NEED HELP REMOVING HOME SEARCH ASSISTANT (piojis76)

Unknown

hello all!! first let me start off by saying that i'm new to the short media family, and this is my 1st post. i've been trying to do a little reading before finally deciding to post, so i hope that i do this correctly. i really and truly need someones help. about a day or so ago, everything was working fine, then suddenly, i try to open the internet explorer, and the window opens, then suddenly closes. i searched in the control panel, add/remove programs, and saw the following 3 programs installed: 1. Shopping Wizard 2. Search Extender 3. Home Search Assistant, and when i attempt to delete any of the 3, it takes me to some random page, making it seem that it's going to uninstall the program, then the explorer window closes. mcafee then pops up and says something like, we've detected pwlxl.dll start page-du.dll trojan . so i've looked into the post on how to delete the home search assistant, and this is what i've done so far: 1. went into my computer, tools, folder options, view, and clicked on show hidden files folders 2. turned off the system restore 3. ran ad-aware se and removed anything that it found 4. ran spybot search and destroy, and "fixed" everything that it found 5. ran mcafee virusScan and deleted anything that it found 6. ran hsremove and deleted anything that came up there 7. ran CWshredder, nothing came up there 8. ran about buster and deleted the files that it found 9. and finally ran hijack this and i'm not sure if this is the correct thing to post, but here it goes:


