
03/12/2004 06:42 223˙110 ftclient.dll
02/12/2004 19:48 223˙084 dnnm0151e.dll
02/12/2004 17:14 223˙082 czl3d32.dll
02/12/2004 16:42 226˙155 rfm.dll
02/12/2004 16:32 223˙125 kedinbe1.dll
01/12/2004 23:32 224˙469 cjmcat.dll
01/12/2004 22:56 224˙184 l28mlcl11fq.dll
01/12/2004 22:40 223˙532 k0lq0a35ed.dll
01/12/2004 22:29 223˙279 jtp2077oe.dll
01/12/2004 08:15 226˙116 hr8u05l9e.dll
30/11/2004 10:14 222˙956 ktr4l79q1.dll
30/11/2004 09:59 223˙230 g4402ehmgh4a2.dll
30/11/2004 09:48 225˙938 dnr0019me.dll
29/11/2004 19:03 223˙286 jt4607hse.dll
29/11/2004 08:42 222˙927 q4nu0e59eh.dll
29/10/2004 20:38 <DIR> Microsoft
42 File(s) 9˙409˙912 bytes
2 Dir(s) 63˙042˙990˙080 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4˙721 bytes
1 Dir(s) 63˙042˙990˙080 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 21:50 1˙688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713˙216 SET1D5.tmp
29/08/2002 13:00 2˙577 CONFIG.TMP
3 File(s) 717˙481 bytes
0 Dir(s) 63˙042˙990˙080 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnp2017oe.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
tartalacrème
11 Dec 2004, 7:57am
And yes, for Killbox: I have it. I understand that I should wait before running it? :eek:
Buckeye_Sam
11 Dec 2004, 8:35am
Copy this post to notepad and save it on your desktop so you can copy and paste exactly as written. Disconnect from the internet.
Next, start Killbox and click on Tools->Delete Temp Files.
When that finishes, copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox, and click the red button with the white X on it after each. Keep track of any files it tells you either could not be found or could not be deleted, as you'll need those in a minute:
C:\WINDOWS\SYSTEM32\aza0019me.dll
C:\WINDOWS\SYSTEM32\cjmcat.dll
C:\WINDOWS\SYSTEM32\czl3d32.dll
C:\WINDOWS\SYSTEM32\d40m0ed1eh0.dll
C:\WINDOWS\SYSTEM32\d6j02g1mg6.dll
C:\WINDOWS\SYSTEM32\dnj8011ue.dll
C:\WINDOWS\SYSTEM32\dnl4013qe.dll
C:\WINDOWS\SYSTEM32\dnnm0151e.dll
C:\WINDOWS\SYSTEM32\dnp2017oe.dll
C:\WINDOWS\SYSTEM32\dnr0019me.dll
C:\WINDOWS\SYSTEM32\eicapi.dll
C:\WINDOWS\SYSTEM32\en02l1do1.dll
C:\WINDOWS\SYSTEM32\f62m0gf1e62.dll
C:\WINDOWS\SYSTEM32\ftclient.dll
C:\WINDOWS\SYSTEM32\fwifs.dll
C:\WINDOWS\SYSTEM32\g4402ehmgh4a2.dll
C:\WINDOWS\SYSTEM32\gpnol3531.dll
C:\WINDOWS\SYSTEM32\h02o0af3ed2.dll
C:\WINDOWS\SYSTEM32\hr8u05l9e.dll
C:\WINDOWS\SYSTEM32\hrn2055oe.dll
C:\WINDOWS\SYSTEM32\irr2l59o1.dll
C:\WINDOWS\SYSTEM32\jt0o07d3e.dll
C:\WINDOWS\SYSTEM32\jt4607hse.dll
C:\WINDOWS\SYSTEM32\jtp2077oe.dll
C:\WINDOWS\SYSTEM32\k0lq0a35ed.dll
C:\WINDOWS\SYSTEM32\k0pm0a71ed.dll
C:\WINDOWS\SYSTEM32\kedinbe1.dll
C:\WINDOWS\SYSTEM32\kt8ol7l31.dll
C:\WINDOWS\SYSTEM32\ktr4l79q1.dll
C:\WINDOWS\SYSTEM32\l28mlcl11fq.dll
C:\WINDOWS\SYSTEM32\m2640cjqefoe0.dll
C:\WINDOWS\SYSTEM32\mv42l9ho1.dll
C:\WINDOWS\SYSTEM32\mvrml9911.dll
C:\WINDOWS\SYSTEM32\n64slgh7164.dll
C:\WINDOWS\SYSTEM32\nfdenb32.dll
C:\WINDOWS\SYSTEM32\nkwrsno.dll
C:\WINDOWS\SYSTEM32\p26s0cj7efo.dll
C:\WINDOWS\SYSTEM32\q4nu0e59eh.dll
C:\WINDOWS\SYSTEM32\rfm.dll
C:\WINDOWS\SYSTEM32\s6rslg9716.dll
C:\WINDOWS\SYSTEM32\sns.dll
C:\WINDOWS\SYSTEM32\wofeman.dll
For the files that it either couldn't find or couldn't delete, run killbox again, but this time, put a mark next to "Delete on Reboot". Copy and paste each file into the file name box, then click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No" until after you've pasted the last file name, at which time you should answer "Yes".
When it reboots, please post a new Find.bat log and a new Hijack This log.
tartalacrème
11 Dec 2004, 9:12am
Here are the logs:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
Find.bat:
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63˙042˙265˙088 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4˙721 bytes
1 Dir(s) 63˙042˙265˙088 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 08:57 1˙688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713˙216 SET1D5.tmp
29/08/2002 13:00 2˙577 CONFIG.TMP
3 File(s) 717˙481 bytes
0 Dir(s) 63˙042˙265˙088 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
===============================================
Hijack this:
Logfile of HijackThis v1.98.2
Scan saved at 09:00:01, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = /µ
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
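The logs above are being cross-checked by eye: which Winlogon\Notify package is not one of Windows' own, which DLL it loads, whether that DLL is one of the same-sized random-named files in System32, and which HOSTS lines send several search hostnames to one outside address. The script below is an added example that automates exactly that triage over find.bat and HijackThis output; it is not one of the tools used in this thread. The sample log text embedded in it is a trimmed copy of the find.bat and HijackThis output posted above, and the list of Windows XP's built-in Notify packages and the 220-230 KB size band are assumptions of the example, not facts stated in the thread.

```python
"""Triage helper for find.bat / HijackThis logs (added example, not a tool from the thread)."""
import re
from collections import defaultdict

# Assumed baseline: Winlogon notification packages that ship with Windows XP.
# Anything else under Winlogon\Notify deserves a look.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

# Constructed sample: a trimmed copy of the find.bat output posted in the thread.
FIND_LOG = r"""
------- System Files in System32 Directory -------
 Directory of C:\WINDOWS\System32
10/12/2004 22:10 <DIR> dllcache
10/12/2004 21:49 224 693 wofeman.dll
10/12/2004 21:49 225 942 mv42l9ho1.dll
10/12/2004 19:58 224 693 dnp2017oe.dll
29/10/2004 20:38 <DIR> Microsoft
------- Hidden Files in System32 Directory -------
09/12/2002 21:35 488 logonui.exe.manifest
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ThemeManager]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\dnp2017oe.dll"
"Logon"="WinLogon"
"""

# Constructed sample: a few HijackThis lines from the same posts.
HJT_LOG = r"""
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
"""

_DIR_LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2})\s+(.+?)\s+(\S+)$")
_NOTIFY_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\.*\\Winlogon\\Notify\\([^\]\\]+)\]$", re.I)
_DLLNAME = re.compile(r'^"DllName"="(.*)"$')
_HOSTS = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_dir_listing(text):
    """Map file name -> size in bytes from 'dir'-style rows; <DIR> rows are skipped."""
    files = {}
    for line in text.splitlines():
        m = _DIR_LINE.match(line.strip())
        if not m:
            continue
        digits = re.sub(r"\D", "", m.group(3))  # tolerate locale thousands separators
        if digits:
            files[m.group(4)] = int(digits)
    return files


def parse_notify(text):
    """Map Winlogon\\Notify package name -> DllName from a REGEDIT4 export."""
    packages, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _NOTIFY_KEY.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("["):
            current = None  # some other key: stop attributing values to a package
            continue
        m = _DLLNAME.match(line)
        if m and current:
            packages[current] = m.group(1).replace("\\\\", "\\")
    return packages


def parse_hosts(hjt_text):
    """Group HijackThis O1 (HOSTS) lines by target IP -> sorted unique hostnames."""
    by_ip = defaultdict(set)
    for line in hjt_text.splitlines():
        m = _HOSTS.match(line.strip())
        if m:
            by_ip[m.group(1)].add(m.group(2))
    return {ip: sorted(names) for ip, names in by_ip.items()}


def size_band_candidates(files, low=220_000, high=230_000):
    """DLLs whose size sits in [low, high]: the dropper writes near-identical copies under random names."""
    return sorted(n for n, s in files.items() if n.lower().endswith(".dll") and low <= s <= high)


def triage(find_log, hjt_log, loopback=("127.0.0.1", "::1")):
    """Return the four findings a helper would pull from the logs by hand."""
    files = parse_dir_listing(find_log)
    notify = parse_notify(find_log)
    candidates = size_band_candidates(files)
    notify_suspects = sorted((pkg, dll) for pkg, dll in notify.items()
                             if pkg not in KNOWN_NOTIFY_PACKAGES)
    # A suspect Notify DLL that is also a size-band file ties the persistence key to the payload copies.
    lowered = {c.lower() for c in candidates}
    linked = sorted(dll.rsplit("\\", 1)[-1] for _, dll in notify_suspects
                    if dll.rsplit("\\", 1)[-1].lower() in lowered)
    hosts_hijack = {ip: names for ip, names in parse_hosts(hjt_log).items()
                    if ip not in loopback and len(names) >= 2}
    return {"candidates": candidates, "notify_suspects": notify_suspects,
            "linked": linked, "hosts_hijack": hosts_hijack}


if __name__ == "__main__":
    for key, value in triage(FIND_LOG, HJT_LOG).items():
        print(f"{key}: {value}")
```

Run it on a fresh find.bat log each time the machine is rebooted: because the Notify DLL is loaded inside winlogon.exe, the package name and DllName change between runs (RunOnce, then ThemeManager, then Applets in this thread), and diffing two reports shows whether the persistence key was actually removed or merely renamed.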
Buckeye_Sam
11 Dec 2004, 2:26pm
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
; the leading hyphen tells regedit to delete the key rather than create it
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Next, start Killbox again and put a mark next to delete on reboot. Copy and paste this line into the "Full Path of File to Delete" box, clicking the red button with the white X on it. Then answer Yes to reboot:
C:\WINDOWS\system32\mv42l9ho1.dll
Then open VX2Finder which you ran earlier.
1) Click "Click To find Find VX2.Abetterinternet"
2) Click "User Agent$"
3) Click "Restore Policy" (requires reboot to apply).
After the above ...
4) Click "Click To find Find VX2.Abetterinternet" and post the log
Please post a new hijackthis log, find.bat log, and the VX2 Finder log. How is your computer running?
tartalacrème
11 Dec 2004, 8:54pm
I did everything you wrote; however, once I click on the white X, I first get the question whether I want to delete and reboot. I click yes, then I get:
"PendingFileRenameOperations RegistryData has been removed by external process!
OK"
So the process you indicated to me does not work until the end. What do you think?
tartalacrème
11 Dec 2004, 9:50pm
I did what you wrote but when I try to delete and reboot I get this:
"PendingFileRenameOperationsRegistryData has been removed by external process! OK"
What do you think? I have not rebooted the computer manually so far.
Buckeye_Sam
11 Dec 2004, 9:56pm
Please post a new log for find.bat and a new hijackthis log.
tartalacrème
11 Dec 2004, 10:27pm
Here is find bat:
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 19:08 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63˙037˙792˙256 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 19:08 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4˙721 bytes
1 Dir(s) 63˙037˙792˙256 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 08:57 1˙688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713˙216 SET1D5.tmp
29/08/2002 13:00 2˙577 CONFIG.TMP
3 File(s) 717˙481 bytes
0 Dir(s) 63˙037˙792˙256 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
===========================================================
Here is Hijack:
Logfile of HijackThis v1.98.2
Scan saved at 22:14:52, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = /µ
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Buckeye_Sam
11 Dec 2004, 10:46pm
Let's try it again.
Next, start Killbox again and put a mark next to delete on reboot. Copy and paste this line into the "Full Path of File to Delete" box, then click the red button with the white X on it. Then answer Yes to reboot:
C:\WINDOWS\system32\mv42l9ho1.dll
Reboot manually if it doesn't reboot automatically.
After reboot post a new hijackthis log and find.bat log.
tartalacrème
11 Dec 2004, 10:59pm
The same happened. Here is Hijack:
Logfile of HijackThis v1.98.2
Scan saved at 22:44:58, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = /µ
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
==================================
Find.bat
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:39 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63˙047˙077˙888 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:39 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4˙721 bytes
1 Dir(s) 63˙047˙077˙888 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:43 1˙688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713˙216 SET1D5.tmp
29/08/2002 13:00 2˙577 CONFIG.TMP
3 File(s) 717˙481 bytes
0 Dir(s) 63˙047˙077˙888 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
Buckeye_Sam
11 Dec 2004, 11:04pm
Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
Show hidden files
http://www.short-media.com/forum/showpost.php?p=172588&postcount=3
See if you can find and delete this file:
C:\WINDOWS\system32\mv42l9ho1.dll
Let me know if you can't find it.
Reboot and post a new find.bat log and hijackthis log.
tartalacrème
11 Dec 2004, 11:14pm
No mv42l9ho1.dll in system32.
Here are the logs:
Logfile of HijackThis v1.98.2
Scan saved at 23:00:10, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = /µ
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
=======================
Find.bat
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:00 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63˙043˙862˙528 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:00 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4˙721 bytes
1 Dir(s) 63˙043˙862˙528 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 22:43 1˙688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713˙216 SET1D5.tmp
29/08/2002 13:00 2˙577 CONFIG.TMP
3 File(s) 717˙481 bytes
0 Dir(s) 63˙043˙862˙528 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
tartalacrème
11 Dec 2004, 11:20pm
Sorry I forgot to reboot, here are the logs after reboot:
Logfile of HijackThis v1.98.2
Scan saved at 23:05:03, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\My Downloads\trojan\HijackThis.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
================================
Find.bat
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.
------- System Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:06 <DIR> dllcache
29/10/2004 20:38 <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 63˙045˙488˙640 bytes free
------- Hidden Files in System32 Directory -------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:06 <DIR> dllcache
09/12/2002 21:35 488 logonui.exe.manifest
09/12/2002 21:35 488 WindowsLogon.manifest
09/12/2002 21:35 749 nwc.cpl.manifest
09/12/2002 21:35 749 sapi.cpl.manifest
09/12/2002 21:35 749 ncpa.cpl.manifest
09/12/2002 21:35 749 wuaucpl.cpl.manifest
09/12/2002 21:35 749 cdplayer.exe.manifest
7 File(s) 4 721 bytes
1 Dir(s) 63 045 488 640 bytes free
---------- Files Named "Guard" -------------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
--------- Temp Files in System32 Directory --------
Volume in drive C has no label.
Volume Serial Number is B8F2-BEF1
Directory of C:\WINDOWS\System32
11/12/2004 23:04 1 688 TRJ_NTAUTO.TMP
04/08/2004 08:56 713 216 SET1D5.tmp
29/08/2002 13:00 2 577 CONFIG.TMP
3 File(s) 717 481 bytes
0 Dir(s) 63 045 488 640 bytes free
---------------- User Agent ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{F1102748-C700-4A72-B672-35005F373415}"=""
------------ Keys Under Notify ------------
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
---------------- Xfind Results -----------------
'Xfind' is not recognized as an internal or external command,
operable program or batch file.
-------------- Locate.com Results ---------------
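What the Find.bat output above actually shows: the package called Applets under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify points at C:\WINDOWS\system32\mv42l9ho1.dll. Winlogon loads every Notify package into winlogon.exe at logon, so a DLL registered there runs before the desktop is up and stays loaded while the machine is in use, which is why file-level scanners keep reporting the same remnants. The script below is an added example and is not part of Find.bat, HijackThis or any other tool named in this thread: it parses a REGEDIT4 export like the one above and reports Notify packages that are not on a stock XP SP2 list, whose DLL name looks machine-generated, or whose DllName carries a full path. The stock-package list, the naming heuristic and the sample export are assumptions constructed for the example.

```python
"""Triage the "Keys Under Notify" section of a Find.bat run.

Added example for this thread; it is not part of Find.bat, HijackThis or any
tool named on the page. The stock-package list and the name heuristic are
assumptions, marked as such below.
"""
import re

# Winlogon Notify packages on a stock Windows XP SP2 install (assumed allow-list:
# confirm against a known-clean machine of the same build before relying on it).
STOCK_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

_SECTION = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<val>.+)$')


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}.

    Covers the two value kinds present in the export above: quoted strings
    (doubled backslashes collapsed) and dword:XXXXXXXX (returned as int).
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = _SECTION.match(line)
        if m:
            current = m.group("key")
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if m and current is not None:
            val = m.group("val").strip()
            if val.startswith('"') and val.endswith('"'):
                val = val[1:-1].replace("\\\\", "\\")
            elif val.lower().startswith("dword:"):
                val = int(val[6:], 16)
            keys[current][m.group("name")] = val
    return keys


def looks_random(stem):
    """Heuristic for machine-generated names: many letter/digit switches.

    mv42l9ho1 switches 5 times, crypt32chain 2, nvsvc32 1. The threshold is an
    assumption; tune it against your own baseline of legitimate names.
    """
    switches = sum(1 for a, b in zip(stem, stem[1:]) if a.isdigit() != b.isdigit())
    return sum(c.isdigit() for c in stem) >= 2 and switches >= 3


def audit_notify(export_text):
    """Return [(package, dll, [reasons])] for every Notify package worth a look.

    Every package under the Winlogon Notify key is a DLL that winlogon.exe
    loads at logon, so anything non-stock here is a high-value persistence point.
    """
    prefix = (NOTIFY_KEY + "\\").lower()
    findings = []
    for key, values in parse_regedit4(export_text).items():
        if not key.lower().startswith(prefix):
            continue
        package = key[len(prefix):]
        dll = str(values.get("DllName", ""))
        reasons = []
        if package.lower() not in STOCK_NOTIFY:
            reasons.append("package name not in the stock XP SP2 list")
        name = dll.rsplit("\\", 1)[-1]
        if looks_random(name.rsplit(".", 1)[0]):
            reasons.append("DLL name looks machine-generated")
        if "\\" in dll:
            # Stock entries name a bare DLL resolved from system32; a full path
            # is not malicious by itself, just unusual enough to note.
            reasons.append("DllName carries a full path instead of a bare name")
        if reasons:
            findings.append((package, dll, reasons))
    return findings


# Constructed sample: the Applets entry from the Find.bat output above plus one
# stock package, so the allow-list path is exercised as well.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mv42l9ho1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"
'''

if __name__ == "__main__":
    for package, dll, reasons in audit_notify(SAMPLE_EXPORT):
        print(f"{package}: {dll}")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it against a real export (regedit, File > Export of the Notify key, saved as Win9x/NT4 .reg format) by reading the file into audit_notify. A hit here is a reason to delete the key and the DLL from outside the running system (Recovery Console or safe mode), not just to run another scanner against it.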
Buckeye_Sam
11 Dec 2004, 11:23pm
Ok, we're looking better now. How's your computer running?
I want to run one more scan to possibly pick up any remnants that we missed.
Download and install Adaware. Once installed, look in the bottom right corner and click on Check for updates now and download the latest reference files.
http://www.lavasoftusa.com/software/adaware/
Download and install the VX2 Cleaner addon for Adaware. Instructions are on this page.
http://www.lavasoftusa.com/software/addons/vx2cleaner.shtml
Reboot and post a hijackthis log.
tartalacrème
11 Dec 2004, 11:42pm
I still get alerts from Perfect Process such as "Divx4 codec c:\windows\system32\devldr32.exe added as the result of an unknown virus"; then I click on delete, but the window keeps appearing every now and then, as well as Spy Sweeper telling me that my IE home address has been changed, etc.
Logfile of HijackThis v1.98.2
Scan saved at 23:25:53, on 11/12/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\e-Wallet\InterPay.exe
C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe
C:\Program Files\Perfect Process\ppshield.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasDtServ.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\My Downloads\trojan\HijackThis.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [ABN AMRO e-Wallet] C:\Program Files\e-Wallet\InterPay.exe /dontopenmycards
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTek\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\GIANT Company Software\GIANT AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Perfect Process shield] C:\Program Files\Perfect Process\ppshield.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O9 - Extra button: Interpay - %VAR_IE_TOOLBAR_BUTTON_GUID% - C:\Program Files\e-Wallet\InterPay.exe
O9 - Extra button: TREND MICRO HouseCall - {2B5EA4F8-620A-4A8B-B003-4C8C5EBEA826} - http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php (file missing)
O9 - Extra button: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Failsafe\GuardIE\PnIE.dll,-100 - {BDD75188-2FC0-4099-909F-AA8D432BE037} - C:\Program Files\Failsafe\GuardIE\PnIE.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0990D180-4226-4530-9777-AB82315505B9} - https://ewallet.abnamro.nl/AABdownload/oinstall.cab
O16 - DPF: {2A32B14F-4D29-4EA3-AC54-E9B19F436CE7} (Scanner Class) - http://www.windowsecurity.com/trojanscan/TDECntrl.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {7ED7005B-4AF6-4CFF-9AE0-F243C4B8260F} (HouseCallButton.setup) - http://de.trendmicro-europe.com/file_downloads/common/housecall/HouseCallButton.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {C81B5180-AFD1-41A3-97E1-99E8D254DB98} (CSS Web Installer Class) - http://www.freedom.net/viruscenter/onlineviruscheck/cabs/cssweb.cab
Buckeye_Sam
12 Dec 2004, 1:29am
Your log looks clean. There's a few more things you might do.
Boot into safe mode and empty the contents of each of these folders:
C:\Windows\Prefetch
C:\Windows\temp
C:\temp
Flush your system restore.
http://www.short-media.com/forum/showpost.php?p=172591&postcount=4
Make sure to keep your antivirus and anti-spyware apps fully updated.
tartalacrème
12 Dec 2004, 4:43pm
In safe mode I emptied C:\Windows\Prefetch and C:\temp; however, I could not access some files within C:\Windows\temp, such as cookies, history and temporary internet files, as well as a file called ~700000.tmp. The following window appeared when I tried them:
"...is not accessible. Access is denied".
But the most important thing is that the computer seems to have recovered from its anarchic promenade on the web: there are no wild pop-ups anymore, only Perfect Process complaining about a new virus every now and then, but I don't think that is a real threat since I ran several online antivirus scans successfully. Spy Sweeper keeps cool for more than one minute! I think you did a great job! Even if you are just doin' my job, ma'am! I hope that this has provided you with interesting observations that you will be able to use for other cases. I will advertise your forum.
tartalacrème
16 Dec 2004, 9:21am
Hi Buckeye_Sam! I am back because I just saw that my recycle bin is still stuck with 6 items while there is nothing inside. I keep trying to empty these items, but they keep coming back! Did we forget to fix anything?
Buckeye_Sam
17 Dec 2004, 12:10am
Yes, we did forget to fix that.
Click Start, Run and type cmd. Press OK.
A DOS window will open.
Type the following and then press Enter after typing each one:
attrib -h -s c:\recycler
del c:\recycler
Close the window and REBOOT.
Let me know if that does the trick.
tartalacrème
18 Dec 2004, 4:32pm
Well, there is some kind of improvement, since I do not get the message "do you want to delete these 6 items?" anymore. But when I create a document and try to delete it afterwards, nothing gets to the bin, which remains empty.
Buckeye_Sam
18 Dec 2004, 9:40pm
Download this regfile and save to your desktop.
http://www.kellys-korner-xp.com/regs_edits/restorerecyclebin.reg
Double-click it, and then Ok it merging to the registry. Reboot and see if your recycle bin is working.
tartalacrème
20 Dec 2004, 8:05am
The bin is still not working.
Buckeye_Sam
20 Dec 2004, 11:37pm
Hmmmm....
Ok, let's try this.
Go to Start > Run and enter cmd This will open a command shell. Type or Copy and Paste in the following command and press Enter.
rd /s c:\recycler
tartalacrème
28 Dec 2004, 2:11pm
Recycle bin's still stuck!
tartalacrème
29 Dec 2004, 10:32am
My recycle bin is working now! I don't understand what happened.
Maybe it was afraid of being swept away by the magic intervention of Buckeye_Sam! Anyway, thank you.