Logfile of HijackThis v1.99.1
Scan saved at 12:13:01 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\mfcix.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {94A53935-C204-C7E0-8510-27AEF27FEAB9} - C:\WINDOWS\system32\apiew.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112160586\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\Run: [mfcix.exe] C:\WINDOWS\system32\mfcix.exe
O4 - HKLM\..\RunOnce: [apiqd.exe] C:\WINDOWS\system32\apiqd.exe
O4 - HKLM\..\RunOnce: [winjm.exe] C:\WINDOWS\system32\winjm.exe
O4 - HKLM\..\RunOnce: [mfcbk.exe] C:\WINDOWS\mfcbk.exe
O4 - HKLM\..\RunOnce: [crlo.exe] C:\WINDOWS\crlo.exe
O4 - HKLM\..\RunOnce: [adddl32.exe] C:\WINDOWS\system32\adddl32.exe
O4 - HKLM\..\RunOnce: [atldy.exe] C:\WINDOWS\atldy.exe
O4 - HKLM\..\RunOnce: [msit32.exe] C:\WINDOWS\msit32.exe
O4 - HKLM\..\RunOnce: [addya.exe] C:\WINDOWS\system32\addya.exe
O4 - HKLM\..\RunOnce: [crmc.exe] C:\WINDOWS\system32\crmc.exe
O4 - HKLM\..\RunOnce: [ipwv32.exe] C:\WINDOWS\ipwv32.exe
O4 - HKLM\..\RunOnce: [ntig32.exe] C:\WINDOWS\ntig32.exe
O4 - HKLM\..\RunOnce: [atlmc32.exe] C:\WINDOWS\system32\atlmc32.exe
O4 - HKLM\..\RunOnce: [netsh32.exe] C:\WINDOWS\netsh32.exe
O4 - HKLM\..\RunOnce: [msan32.exe] C:\WINDOWS\msan32.exe
O4 - HKLM\..\RunOnce: [sysid.exe] C:\WINDOWS\sysid.exe
O4 - HKLM\..\RunOnce: [sysnd32.exe] C:\WINDOWS\sysnd32.exe
O4 - HKLM\..\RunOnce: [mfcvo.exe] C:\WINDOWS\system32\mfcvo.exe
O4 - HKLM\..\RunOnce: [ieii.exe] C:\WINDOWS\system32\ieii.exe
O4 - HKLM\..\RunOnce: [sdkol32.exe] C:\WINDOWS\system32\sdkol32.exe
O4 - HKLM\..\RunOnce: [ieak.exe] C:\WINDOWS\system32\ieak.exe
O4 - HKLM\..\RunOnce: [appem.exe] C:\WINDOWS\system32\appem.exe
O4 - HKLM\..\RunOnce: [mskp.exe] C:\WINDOWS\mskp.exe
O4 - HKLM\..\RunOnce: [ntur.exe] C:\WINDOWS\system32\ntur.exe
O4 - HKLM\..\RunOnce: [atlam32.exe] C:\WINDOWS\atlam32.exe
O4 - HKLM\..\RunOnce: [winhl.exe] C:\WINDOWS\winhl.exe
O4 - HKLM\..\RunOnce: [apird.exe] C:\WINDOWS\system32\apird.exe
O4 - HKLM\..\RunOnce: [syswf32.exe] C:\WINDOWS\syswf32.exe
O4 - HKLM\..\RunOnce: [ieav32.exe] C:\WINDOWS\ieav32.exe
O4 - HKLM\..\RunOnce: [sdkfp.exe] C:\WINDOWS\sdkfp.exe
O4 - HKLM\..\RunOnce: [ntto32.exe] C:\WINDOWS\ntto32.exe
O4 - HKLM\..\RunOnce: [atlzq.exe] C:\WINDOWS\atlzq.exe
O4 - HKLM\..\RunOnce: [crho32.exe] C:\WINDOWS\system32\crho32.exe
O4 - HKLM\..\RunOnce: [netmq.exe] C:\WINDOWS\system32\netmq.exe
O4 - HKLM\..\RunOnce: [atlwr32.exe] C:\WINDOWS\system32\atlwr32.exe
O4 - HKLM\..\RunOnce: [ntrx.exe] C:\WINDOWS\system32\ntrx.exe
O4 - HKLM\..\RunOnce: [sdkum32.exe] C:\WINDOWS\sdkum32.exe
O4 - HKLM\..\RunOnce: [javafx.exe] C:\WINDOWS\system32\javafx.exe
O4 - HKLM\..\RunOnce: [iejb32.exe] C:\WINDOWS\system32\iejb32.exe
O4 - HKLM\..\RunOnce: [mfclj32.exe] C:\WINDOWS\mfclj32.exe
O4 - HKLM\..\RunOnce: [netib.exe] C:\WINDOWS\system32\netib.exe
O4 - HKLM\..\RunOnce: [nettd.exe] C:\WINDOWS\system32\nettd.exe
O4 - HKLM\..\RunOnce: [d3zt32.exe] C:\WINDOWS\d3zt32.exe
O4 - HKLM\..\RunOnce: [ievm32.exe] C:\WINDOWS\ievm32.exe
O4 - HKLM\..\RunOnce: [addhr32.exe] C:\WINDOWS\addhr32.exe
O4 - HKLM\..\RunOnce: [d3ax32.exe] C:\WINDOWS\d3ax32.exe
O4 - HKLM\..\RunOnce: [netwh32.exe] C:\WINDOWS\netwh32.exe
O4 - HKLM\..\RunOnce: [apitl32.exe] C:\WINDOWS\system32\apitl32.exe
O4 - HKLM\..\RunOnce: [msfg32.exe] C:\WINDOWS\system32\msfg32.exe
O4 - HKLM\..\RunOnce: [apirh32.exe] C:\WINDOWS\system32\apirh32.exe
O4 - HKLM\..\RunOnce: [netye32.exe] C:\WINDOWS\system32\netye32.exe
O4 - HKLM\..\RunOnce: [mfcth.exe] C:\WINDOWS\mfcth.exe
O4 - HKLM\..\RunOnce: [syssx32.exe] C:\WINDOWS\syssx32.exe
O4 - HKLM\..\RunOnce: [crqn.exe] C:\WINDOWS\system32\crqn.exe
O4 - HKLM\..\RunOnce: [apipc32.exe] C:\WINDOWS\system32\apipc32.exe
O4 - HKLM\..\RunOnce: [sdkit.exe] C:\WINDOWS\sdkit.exe
O4 - HKLM\..\RunOnce: [adduf.exe] C:\WINDOWS\system32\adduf.exe
O4 - HKLM\..\RunOnce: [mfcnf32.exe] C:\WINDOWS\mfcnf32.exe
O4 - HKLM\..\RunOnce: [ntdn.exe] C:\WINDOWS\ntdn.exe
O4 - HKLM\..\RunOnce: [ipmt.exe] C:\WINDOWS\system32\ipmt.exe
O4 - HKLM\..\RunOnce: [addlb32.exe] C:\WINDOWS\system32\addlb32.exe
O4 - HKLM\..\RunOnce: [mskq32.exe] C:\WINDOWS\mskq32.exe
O4 - HKLM\..\RunOnce: [iejg.exe] C:\WINDOWS\iejg.exe
O4 - HKLM\..\RunOnce: [mssg.exe] C:\WINDOWS\system32\mssg.exe
O4 - HKLM\..\RunOnce: [appiw32.exe] C:\WINDOWS\appiw32.exe
O4 - HKLM\..\RunOnce: [netyd32.exe] C:\WINDOWS\netyd32.exe
O4 - HKLM\..\RunOnce: [iesw32.exe] C:\WINDOWS\iesw32.exe
O4 - HKLM\..\RunOnce: [javaqm.exe] C:\WINDOWS\system32\javaqm.exe
O4 - HKLM\..\RunOnce: [addfr32.exe] C:\WINDOWS\addfr32.exe
O4 - HKLM\..\RunOnce: [appnz32.exe] C:\WINDOWS\appnz32.exe
O4 - HKLM\..\RunOnce: [netxa32.exe] C:\WINDOWS\system32\netxa32.exe
O4 - HKLM\..\RunOnce: [sysxa.exe] C:\WINDOWS\sysxa.exe
O4 - HKLM\..\RunOnce: [d3bm.exe] C:\WINDOWS\system32\d3bm.exe
O4 - HKLM\..\RunOnce: [sdklk32.exe] C:\WINDOWS\system32\sdklk32.exe
O4 - HKLM\..\RunOnce: [addls.exe] C:\WINDOWS\addls.exe
O4 - HKLM\..\RunOnce: [iepe.exe] C:\WINDOWS\system32\iepe.exe
O4 - HKLM\..\RunOnce: [mfcet32.exe] C:\WINDOWS\mfcet32.exe
O4 - HKLM\..\RunOnce: [ipub.exe] C:\WINDOWS\ipub.exe
O4 - HKLM\..\RunOnce: [cryf32.exe] C:\WINDOWS\system32\cryf32.exe
O4 - HKLM\..\RunOnce: [sdkif.exe] C:\WINDOWS\sdkif.exe
O4 - HKLM\..\RunOnce: [sdknc32.exe] C:\WINDOWS\system32\sdknc32.exe
O4 - HKLM\..\RunOnce: [sdkcz32.exe] C:\WINDOWS\sdkcz32.exe
O4 - HKLM\..\RunOnce: [atlhv32.exe] C:\WINDOWS\atlhv32.exe
O4 - HKLM\..\RunOnce: [javakh32.exe] C:\WINDOWS\system32\javakh32.exe
O4 - HKLM\..\RunOnce: [msol.exe] C:\WINDOWS\system32\msol.exe
O4 - HKLM\..\RunOnce: [crpl32.exe] C:\WINDOWS\crpl32.exe
O4 - HKLM\..\RunOnce: [crei32.exe] C:\WINDOWS\system32\crei32.exe
O4 - HKLM\..\RunOnce: [apiie.exe] C:\WINDOWS\system32\apiie.exe
O4 - HKLM\..\RunOnce: [appmq.exe] C:\WINDOWS\appmq.exe
O4 - HKLM\..\RunOnce: [ipcg32.exe] C:\WINDOWS\ipcg32.exe
O4 - HKLM\..\RunOnce: [crsn32.exe] C:\WINDOWS\crsn32.exe
O4 - HKLM\..\RunOnce: [sdknz.exe] C:\WINDOWS\sdknz.exe
O4 - HKLM\..\RunOnce: [atlug32.exe] C:\WINDOWS\atlug32.exe
O4 - HKLM\..\RunOnce: [syskw32.exe] C:\WINDOWS\system32\syskw32.exe
O4 - HKLM\..\RunOnce: [systm.exe] C:\WINDOWS\systm.exe
O4 - HKLM\..\RunOnce: [mfcib32.exe] C:\WINDOWS\system32\mfcib32.exe
O4 - HKLM\..\RunOnce: [ntzj32.exe] C:\WINDOWS\system32\ntzj32.exe
O4 - HKLM\..\RunOnce: [winhp32.exe] C:\WINDOWS\winhp32.exe
O4 - HKLM\..\RunOnce: [mfcxw32.exe] C:\WINDOWS\mfcxw32.exe
O4 - HKLM\..\RunOnce: [appsa.exe] C:\WINDOWS\appsa.exe
O4 - HKLM\..\RunOnce: [mszq32.exe] C:\WINDOWS\mszq32.exe
O4 - HKLM\..\RunOnce: [ntpf32.exe] C:\WINDOWS\system32\ntpf32.exe
O4 - HKLM\..\RunOnce: [sdkpv.exe] C:\WINDOWS\system32\sdkpv.exe
O4 - HKLM\..\RunOnce: [ntyv.exe] C:\WINDOWS\ntyv.exe
O4 - HKLM\..\RunOnce: [ienk32.exe] C:\WINDOWS\system32\ienk32.exe
O4 - HKLM\..\RunOnce: [addes32.exe] C:\WINDOWS\system32\addes32.exe
O4 - HKLM\..\RunOnce: [syshw.exe] C:\WINDOWS\syshw.exe
O4 - HKLM\..\RunOnce: [javagl32.exe] C:\WINDOWS\javagl32.exe
O4 - HKLM\..\RunOnce: [netwb32.exe] C:\WINDOWS\system32\netwb32.exe
O4 - HKLM\..\RunOnce: [netej.exe] C:\WINDOWS\netej.exe
O4 - HKLM\..\RunOnce: [apifr.exe] C:\WINDOWS\system32\apifr.exe
O4 - HKLM\..\RunOnce: [crug.exe] C:\WINDOWS\crug.exe
O4 - HKLM\..\RunOnce: [ntjv32.exe] C:\WINDOWS\ntjv32.exe
O4 - HKLM\..\RunOnce: [crxy.exe] C:\WINDOWS\crxy.exe
O4 - HKLM\..\RunOnce: [ntsc.exe] C:\WINDOWS\system32\ntsc.exe
O4 - HKLM\..\RunOnce: [msqz32.exe] C:\WINDOWS\msqz32.exe
O4 - HKLM\..\RunOnce: [addgg.exe] C:\WINDOWS\addgg.exe
O4 - HKLM\..\RunOnce: [apikc32.exe] C:\WINDOWS\system32\apikc32.exe
O4 - HKLM\..\RunOnce: [appul.exe] C:\WINDOWS\appul.exe
O4 - HKLM\..\RunOnce: [sdkut.exe] C:\WINDOWS\sdkut.exe
O4 - HKLM\..\RunOnce: [addpw32.exe] C:\WINDOWS\system32\addpw32.exe
O4 - HKLM\..\RunOnce: [apinm32.exe] C:\WINDOWS\system32\apinm32.exe
O4 - HKLM\..\RunOnce: [appiq.exe] C:\WINDOWS\system32\appiq.exe
O4 - HKLM\..\RunOnce: [mshf32.exe] C:\WINDOWS\system32\mshf32.exe
O4 - HKLM\..\RunOnce: [sdkxv32.exe] C:\WINDOWS\sdkxv32.exe
O4 - HKLM\..\RunOnce: [javafd.exe] C:\WINDOWS\javafd.exe
O4 - HKLM\..\RunOnce: [winim.exe] C:\WINDOWS\system32\winim.exe
O4 - HKLM\..\RunOnce: [crhc32.exe] C:\WINDOWS\system32\crhc32.exe
O4 - HKLM\..\RunOnce: [ipyr32.exe] C:\WINDOWS\ipyr32.exe
O4 - HKLM\..\RunOnce: [ntya32.exe] C:\WINDOWS\ntya32.exe
O4 - HKLM\..\RunOnce: [msha32.exe] C:\WINDOWS\system32\msha32.exe
O4 - HKLM\..\RunOnce: [apiha32.exe] C:\WINDOWS\apiha32.exe
O4 - HKLM\..\RunOnce: [crku32.exe] C:\WINDOWS\system32\crku32.exe
O4 - HKLM\..\RunOnce: [iepq.exe] C:\WINDOWS\iepq.exe
O4 - HKLM\..\RunOnce: [msyy32.exe] C:\WINDOWS\system32\msyy32.exe
O4 - HKLM\..\RunOnce: [d3en.exe] C:\WINDOWS\d3en.exe
O4 - HKLM\..\RunOnce: [mssk.exe] C:\WINDOWS\system32\mssk.exe
O4 - HKLM\..\RunOnce: [netxo.exe] C:\WINDOWS\netxo.exe
O4 - HKLM\..\RunOnce: [iesa.exe] C:\WINDOWS\system32\iesa.exe
O4 - HKLM\..\RunOnce: [crhh.exe] C:\WINDOWS\system32\crhh.exe
O4 - HKLM\..\RunOnce: [netsa32.exe] C:\WINDOWS\system32\netsa32.exe
O4 - HKLM\..\RunOnce: [ntlt.exe] C:\WINDOWS\ntlt.exe
O4 - HKLM\..\RunOnce: [d3hx.exe] C:\WINDOWS\d3hx.exe
O4 - HKLM\..\RunOnce: [syszq32.exe] C:\WINDOWS\syszq32.exe
O4 - HKLM\..\RunOnce: [atlqx.exe] C:\WINDOWS\atlqx.exe
O4 - HKLM\..\RunOnce: [appzd.exe] C:\WINDOWS\system32\appzd.exe
O4 - HKLM\..\RunOnce: [d3yt32.exe] C:\WINDOWS\system32\d3yt32.exe
O4 - HKLM\..\RunOnce: [ntwb32.exe] C:\WINDOWS\ntwb32.exe
O4 - HKLM\..\RunOnce: [sdkwr.exe] C:\WINDOWS\sdkwr.exe
O4 - HKLM\..\RunOnce: [ntxr.exe] C:\WINDOWS\system32\ntxr.exe
O4 - HKLM\..\RunOnce: [msug32.exe] C:\WINDOWS\msug32.exe
O4 - HKLM\..\RunOnce: [addkn32.exe] C:\WINDOWS\addkn32.exe
O4 - HKLM\..\RunOnce: [sysfz.exe] C:\WINDOWS\sysfz.exe
O4 - HKLM\..\RunOnce: [sdkep32.exe] C:\WINDOWS\sdkep32.exe
O4 - HKLM\..\RunOnce: [apidw.exe] C:\WINDOWS\system32\apidw.exe
O4 - HKLM\..\RunOnce: [wincm32.exe] C:\WINDOWS\system32\wincm32.exe
O4 - HKLM\..\RunOnce: [d3sc32.exe] C:\WINDOWS\d3sc32.exe
O4 - HKLM\..\RunOnce: [msak32.exe] C:\WINDOWS\msak32.exe
O4 - HKLM\..\RunOnce: [appjk32.exe] C:\WINDOWS\system32\appjk32.exe
O4 - HKLM\..\RunOnce: [javajs.exe] C:\WINDOWS\system32\javajs.exe
O4 - HKLM\..\RunOnce: [ipnw.exe] C:\WINDOWS\system32\ipnw.exe
O4 - HKLM\..\RunOnce: [d3cl32.exe] C:\WINDOWS\d3cl32.exe
O4 - HKLM\..\RunOnce: [wintb32.exe] C:\WINDOWS\wintb32.exe
O4 - HKLM\..\RunOnce: [ieoe.exe] C:\WINDOWS\system32\ieoe.exe
O4 - HKLM\..\RunOnce: [ntnu32.exe] C:\WINDOWS\ntnu32.exe
O4 - HKLM\..\RunOnce: [mfclk32.exe] C:\WINDOWS\system32\mfclk32.exe
O4 - HKLM\..\RunOnce: [apils.exe] C:\WINDOWS\system32\apils.exe
O4 - HKLM\..\RunOnce: [mfcus.exe] C:\WINDOWS\mfcus.exe
O4 - HKLM\..\RunOnce: [sdkjh32.exe] C:\WINDOWS\system32\sdkjh32.exe
O4 - HKLM\..\RunOnce: [mszo32.exe] C:\WINDOWS\system32\mszo32.exe
O4 - HKLM\..\RunOnce: [atlxj32.exe] C:\WINDOWS\atlxj32.exe
O4 - HKLM\..\RunOnce: [mfciv.exe] C:\WINDOWS\system32\mfciv.exe
O4 - HKLM\..\RunOnce: [ntmz.exe] C:\WINDOWS\system32\ntmz.exe
O4 - HKLM\..\RunOnce: [d3xa32.exe] C:\WINDOWS\system32\d3xa32.exe
O4 - HKLM\..\RunOnce: [sysvh.exe] C:\WINDOWS\system32\sysvh.exe
O4 - HKLM\..\RunOnce: [mfcrl32.exe] C:\WINDOWS\mfcrl32.exe
O4 - HKLM\..\RunOnce: [addbm.exe] C:\WINDOWS\system32\addbm.exe
O4 - HKLM\..\RunOnce: [appgi32.exe] C:\WINDOWS\appgi32.exe
O4 - HKLM\..\RunOnce: [addvf32.exe] C:\WINDOWS\system32\addvf32.exe
O4 - HKLM\..\RunOnce: [d3ab32.exe] C:\WINDOWS\system32\d3ab32.exe
O4 - HKLM\..\RunOnce: [appdn32.exe] C:\WINDOWS\system32\appdn32.exe
O4 - HKLM\..\RunOnce: [apikz.exe] C:\WINDOWS\system32\apikz.exe
O4 - HKLM\..\RunOnce: [ipil32.exe] C:\WINDOWS\ipil32.exe
O4 - HKLM\..\RunOnce: [mfcsl.exe] C:\WINDOWS\system32\mfcsl.exe
O4 - HKLM\..\RunOnce: [d3st.exe] C:\WINDOWS\system32\d3st.exe
O4 - HKLM\..\RunOnce: [atlnf.exe] C:\WINDOWS\system32\atlnf.exe
O4 - HKLM\..\RunOnce: [wincm.exe] C:\WINDOWS\wincm.exe
O4 - HKLM\..\RunOnce: [apibh32.exe] C:\WINDOWS\apibh32.exe
O4 - HKLM\..\RunOnce: [mfcpe.exe] C:\WINDOWS\system32\mfcpe.exe
O4 - HKLM\..\RunOnce: [apivb.exe] C:\WINDOWS\system32\apivb.exe
O4 - HKLM\..\RunOnce: [ieix.exe] C:\WINDOWS\ieix.exe
O4 - HKLM\..\RunOnce: [winid32.exe] C:\WINDOWS\system32\winid32.exe
O4 - HKLM\..\RunOnce: [crnh32.exe] C:\WINDOWS\crnh32.exe
O4 - HKLM\..\RunOnce: [addit.exe] C:\WINDOWS\system32\addit.exe
O4 - HKLM\..\RunOnce: [iemx.exe] C:\WINDOWS\iemx.exe
O4 - HKLM\..\RunOnce: [mfcbu32.exe] C:\WINDOWS\mfcbu32.exe
O4 - HKLM\..\RunOnce: [ipzc.exe] C:\WINDOWS\ipzc.exe
O4 - HKLM\..\RunOnce: [crvg32.exe] C:\WINDOWS\crvg32.exe
O4 - HKLM\..\RunOnce: [sdkfg.exe] C:\WINDOWS\sdkfg.exe
O4 - HKLM\..\RunOnce: [addnm.exe] C:\WINDOWS\system32\addnm.exe
O4 - HKLM\..\RunOnce: [d3mc32.exe] C:\WINDOWS\system32\d3mc32.exe
O4 - HKLM\..\RunOnce: [ntcj.exe] C:\WINDOWS\ntcj.exe
O4 - HKLM\..\RunOnce: [appbz32.exe] C:\WINDOWS\system32\appbz32.exe
O4 - HKLM\..\RunOnce: [ieao32.exe] C:\WINDOWS\ieao32.exe
O4 - HKLM\..\RunOnce: [syszw.exe] C:\WINDOWS\syszw.exe
O4 - HKLM\..\RunOnce: [ieif.exe] C:\WINDOWS\system32\ieif.exe
O4 - HKLM\..\RunOnce: [atlxu32.exe] C:\WINDOWS\atlxu32.exe
O4 - HKLM\..\RunOnce: [ipob32.exe] C:\WINDOWS\ipob32.exe
O4 - HKLM\..\RunOnce: [apirf.exe] C:\WINDOWS\system32\apirf.exe
O4 - HKLM\..\RunOnce: [javavx.exe] C:\WINDOWS\system32\javavx.exe
O4 - HKLM\..\RunOnce: [atlbt32.exe] C:\WINDOWS\atlbt32.exe
O4 - HKLM\..\RunOnce: [syszj32.exe] C:\WINDOWS\system32\syszj32.exe
O4 - HKLM\..\RunOnce: [apiuv32.exe] C:\WINDOWS\system32\apiuv32.exe
O4 - HKLM\..\RunOnce: [ntzz32.exe] C:\WINDOWS\ntzz32.exe
O4 - HKLM\..\RunOnce: [msdl32.exe] C:\WINDOWS\msdl32.exe
O4 - HKLM\..\RunOnce: [sdkba.exe] C:\WINDOWS\system32\sdkba.exe
O4 - HKLM\..\RunOnce: [mfcaq32.exe] C:\WINDOWS\system32\mfcaq32.exe
O4 - HKLM\..\RunOnce: [winqf32.exe] C:\WINDOWS\winqf32.exe
O4 - HKLM\..\RunOnce: [winyn.exe] C:\WINDOWS\winyn.exe
O4 - HKLM\..\RunOnce: [syszo.exe] C:\WINDOWS\system32\syszo.exe
O4 - HKLM\..\RunOnce: [apiod.exe] C:\WINDOWS\apiod.exe
O4 - HKLM\..\RunOnce: [javagb32.exe] C:\WINDOWS\system32\javagb32.exe
O4 - HKLM\..\RunOnce: [winbn32.exe] C:\WINDOWS\winbn32.exe
O4 - HKLM\..\RunOnce: [atlgr.exe] C:\WINDOWS\system32\atlgr.exe
O4 - HKLM\..\RunOnce: [appps32.exe] C:\WINDOWS\appps32.exe
O4 - HKLM\..\RunOnce: [adddp32.exe] C:\WINDOWS\system32\adddp32.exe
O4 - HKLM\..\RunOnce: [appdx32.exe] C:\WINDOWS\system32\appdx32.exe
O4 - HKLM\..\RunOnce: [apiib.exe] C:\WINDOWS\apiib.exe
O4 - HKLM\..\RunOnce: [mfcqj32.exe] C:\WINDOWS\system32\mfcqj32.exe
O4 - HKLM\..\RunOnce: [atlxy.exe] C:\WINDOWS\atlxy.exe
O4 - HKLM\..\RunOnce: [mfclv.exe] C:\WINDOWS\system32\mfclv.exe
O4 - HKLM\..\RunOnce: [msqz.exe] C:\WINDOWS\msqz.exe
O4 - HKLM\..\RunOnce: [mfckl.exe] C:\WINDOWS\mfckl.exe
O4 - HKLM\..\RunOnce: [appas.exe] C:\WINDOWS\system32\appas.exe
O4 - HKLM\..\RunOnce: [apinu.exe] C:\WINDOWS\apinu.exe
O4 - HKLM\..\RunOnce: [addjg.exe] C:\WINDOWS\system32\addjg.exe
O4 - HKLM\..\RunOnce: [ipyv32.exe] C:\WINDOWS\ipyv32.exe
O4 - HKLM\..\RunOnce: [javaxc32.exe] C:\WINDOWS\javaxc32.exe
O4 - HKLM\..\RunOnce: [ntso.exe] C:\WINDOWS\system32\ntso.exe
O4 - HKLM\..\RunOnce: [atlre32.exe] C:\WINDOWS\system32\atlre32.exe
O4 - HKLM\..\RunOnce: [winpb.exe] C:\WINDOWS\winpb.exe
O4 - HKLM\..\RunOnce: [iepc.exe] C:\WINDOWS\iepc.exe
O4 - HKLM\..\RunOnce: [netkn.exe] C:\WINDOWS\system32\netkn.exe
O4 - HKLM\..\RunOnce: [atlzu.exe] C:\WINDOWS\system32\atlzu.exe
O4 - HKLM\..\RunOnce: [syssn32.exe] C:\WINDOWS\syssn32.exe
O4 - HKLM\..\RunOnce: [windg.exe] C:\WINDOWS\system32\windg.exe
O4 - HKLM\..\RunOnce: [mfchk32.exe] C:\WINDOWS\system32\mfchk32.exe
O4 - HKLM\..\RunOnce: [apprl.exe] C:\WINDOWS\system32\apprl.exe
O4 - HKLM\..\RunOnce: [javarr.exe] C:\WINDOWS\javarr.exe
O4 - HKLM\..\RunOnce: [apiqg32.exe] C:\WINDOWS\system32\apiqg32.exe
O4 - HKLM\..\RunOnce: [addoo.exe] C:\WINDOWS\addoo.exe
O4 - HKLM\..\RunOnce: [crne32.exe] C:\WINDOWS\crne32.exe
O4 - HKLM\..\RunOnce: [ipdt32.exe] C:\WINDOWS\system32\ipdt32.exe
O4 - HKLM\..\RunOnce: [ntlb.exe] C:\WINDOWS\system32\ntlb.exe
O4 - HKLM\..\RunOnce: [ipmj.exe] C:\WINDOWS\ipmj.exe
O4 - HKLM\..\RunOnce: [d3by32.exe] C:\WINDOWS\system32\d3by32.exe
O4 - HKLM\..\RunOnce: [winag32.exe] C:\WINDOWS\system32\winag32.exe
O4 - HKLM\..\RunOnce: [ievk.exe] C:\WINDOWS\ievk.exe
O4 - HKLM\..\RunOnce: [ntuz32.exe] C:\WINDOWS\system32\ntuz32.exe
O4 - HKLM\..\RunOnce: [mfcsp32.exe] C:\WINDOWS\system32\mfcsp32.exe
O4 - HKLM\..\RunOnce: [javakm.exe] C:\WINDOWS\javakm.exe
O4 - HKLM\..\RunOnce: [netoq32.exe] C:\WINDOWS\system32\netoq32.exe
O4 - HKLM\..\RunOnce: [appff.exe] C:\WINDOWS\appff.exe
O4 - HKLM\..\RunOnce: [msev32.exe] C:\WINDOWS\msev32.exe
O4 - HKLM\..\RunOnce: [sdkck32.exe] C:\WINDOWS\system32\sdkck32.exe
O4 - HKLM\..\RunOnce: [sdkcs.exe] C:\WINDOWS\system32\sdkcs.exe
O4 - HKLM\..\RunOnce: [ntks.exe] C:\WINDOWS\ntks.exe
O4 - HKLM\..\RunOnce: [ieai.exe] C:\WINDOWS\system32\ieai.exe
O4 - HKLM\..\RunOnce: [crpx32.exe] C:\WINDOWS\system32\crpx32.exe
O4 - HKLM\..\RunOnce: [ipok32.exe] C:\WINDOWS\ipok32.exe
O4 - HKLM\..\RunOnce: [ntzv.exe] C:\WINDOWS\system32\ntzv.exe
O4 - HKLM\..\RunOnce: [msdz.exe] C:\WINDOWS\system32\msdz.exe
O4 - HKLM\..\RunOnce: [winoa32.exe] C:\WINDOWS\system32\winoa32.exe
O4 - HKLM\..\RunOnce: [mfcmi.exe] C:\WINDOWS\system32\mfcmi.exe
O4 - HKLM\..\RunOnce: [ntim32.exe] C:\WINDOWS\system32\ntim32.exe
O4 - HKLM\..\RunOnce: [netfj32.exe] C:\WINDOWS\system32\netfj32.exe
O4 - HKLM\..\RunOnce: [apimg32.exe] C:\WINDOWS\apimg32.exe
O4 - HKLM\..\RunOnce: [winqc32.exe] C:\WINDOWS\system32\winqc32.exe
O4 - HKLM\..\RunOnce: [ieox.exe] C:\WINDOWS\system32\ieox.exe
O4 - HKLM\..\RunOnce: [ntnf32.exe] C:\WINDOWS\system32\ntnf32.exe
O4 - HKLM\..\RunOnce: [sysut.exe] C:\WINDOWS\system32\sysut.exe
O4 - HKLM\..\RunOnce: [addtb.exe] C:\WINDOWS\addtb.exe
O4 - HKLM\..\RunOnce: [mfclc.exe] C:\WINDOWS\mfclc.exe
O4 - HKLM\..\RunOnce: [ieck32.exe] C:\WINDOWS\ieck32.exe
O4 - HKLM\..\RunOnce: [apirz32.exe] C:\WINDOWS\apirz32.exe
O4 - HKLM\..\RunOnce: [javavl.exe] C:\WINDOWS\javavl.exe
O4 - HKLM\..\RunOnce: [atlah32.exe] C:\WINDOWS\system32\atlah32.exe
O4 - HKLM\..\RunOnce: [adddt.exe] C:\WINDOWS\adddt.exe
O4 - HKLM\..\RunOnce: [d3cj32.exe] C:\WINDOWS\d3cj32.exe
O4 - HKLM\..\RunOnce: [nttq32.exe] C:\WINDOWS\system32\nttq32.exe
O4 - HKLM\..\RunOnce: [atlga32.exe] C:\WINDOWS\system32\atlga32.exe
O4 - HKLM\..\RunOnce: [javavf32.exe] C:\WINDOWS\javavf32.exe
O4 - HKLM\..\RunOnce: [nettv32.exe] C:\WINDOWS\system32\nettv32.exe
O4 - HKLM\..\RunOnce: [nettd32.exe] C:\WINDOWS\system32\nettd32.exe
O4 - HKLM\..\RunOnce: [crdd32.exe] C:\WINDOWS\system32\crdd32.exe
O4 - HKLM\..\RunOnce: [mfcdd.exe] C:\WINDOWS\mfcdd.exe
O4 - HKLM\..\RunOnce: [wingp.exe] C:\WINDOWS\wingp.exe
O4 - HKLM\..\RunOnce: [netwf32.exe] C:\WINDOWS\system32\netwf32.exe
O4 - HKLM\..\RunOnce: [javaum32.exe] C:\WINDOWS\system32\javaum32.exe
O4 - HKLM\..\RunOnce: [ntpy.exe] C:\WINDOWS\system32\ntpy.exe
O4 - HKLM\..\RunOnce: [crih32.exe] C:\WINDOWS\crih32.exe
O4 - HKLM\..\RunOnce: [apicy.exe] C:\WINDOWS\system32\apicy.exe
O4 - HKLM\..\RunOnce: [sdkgc32.exe] C:\WINDOWS\sdkgc32.exe
O4 - HKLM\..\RunOnce: [netqd.exe] C:\WINDOWS\system32\netqd.exe
O4 - HKLM\..\RunOnce: [ipvz32.exe] C:\WINDOWS\ipvz32.exe
O4 - HKLM\..\RunOnce: [netkw32.exe] C:\WINDOWS\system32\netkw32.exe
O4 - HKLM\..\RunOnce: [addps32.exe] C:\WINDOWS\system32\addps32.exe
O4 - HKLM\..\RunOnce: [javaoi32.exe] C:\WINDOWS\javaoi32.exe
O4 - HKLM\..\RunOnce: [appwq.exe] C:\WINDOWS\system32\appwq.exe
O4 - HKLM\..\RunOnce: [winvu.exe] C:\WINDOWS\system32\winvu.exe
O4 - HKLM\..\RunOnce: [sdkiy32.exe] C:\WINDOWS\sdkiy32.exe
O4 - HKLM\..\RunOnce: [cruj32.exe] C:\WINDOWS\system32\cruj32.exe
O4 - HKLM\..\RunOnce: [apiyo32.exe] C:\WINDOWS\system32\apiyo32.exe
O4 - HKLM\..\RunOnce: [d3bz.exe] C:\WINDOWS\system32\d3bz.exe
O4 - HKLM\..\RunOnce: [ntxd32.exe] C:\WINDOWS\ntxd32.exe
O4 - HKLM\..\RunOnce: [mfcwt.exe] C:\WINDOWS\system32\mfcwt.exe
O4 - HKLM\..\RunOnce: [sysvi32.exe] C:\WINDOWS\system32\sysvi32.exe
O4 - HKLM\..\RunOnce: [crly32.exe] C:\WINDOWS\crly32.exe
O4 - HKLM\..\RunOnce: [crtg.exe] C:\WINDOWS\crtg.exe
O4 - HKLM\..\RunOnce: [javatg.exe] C:\WINDOWS\system32\javatg.exe
O4 - HKLM\..\RunOnce: [winrv32.exe] C:\WINDOWS\winrv32.exe
O4 - HKLM\..\RunOnce: [apibu32.exe] C:\WINDOWS\system32\apibu32.exe
O4 - HKLM\..\RunOnce: [iebk.exe] C:\WINDOWS\system32\iebk.exe
O4 - HKLM\..\RunOnce: [msjk32.exe] C:\WINDOWS\msjk32.exe
O4 - HKLM\..\RunOnce: [d3yh32.exe] C:\WINDOWS\system32\d3yh32.exe
O4 - HKLM\..\RunOnce: [ipdd.exe] C:\WINDOWS\ipdd.exe
O4 - HKLM\..\RunOnce: [atlzp.exe] C:\WINDOWS\system32\atlzp.exe
O4 - HKLM\..\RunOnce: [sdkwe32.exe] C:\WINDOWS\sdkwe32.exe
O4 - HKLM\..\RunOnce: [d3mm32.exe] C:\WINDOWS\d3mm32.exe
O4 - HKLM\..\RunOnce: [javahy.exe] C:\WINDOWS\system32\javahy.exe
O4 - HKLM\..\RunOnce: [apign32.exe] C:\WINDOWS\system32\apign32.exe
O4 - HKLM\..\RunOnce: [addev32.exe] C:\WINDOWS\addev32.exe
O4 - HKLM\..\RunOnce: [appel.exe] C:\WINDOWS\system32\appel.exe
O4 - HKLM\..\RunOnce: [ipwr32.exe] C:\WINDOWS\ipwr32.exe
O4 - HKLM\..\RunOnce: [atlmh.exe] C:\WINDOWS\system32\atlmh.exe
O4 - HKLM\..\RunOnce: [ielw32.exe] C:\WINDOWS\system32\ielw32.exe
O4 - HKLM\..\RunOnce: [javake32.exe] C:\WINDOWS\javake32.exe
O4 - HKLM\..\RunOnce: [crku.exe] C:\WINDOWS\crku.exe
O4 - HKLM\..\RunOnce: [sdksu.exe] C:\WINDOWS\sdksu.exe
O4 - HKLM\..\RunOnce: [sysij32.exe] C:\WINDOWS\sysij32.exe
O4 - HKLM\..\RunOnce: [atlyr32.exe] C:\WINDOWS\atlyr32.exe
O4 - HKLM\..\RunOnce: [wintc.exe] C:\WINDOWS\wintc.exe
O4 - HKLM\..\RunOnce: [syslj32.exe] C:\WINDOWS\syslj32.exe
O4 - HKLM\..\RunOnce: [crjy32.exe] C:\WINDOWS\system32\crjy32.exe
O4 - HKLM\..\RunOnce: [addek.exe] C:\WINDOWS\addek.exe
O4 - HKLM\..\RunOnce: [javayl.exe] C:\WINDOWS\javayl.exe
O4 - HKLM\..\RunOnce: [mfcxt32.exe] C:\WINDOWS\mfcxt32.exe
O4 - HKLM\..\RunOnce: [addvz.exe] C:\WINDOWS\system32\addvz.exe
O4 - HKLM\..\RunOnce: [appjn32.exe] C:\WINDOWS\system32\appjn32.exe
O4 - HKLM\..\RunOnce: [d3dm.exe] C:\WINDOWS\system32\d3dm.exe
O4 - HKLM\..\RunOnce: [d3xy32.exe] C:\WINDOWS\d3xy32.exe
O4 - HKLM\..\RunOnce: [msir.exe] C:\WINDOWS\system32\msir.exe
O4 - HKLM\..\RunOnce: [addmv.exe] C:\WINDOWS\addmv.exe
O4 - HKLM\..\RunOnce: [apixo32.exe] C:\WINDOWS\system32\apixo32.exe
O4 - HKLM\..\RunOnce: [ntvv.exe] C:\WINDOWS\system32\ntvv.exe
O4 - HKLM\..\RunOnce: [msrz32.exe] C:\WINDOWS\msrz32.exe
O4 - HKLM\..\RunOnce: [javaaa.exe] C:\WINDOWS\system32\javaaa.exe
O4 - HKLM\..\RunOnce: [crow32.exe] C:\WINDOWS\crow32.exe
O4 - HKLM\..\RunOnce: [javavt32.exe] C:\WINDOWS\system32\javavt32.exe
O4 - HKLM\..\RunOnce: [d3cz.exe] C:\WINDOWS\d3cz.exe
O4 - HKLM\..\RunOnce: [javaso.exe] C:\WINDOWS\javaso.exe
O4 - HKLM\..\RunOnce: [netna.exe] C:\WINDOWS\system32\netna.exe
O4 - HKLM\..\RunOnce: [javarw.exe] C:\WINDOWS\javarw.exe
O4 - HKLM\..\RunOnce: [iecx32.exe] C:\WINDOWS\system32\iecx32.exe
O4 - HKLM\..\RunOnce: [appae.exe] C:\WINDOWS\appae.exe
O4 - HKLM\..\RunOnce: [netwi32.exe] C:\WINDOWS\netwi32.exe
O4 - HKLM\..\RunOnce: [atlgj.exe] C:\WINDOWS\atlgj.exe
O4 - HKLM\..\RunOnce: [mfctf32.exe] C:\WINDOWS\mfctf32.exe
O4 - HKLM\..\RunOnce: [atlac32.exe] C:\WINDOWS\system32\atlac32.exe
O4 - HKLM\..\RunOnce: [iefz32.exe] C:\WINDOWS\iefz32.exe
O4 - HKLM\..\RunOnce: [mfcik32.exe] C:\WINDOWS\system32\mfcik32.exe
O4 - HKLM\..\RunOnce: [ipmp.exe] C:\WINDOWS\ipmp.exe
O4 - HKLM\..\RunOnce: [msqg.exe] C:\WINDOWS\msqg.exe
O4 - HKLM\..\RunOnce: [mfcdw.exe] C:\WINDOWS\mfcdw.exe
O4 - HKLM\..\RunOnce: [ntbr32.exe] C:\WINDOWS\ntbr32.exe
O4 - HKLM\..\RunOnce: [iela32.exe] C:\WINDOWS\iela32.exe
O4 - HKLM\..\RunOnce: [netli.exe] C:\WINDOWS\system32\netli.exe
O4 - HKLM\..\RunOnce: [atlom.exe] C:\WINDOWS\atlom.exe
O4 - HKLM\..\RunOnce: [nteb32.exe] C:\WINDOWS\nteb32.exe
O4 - HKLM\..\RunOnce: [d3uq32.exe] C:\WINDOWS\d3uq32.exe
O4 - HKLM\..\RunOnce: [javaxu.exe] C:\WINDOWS\javaxu.exe
O4 - HKLM\..\RunOnce: [mfcwk32.exe] C:\WINDOWS\mfcwk32.exe
O4 - HKLM\..\RunOnce: [crst32.exe] C:\WINDOWS\system32\crst32.exe
O4 - HKLM\..\RunOnce: [atlmf.exe] C:\WINDOWS\atlmf.exe
O4 - HKLM\..\RunOnce: [neteg32.exe] C:\WINDOWS\neteg32.exe
O4 - HKLM\..\RunOnce: [nettb.exe] C:\WINDOWS\system32\nettb.exe
O4 - HKLM\..\RunOnce: [iphf.exe] C:\WINDOWS\system32\iphf.exe
O4 - HKLM\..\RunOnce: [ipbr32.exe] C:\WINDOWS\ipbr32.exe
O4 - HKLM\..\RunOnce: [ntbh32.exe] C:\WINDOWS\ntbh32.exe
O4 - HKLM\..\RunOnce: [atlau32.exe] C:\WINDOWS\atlau32.exe
O4 - HKLM\..\RunOnce: [msun32.exe] C:\WINDOWS\msun32.exe
O4 - HKLM\..\RunOnce: [iebv.exe] C:\WINDOWS\system32\iebv.exe
O4 - HKLM\..\RunOnce: [d3cw.exe] C:\WINDOWS\d3cw.exe
O4 - HKLM\..\RunOnce: [appst32.exe] C:\WINDOWS\system32\appst32.exe
O4 - HKLM\..\RunOnce: [apiqa32.exe] C:\WINDOWS\system32\apiqa32.exe
O4 - HKLM\..\RunOnce: [ieku32.exe] C:\WINDOWS\ieku32.exe
O4 - HKLM\..\RunOnce: [javaaj32.exe] C:\WINDOWS\system32\javaaj32.exe
O4 - HKLM\..\RunOnce: [crir.exe] C:\WINDOWS\system32\crir.exe
O4 - HKLM\..\RunOnce: [sdkjr.exe] C:\WINDOWS\system32\sdkjr.exe
O4 - HKLM\..\RunOnce: [mscq.exe] C:\WINDOWS\system32\mscq.exe
O4 - HKLM\..\RunOnce: [ntmj32.exe] C:\WINDOWS\ntmj32.exe
O4 - HKLM\..\RunOnce: [javagc.exe] C:\WINDOWS\javagc.exe
O4 - HKLM\..\RunOnce: [iecg.exe] C:\WINDOWS\system32\iecg.exe
O4 - HKLM\..\RunOnce: [appuz32.exe] C:\WINDOWS\appuz32.exe
O4 - HKLM\..\RunOnce: [apikg.exe] C:\WINDOWS\system32\apikg.exe
O4 - HKLM\..\RunOnce: [ntmv32.exe] C:\WINDOWS\system32\ntmv32.exe
O4 - HKLM\..\RunOnce: [msvo.exe] C:\WINDOWS\msvo.exe
O4 - HKLM\..\RunOnce: [d3lb32.exe] C:\WINDOWS\system32\d3lb32.exe
O4 - HKLM\..\RunOnce: [sysxf.exe] C:\WINDOWS\system32\sysxf.exe
O4 - HKLM\..\RunOnce: [ieyg32.exe] C:\WINDOWS\system32\ieyg32.exe
O4 - HKLM\..\RunOnce: [msnd32.exe] C:\WINDOWS\system32\msnd32.exe
O4 - HKLM\..\RunOnce: [ntrz32.exe] C:\WINDOWS\system32\ntrz32.exe
O4 - HKLM\..\RunOnce: [ntan.exe] C:\WINDOWS\system32\ntan.exe
O4 - HKLM\..\RunOnce: [sdkuy32.exe] C:\WINDOWS\sdkuy32.exe
O4 - HKLM\..\RunOnce: [appfr32.exe] C:\WINDOWS\appfr32.exe
O4 - HKLM\..\RunOnce: [atlnh32.exe] C:\WINDOWS\atlnh32.exe
O4 - HKLM\..\RunOnce: [addxi.exe] C:\WINDOWS\system32\addxi.exe
O4 - HKLM\..\RunOnce: [msam.exe] C:\WINDOWS\system32\msam.exe
O4 - HKLM\..\RunOnce: [atlqj32.exe] C:\WINDOWS\atlqj32.exe
O4 - HKLM\..\RunOnce: [sysak32.exe] C:\WINDOWS\sysak32.exe
O4 - HKLM\..\RunOnce: [cryz32.exe] C:\WINDOWS\system32\cryz32.exe
O4 - HKLM\..\RunOnce: [winse32.exe] C:\WINDOWS\system32\winse32.exe
O4 - HKLM\..\RunOnce: [sdklx32.exe] C:\WINDOWS\sdklx32.exe
O4 - HKLM\..\RunOnce: [javaln32.exe] C:\WINDOWS\javaln32.exe
O4 - HKLM\..\RunOnce: [sysug32.exe] C:\WINDOWS\system32\sysug32.exe
O4 - HKLM\..\RunOnce: [ntco.exe] C:\WINDOWS\ntco.exe
O4 - HKLM\..\RunOnce: [mfcya.exe] C:\WINDOWS\system32\mfcya.exe
O4 - HKLM\..\RunOnce: [javaop32.exe] C:\WINDOWS\javaop32.exe
O4 - HKLM\..\RunOnce: [msmw.exe] C:\WINDOWS\msmw.exe
O4 - HKLM\..\RunOnce: [sdkfd32.exe] C:\WINDOWS\system32\sdkfd32.exe
O4 - HKLM\..\RunOnce: [ipah.exe] C:\WINDOWS\system32\ipah.exe
O4 - HKLM\..\RunOnce: [appzx32.exe] C:\WINDOWS\system32\appzx32.exe
O4 - HKLM\..\RunOnce: [iepm.exe] C:\WINDOWS\iepm.exe
O4 - HKLM\..\RunOnce: [ntwu32.exe] C:\WINDOWS\ntwu32.exe
O4 - HKLM\..\RunOnce: [mfcmj32.exe] C:\WINDOWS\system32\mfcmj32.exe
O4 - HKLM\..\RunOnce: [winzt32.exe] C:\WINDOWS\system32\winzt32.exe
O4 - HKLM\..\RunOnce: [d3qj.exe] C:\WINDOWS\d3qj.exe
O4 - HKLM\..\RunOnce: [addut.exe] C:\WINDOWS\addut.exe
O4 - HKLM\..\RunOnce: [appch.exe] C:\WINDOWS\appch.exe
O4 - HKLM\..\RunOnce: [sdkln32.exe] C:\WINDOWS\sdkln32.exe
O4 - HKLM\..\RunOnce: [d3qr.exe] C:\WINDOWS\system32\d3qr.exe
O4 - HKLM\..\RunOnce: [apiem32.exe] C:\WINDOWS\apiem32.exe
O4 - HKLM\..\RunOnce: [ntjq32.exe] C:\WINDOWS\ntjq32.exe
O4 - HKLM\..\RunOnce: [crws32.exe] C:\WINDOWS\system32\crws32.exe
O4 - HKLM\..\RunOnce: [apipl32.exe] C:\WINDOWS\system32\apipl32.exe
O4 - HKLM\..\RunOnce: [sdkmn32.exe] C:\WINDOWS\system32\sdkmn32.exe
O4 - HKLM\..\RunOnce: [sdkak.exe] C:\WINDOWS\sdkak.exe
O4 - HKLM\..\RunOnce: [sysff32.exe] C:\WINDOWS\sysff32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



i apologize if this is super long, i'm not sure as to what exactly should be included and what shouldn't is this super long?? is this normal?? is my computer totally infected?? :bawling: PLEASE OH PLEASE help me!! i don't feel comfortable enough to delete anything on my own, hence, why i'm here asking for some help. anything you guys can help me with is extremely appreciated! thank you sooo much!!! oh and, since i turned off my system restore and have my hidden files showing...does this pose a threat of any sort?? what should i do?? thanks again!! cynthia

Crunchie

Download CWShredder 2.15 from here. Run it and press the *fix,* not scan and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.

===============

Download AboutBuster 5:

http://www.besttechie.net/tools/AboutBuster5.zip
http://www.malwarebytes.biz/AboutBuster5.zip

Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

Click Update. This will start updating AboutBuster with the latest definition database.

Once it's done updating and you see that dialog, click Ok.

Close AboutBuster.

Reboot into safe mode following the instructions here.

Start AboutBuster and click Begin Removal.

When the scan is done, click Ok.

======

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

piojis76

hello and thank you so much for responding!! i just followed your word to the letter, just finished running hijack this, and this is the new log:



Logfile of HijackThis v1.99.1
Scan saved at 10:47:03 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\winjm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\WINDOWS\system32\mfcix.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {94A53935-C204-C7E0-8510-27AEF27FEAB9} - C:\WINDOWS\system32\apiew.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112160586\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\Run: [mfcix.exe] C:\WINDOWS\system32\mfcix.exe
O4 - HKLM\..\RunOnce: [apiqd.exe] C:\WINDOWS\system32\apiqd.exe
O4 - HKLM\..\RunOnce: [winjm.exe] C:\WINDOWS\system32\winjm.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiqd.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



one quick side note, it took unusually long to log back in under "normal" mode....is that normal? since all of the above listed looks like chicken scratch to me, i'm not sure if it's ok now. also, can you please let me know once it is safe to turn my system restore back on? THANK YOU SOOOO MUCH ONCE AGAIN!!!! Cynthia

Crunchie

You have some entries there that need removing.

===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt. Unregister the dll(s) we're going to remove, by entering the following:

regsvr32 /u apiew.dll

It's ok, if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis then:

1. Click "Open the Misc Tools Section"
2. Click "Open Process manager"

-

Next, while holding down the CTRL key, locate (if present) and click on (highlight) each of the following:

C:\WINDOWS\system32\winjm.exe

Now double-check and make sure that only those item(s) above are highlighted, then click "Kill process". Now, click "Refresh", check again, and repeat this step if any remain.

===============

Still in HiJackThis, click "Scan", then check(tick) the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {94A53935-C204-C7E0-8510-27AEF27FEAB9} - C:\WINDOWS\system32\apiew.dll

O4 - HKLM\..\RunOnce: [apiqd.exe] C:\WINDOWS\system32\apiqd.exe
O4 - HKLM\..\RunOnce: [winjm.exe] C:\WINDOWS\system32\winjm.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\apiqd.exe" /s (file missing)


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

files...

C:\WINDOWS\system32\winjm.exe
C:\WINDOWS\system32\apiew.dll
C:\WINDOWS\system32\apiqd.exe

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

piojis76

hello crunchie!! i hope your day went well, and really, thanks again for everything that you're doing for me; i really do appreciate it! ok, so i followed the above to the letter. i still cannot open the explorer window, without it closing up on me, and then a message from mcafee appears saying: kduiq.dll was infected by the start page-du.dll trojan. before this, it was the pwlxl.dll this happens everytime that i open the darn explorer, a similar message will appear...perhaps different "file" or dll names, but the same thing re: start page-du.dll tojan. this is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 9:22:08 PM, on 7/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\mfcix.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {69DCBAC8-9290-CC20-9EE6-CC486DABBD24} - C:\WINDOWS\winqg.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112160586\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\Run: [mfcix.exe] C:\WINDOWS\system32\mfcix.exe
O4 - HKLM\..\RunOnce: [syszw32.exe] C:\WINDOWS\syszw32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\syszw32.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


is all of this because of the explorer or did i receive an infected file?? thanks once again and have a great evening!! cynthia

Crunchie

Internet Explorer is very susceptible to these infections. That's why I use the Opera browser .

Reboot into safe mode following the instructions here and then run CWShredder twice. After that, run aboutbuster twice as well. Run Adaware again whilst still in safe mode.

Still in safe mode, please do the following; (not all will be found, so do not worry)

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kduiq.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\kduiq.dll/sp.html#93256

O2 - BHO: Class - {69DCBAC8-9290-CC20-9EE6-CC486DABBD24} - C:\WINDOWS\winqg.dll

O4 - HKLM\..\Run: [mfcix.exe] C:\WINDOWS\system32\mfcix.exe
O4 - HKLM\..\RunOnce: [syszw32.exe] C:\WINDOWS\syszw32.exe

O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\syszw32.exe" /s (file missing)

-

After hitting the fix button in hijackthis, still in hijackthis, on the bottom right, go to Config/Misc Tools/Delete an NT Service and paste in Network Security Service (NSS) and hit ok.

-

Reboot normally after doing the above, rescan with hijackthis, then post that log here please.

piojis76

hello!! how are you today?? so you use the opera browser? does this affect how the files and folders open in XP? i might want to try and look into that, a different browser, but i wouldn't really know how to go about it. also, would it be better to just wait until this deal is fixed before proceeding to look into a different browser? there are those 3 things in the add/remove window that i still can't remove: shopping wizard, search extender, and home search assistant. ok, so once again, i followed everything above to the letter, only, when i went into the Config/Misc Tools/Delete and NT Service, it said : that it was not found in the registry and to make sure that i entered the short name of the service. i can't seem to get rid of this one: O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appxf.exe" /s (file missing); when i attempt to delete, it always comes back with a different .exe. This is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 5:55:18 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\iesi32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {55A1824A-46C9-FB34-DF74-C122BEDC7F1F} - C:\WINDOWS\system32\sysuv32.dll
O2 - BHO: Class - {805B5372-5E8D-06EA-8F76-4E177E2F0426} - C:\WINDOWS\javajz.dll
O2 - BHO: Class - {84A6699D-3390-E792-6F21-462788E62709} - C:\WINDOWS\apiqc.dll
O2 - BHO: Class - {BC866979-4FC7-8956-2B63-286817663144} - C:\WINDOWS\javazp.dll
O2 - BHO: Class - {EE7118D1-F99F-AAF0-2F73-A1C63E7FE7B3} - C:\WINDOWS\mfcmj32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112160586\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\RunOnce: [appxf.exe] C:\WINDOWS\appxf.exe
O4 - HKLM\..\RunOnce: [d3zu.exe] C:\WINDOWS\d3zu.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
O4 - HKLM\..\RunOnce: [ieqe32.exe] C:\WINDOWS\system32\ieqe32.exe
O4 - HKLM\..\RunOnce: [netne.exe] C:\WINDOWS\system32\netne.exe
O4 - HKLM\..\RunOnce: [addsh.exe] C:\WINDOWS\system32\addsh.exe
O4 - HKLM\..\RunOnce: [netvh.exe] C:\WINDOWS\system32\netvh.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [iesi32.exe] C:\WINDOWS\system32\iesi32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service (NSS) ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appxf.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


If i did decide to use a different browser, would i just have to remove explorer?? would this take care of the problem?? thank you so much!! cynthia

Crunchie

We need to get your PC clean first . Internet explorer cannot be uninstalled and is in fact, needed for your Windows Updates .
Using a different browser is as simple as downloading and installing it. I have been using Opera for almost 2 years and have never had a virus or been hijacked. Because IE is so widely used, it is the one that is targetted by the nasties.

-

How do you feel about removing this infection the old way?

-

Can you please download this file from here:

Getservice.zip

Extract the file to the c:\ drive. Then navigate to the c:\getservices and double-click on the getservices.bat file. A notepad will open up. Please paste the contents of that notepad into this post with another hijackthis log.

piojis76

hello crunchie!! i hope that your weekend has been going well. as for removing this infection the old way, i'm not quite sure on what that is, but WHATEVER you decide you'd like to try, i'm totally with you! ok, so this is the text from the Get Services notepad (it's super long):


PsService v1.1 - local and remote services viewer/controller
Copyright (C) 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com

SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Windows Firewall.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: AOL ACS
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AOL Connectivity Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: AOL TopSpeedMonitor
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : AOL TopSpeed Monitor
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 3600 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 1000 seconds
: Restart DELAY: 1000 seconds
: Restart DELAY: 1000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: BITS
Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds

SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: DcomLaunch
Provides launch functionality for DCOM services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k DcomLaunch
LOAD_ORDER_GROUP : Event Log
TAG : 0
DISPLAY_NAME : DCOM Server Process Launcher
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Fax
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds

SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Human Interface Device Access
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: HTTPFilter
This service implements the secure hypertext transfer protocol (HTTPS) for the HTTP service, using the Secure Socket Layer (SSL). If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k HTTPFilter
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HTTP SSL
DEPENDENCIES : HTTP
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: McShield
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\PROGRA~1\mcafee.com\vso\mcshield.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee.com McShield
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mcupdmgr.exe
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee SecurityCenter Update Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MCVSRte
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe /Embedding
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee.com VirusScan Online Realtime Engine
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: MpfService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : McAfee Personal Firewall Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
COMMAND : cAfee.com\PERSON~1\MPFSER~1.EXE" /servicecrash /fail=%1%
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Run command DELAY: 5000 seconds

SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: MSIServer
Adds, modifies, and removes applications provided as a Windows Installer (*.msi) package. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: workService
: Distributed Transaction Coordinator
: 1
: %
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NetSvc
Supports Intel(R) PROSet for Wired Connections.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Intel NCS NetService
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Office Source Engine
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService

SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds

SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP : SmartCardGroup
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 6000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SharedAccess
Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Firewall/Internet Connection Sharing (ICS)
DEPENDENCIES : Netman
: WinMgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: ShellHWDetection
Provides notifications for AutoPlay hardware events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES : HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\dllhost.exe /Processid:{A445BD1E-49EE-4607-B370-5CCA447377C4}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService

SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost -k DComLaunch
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds

SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: UMWdf
Enables Windows user mode drivers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\wdfmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows User Mode Driver Framework
DEPENDENCIES : RpcSs
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
: HTTP
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds

SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: w32time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.


TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService

SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds

SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wscsvc
Monitors system security settings and configurations.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Security Center
DEPENDENCIES : RpcSs
: winmgmt
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: xmlprov
Manages XML configuration files on a domain basis for automatic network provisioning.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Provisioning Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem

SERVICE_NAME: 11Fßä#·ºÄÖ`I
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\WINDOWS\appxf.exe" /s
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Helper
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds

piojis76

and this is the new log in hijack this (sorry, i needed to paste that in a new message, since i received an error that the other one was too long and that it all wouldn't fit):

Logfile of HijackThis v1.99.1
Scan saved at 1:07:08 PM, on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\mfcix.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {147C0B30-AF21-31CA-8710-729D602064B3} - C:\WINDOWS\system32\javaxo.dll
O2 - BHO: Class - {3C14482F-CF46-FEFF-C35C-99CDA3BF02AB} - C:\WINDOWS\javazx.dll
O2 - BHO: Class - {58BA44D2-4E05-CF21-D46C-343B479557D8} - C:\WINDOWS\system32\mfccq32.dll
O2 - BHO: Class - {6CD27622-433E-7933-47AD-5AC97903406A} - C:\WINDOWS\system32\javabh32.dll
O2 - BHO: Class - {A89630A0-A2FA-322C-0FBE-630AC13A1A75} - C:\WINDOWS\system32\apigb.dll
O2 - BHO: Class - {CE9F8009-C44E-E5EA-C0CB-75CE8EB66346} - C:\WINDOWS\system32\atlvj32.dll
O2 - BHO: Class - {CF0DB4C8-F2F7-EF01-C711-E29AA80B3432} - C:\WINDOWS\apier.dll
O2 - BHO: Class - {E15DD854-133F-0338-F25B-C7118EE63F1C} - C:\WINDOWS\crnn.dll
O2 - BHO: Class - {E616513A-40E1-2657-5238-EAF908483D9A} - C:\WINDOWS\system32\sysju32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112160586\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\Run: [mfcix.exe] C:\WINDOWS\system32\mfcix.exe
O4 - HKLM\..\RunOnce: [appxf.exe] C:\WINDOWS\appxf.exe
O4 - HKLM\..\RunOnce: [d3zu.exe] C:\WINDOWS\d3zu.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
O4 - HKLM\..\RunOnce: [ieqe32.exe] C:\WINDOWS\system32\ieqe32.exe
O4 - HKLM\..\RunOnce: [netne.exe] C:\WINDOWS\system32\netne.exe
O4 - HKLM\..\RunOnce: [addsh.exe] C:\WINDOWS\system32\addsh.exe
O4 - HKLM\..\RunOnce: [netvh.exe] C:\WINDOWS\system32\netvh.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [iesi32.exe] C:\WINDOWS\system32\iesi32.exe
O4 - HKLM\..\RunOnce: [crdf32.exe] C:\WINDOWS\crdf32.exe
O4 - HKLM\..\RunOnce: [addim32.exe] C:\WINDOWS\system32\addim32.exe
O4 - HKLM\..\RunOnce: [sdkwj.exe] C:\WINDOWS\sdkwj.exe
O4 - HKLM\..\RunOnce: [appwp.exe] C:\WINDOWS\system32\appwp.exe
O4 - HKLM\..\RunOnce: [applk32.exe] C:\WINDOWS\applk32.exe
O4 - HKLM\..\RunOnce: [mstd.exe] C:\WINDOWS\system32\mstd.exe
O4 - HKLM\..\RunOnce: [netei.exe] C:\WINDOWS\netei.exe
O4 - HKLM\..\RunOnce: [winjk.exe] C:\WINDOWS\winjk.exe
O4 - HKLM\..\RunOnce: [javaol.exe] C:\WINDOWS\javaol.exe
O4 - HKLM\..\RunOnce: [apitf.exe] C:\WINDOWS\system32\apitf.exe
O4 - HKLM\..\RunOnce: [appxr32.exe] C:\WINDOWS\appxr32.exe
O4 - HKLM\..\RunOnce: [syshq.exe] C:\WINDOWS\syshq.exe
O4 - HKLM\..\RunOnce: [javavs32.exe] C:\WINDOWS\javavs32.exe
O4 - HKLM\..\RunOnce: [apilz32.exe] C:\WINDOWS\system32\apilz32.exe
O4 - HKLM\..\RunOnce: [mfcoj.exe] C:\WINDOWS\mfcoj.exe
O4 - HKLM\..\RunOnce: [sdkzf32.exe] C:\WINDOWS\system32\sdkzf32.exe
O4 - HKLM\..\RunOnce: [winnw.exe] C:\WINDOWS\system32\winnw.exe
O4 - HKLM\..\RunOnce: [javasq32.exe] C:\WINDOWS\system32\javasq32.exe
O4 - HKLM\..\RunOnce: [ieou.exe] C:\WINDOWS\ieou.exe
O4 - HKLM\..\RunOnce: [sdknk32.exe] C:\WINDOWS\system32\sdknk32.exe
O4 - HKLM\..\RunOnce: [atlbm.exe] C:\WINDOWS\atlbm.exe
O4 - HKLM\..\RunOnce: [mfcbu.exe] C:\WINDOWS\mfcbu.exe
O4 - HKLM\..\RunOnce: [ipjg32.exe] C:\WINDOWS\system32\ipjg32.exe
O4 - HKLM\..\RunOnce: [sdkao32.exe] C:\WINDOWS\sdkao32.exe
O4 - HKLM\..\RunOnce: [mfcny.exe] C:\WINDOWS\mfcny.exe
O4 - HKLM\..\RunOnce: [javahw32.exe] C:\WINDOWS\system32\javahw32.exe
O4 - HKLM\..\RunOnce: [netmf.exe] C:\WINDOWS\system32\netmf.exe
O4 - HKLM\..\RunOnce: [javawy32.exe] C:\WINDOWS\javawy32.exe
O4 - HKLM\..\RunOnce: [apika.exe] C:\WINDOWS\system32\apika.exe
O4 - HKLM\..\RunOnce: [winvr.exe] C:\WINDOWS\winvr.exe
O4 - HKLM\..\RunOnce: [apieu32.exe] C:\WINDOWS\apieu32.exe
O4 - HKLM\..\RunOnce: [sysjo.exe] C:\WINDOWS\system32\sysjo.exe
O4 - HKLM\..\RunOnce: [netpf32.exe] C:\WINDOWS\system32\netpf32.exe
O4 - HKLM\..\RunOnce: [crzd32.exe] C:\WINDOWS\crzd32.exe
O4 - HKLM\..\RunOnce: [netny.exe] C:\WINDOWS\netny.exe
O4 - HKLM\..\RunOnce: [mfcct.exe] C:\WINDOWS\mfcct.exe
O4 - HKLM\..\RunOnce: [sdkxz.exe] C:\WINDOWS\sdkxz.exe
O4 - HKLM\..\RunOnce: [atlwy32.exe] C:\WINDOWS\atlwy32.exe
O4 - HKLM\..\RunOnce: [ieba.exe] C:\WINDOWS\ieba.exe
O4 - HKLM\..\RunOnce: [appfe32.exe] C:\WINDOWS\system32\appfe32.exe
O4 - HKLM\..\RunOnce: [d3lz.exe] C:\WINDOWS\system32\d3lz.exe
O4 - HKLM\..\RunOnce: [syspf.exe] C:\WINDOWS\syspf.exe
O4 - HKLM\..\RunOnce: [javauz32.exe] C:\WINDOWS\system32\javauz32.exe
O4 - HKLM\..\RunOnce: [winku.exe] C:\WINDOWS\winku.exe
O4 - HKLM\..\RunOnce: [atlxw.exe] C:\WINDOWS\system32\atlxw.exe
O4 - HKLM\..\RunOnce: [msdz32.exe] C:\WINDOWS\system32\msdz32.exe
O4 - HKLM\..\RunOnce: [sdkqb32.exe] C:\WINDOWS\sdkqb32.exe
O4 - HKLM\..\RunOnce: [atlvd.exe] C:\WINDOWS\atlvd.exe
O4 - HKLM\..\RunOnce: [mspu32.exe] C:\WINDOWS\mspu32.exe
O4 - HKLM\..\RunOnce: [sdkoh32.exe] C:\WINDOWS\system32\sdkoh32.exe
O4 - HKLM\..\RunOnce: [mfctj.exe] C:\WINDOWS\system32\mfctj.exe
O4 - HKLM\..\RunOnce: [crnn.exe] C:\WINDOWS\crnn.exe
O4 - HKLM\..\RunOnce: [nettp.exe] C:\WINDOWS\nettp.exe
O4 - HKLM\..\RunOnce: [sdkdc.exe] C:\WINDOWS\sdkdc.exe
O4 - HKLM\..\RunOnce: [atlie.exe] C:\WINDOWS\atlie.exe
O4 - HKLM\..\RunOnce: [apihm32.exe] C:\WINDOWS\system32\apihm32.exe
O4 - HKLM\..\RunOnce: [winug32.exe] C:\WINDOWS\winug32.exe
O4 - HKLM\..\RunOnce: [mfcri32.exe] C:\WINDOWS\mfcri32.exe
O4 - HKLM\..\RunOnce: [sysek.exe] C:\WINDOWS\system32\sysek.exe
O4 - HKLM\..\RunOnce: [crdx.exe] C:\WINDOWS\crdx.exe
O4 - HKLM\..\RunOnce: [apiis32.exe] C:\WINDOWS\apiis32.exe
O4 - HKLM\..\RunOnce: [iptl32.exe] C:\WINDOWS\system32\iptl32.exe
O4 - HKLM\..\RunOnce: [addyh32.exe] C:\WINDOWS\system32\addyh32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appxf.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


ok, please let me know the latest and if there is anything else i should or shouldn't be doing (ie turn system restore back on, leave it off, etc). THANK YOU!!!

Crunchie

You may want to print out these directions as the Internet will not be available. Please continue with the next step if you run into a problem with the current one. Just be sure to let us know what the problem was when you reply.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Reboot your computer into Safe Mode and follow these steps:

Step 1:

Click on start, then control panel, then administrative programs, then services. Look for a service called Remote Procedure Call (RPC) Helper. Double click on that service and click stop and then set the startup to disabled. Also write down the name and path of the file listed in the Path to executable field. This filename must be deleted below.

Step 2:

Press control-alt-delete to get into the task manager and end the follow processes if they exist:

C:\WINDOWS\system32\mfcix.exe

Step 3:
I now need you to delete the following files:

C:\WINDOWS\system32\mfcix.exe << This file
C:\WINDOWS\appxf.exe << This file
C:\WINDOWS\system32\tybvs.dll << This file
C:\WINDOWS\system32\sysju32.dll << This file
C:\WINDOWS\crnn.dll << This file
C:\WINDOWS\apier.dll << This file
C:\WINDOWS\system32\atlvj32.dll << This file
C:\WINDOWS\system32\apigb.dll << This file
C:\WINDOWS\system32\javabh32.dll << This file
C:\WINDOWS\system32\mfccq32.dll << This file
C:\WINDOWS\javazx.dll << This file
C:\WINDOWS\system32\javaxo.dll << This file
C:\WINDOWS\system32\addyh32.exe << This file
C:\WINDOWS\system32\iptl32.exe << This file
C:\WINDOWS\apiis32.exe << This file
C:\WINDOWS\crdx.exe << This file
C:\WINDOWS\system32\sysek.exe << This file
C:\WINDOWS\mfcri32.exe << This file
C:\WINDOWS\winug32.exe << This file
C:\WINDOWS\system32\apihm32.exe << This file
C:\WINDOWS\atlie.exe << This file
C:\WINDOWS\sdkdc.exe << This file
C:\WINDOWS\nettp.exe << This file
C:\WINDOWS\crnn.exe << This file
C:\WINDOWS\system32\mfctj.exe << This file
C:\WINDOWS\system32\sdkoh32.exe << This file
C:\WINDOWS\mspu32.exe << This file
C:\WINDOWS\atlvd.exe << This file
C:\WINDOWS\sdkqb32.exe << This file
C:\WINDOWS\system32\msdz32.exe << This file
C:\WINDOWS\system32\atlxw.exe << This file
C:\WINDOWS\winku.exe << This file
C:\WINDOWS\system32\javauz32.exe << This file
C:\WINDOWS\syspf.exe << This file
C:\WINDOWS\system32\d3lz.exe << This file
C:\WINDOWS\system32\appfe32.exe << This file
C:\WINDOWS\ieba.exe << This file
C:\WINDOWS\atlwy32.exe << This file
C:\WINDOWS\sdkxz.exe << This file
C:\WINDOWS\mfcct.exe << This file
C:\WINDOWS\netny.exe << This file
C:\WINDOWS\crzd32.exe << This file
C:\WINDOWS\system32\netpf32.exe << This file
C:\WINDOWS\system32\sysjo.exe << This file
C:\WINDOWS\apieu32.exe << This file
C:\WINDOWS\winvr.exe << This file
C:\WINDOWS\system32\apika.exe << This file
C:\WINDOWS\javawy32.exe << This file
C:\WINDOWS\system32\netmf.exe << This file
C:\WINDOWS\system32\javahw32.exe << This file
C:\WINDOWS\mfcny.exe << This file
C:\WINDOWS\sdkao32.exe << This file
C:\WINDOWS\system32\ipjg32.exe << This file
C:\WINDOWS\mfcbu.exe << This file
C:\WINDOWS\atlbm.exe << This file
C:\WINDOWS\system32\sdknk32.exe << This file
C:\WINDOWS\ieou.exe << This file
C:\WINDOWS\system32\javasq32.exe << This file
C:\WINDOWS\system32\winnw.exe << This file
C:\WINDOWS\system32\sdkzf32.exe << This file
C:\WINDOWS\mfcoj.exe << This file
C:\WINDOWS\system32\apilz32.exe << This file
C:\WINDOWS\javavs32.exe << This file
C:\WINDOWS\syshq.exe << This file
C:\WINDOWS\appxr32.exe << This file
C:\WINDOWS\system32\apitf.exe << This file
C:\WINDOWS\javaol.exe << This file
C:\WINDOWS\winjk.exe << This file
C:\WINDOWS\netei.exe << This file
C:\WINDOWS\system32\mstd.exe << This file
C:\WINDOWS\applk32.exe << This file
C:\WINDOWS\system32\appwp.exe << This file
C:\WINDOWS\sdkwj.exe << This file
C:\WINDOWS\system32\addim32.exe << This file
C:\WINDOWS\crdf32.exe << This file
C:\WINDOWS\system32\iesi32.exe << This file
C:\WINDOWS\system32\winij32.exe << This file
C:\WINDOWS\system32\netvh.exe << This file
C:\WINDOWS\system32\addsh.exe << This file
C:\WINDOWS\system32\netne.exe << This file
C:\WINDOWS\system32\ieqe32.exe << This file
C:\WINDOWS\system32\ntmw.exe << This file
C:\WINDOWS\d3zu.exe << This file


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.

Step 4:
Then close all programs and windows and run hijackthis. Put a checkmark next to each of these entries and press the fix button when ready:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tybvs.dll/sp.html#93256

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {147C0B30-AF21-31CA-8710-729D602064B3} - C:\WINDOWS\system32\javaxo.dll
O2 - BHO: Class - {3C14482F-CF46-FEFF-C35C-99CDA3BF02AB} - C:\WINDOWS\javazx.dll
O2 - BHO: Class - {58BA44D2-4E05-CF21-D46C-343B479557D8} - C:\WINDOWS\system32\mfccq32.dll
O2 - BHO: Class - {6CD27622-433E-7933-47AD-5AC97903406A} - C:\WINDOWS\system32\javabh32.dll
O2 - BHO: Class - {A89630A0-A2FA-322C-0FBE-630AC13A1A75} - C:\WINDOWS\system32\apigb.dll
O2 - BHO: Class - {CE9F8009-C44E-E5EA-C0CB-75CE8EB66346} - C:\WINDOWS\system32\atlvj32.dll
O2 - BHO: Class - {CF0DB4C8-F2F7-EF01-C711-E29AA80B3432} - C:\WINDOWS\apier.dll
O2 - BHO: Class - {E15DD854-133F-0338-F25B-C7118EE63F1C} - C:\WINDOWS\crnn.dll
O2 - BHO: Class - {E616513A-40E1-2657-5238-EAF908483D9A} - C:\WINDOWS\system32\sysju32.dll

O4 - HKLM\..\Run: [mfcix.exe] C:\WINDOWS\system32\mfcix.exe
O4 - HKLM\..\RunOnce: [appxf.exe] C:\WINDOWS\appxf.exe
O4 - HKLM\..\RunOnce: [d3zu.exe] C:\WINDOWS\d3zu.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\system32\ntmw.exe
O4 - HKLM\..\RunOnce: [ieqe32.exe] C:\WINDOWS\system32\ieqe32.exe
O4 - HKLM\..\RunOnce: [netne.exe] C:\WINDOWS\system32\netne.exe
O4 - HKLM\..\RunOnce: [addsh.exe] C:\WINDOWS\system32\addsh.exe
O4 - HKLM\..\RunOnce: [netvh.exe] C:\WINDOWS\system32\netvh.exe
O4 - HKLM\..\RunOnce: [winij32.exe] C:\WINDOWS\system32\winij32.exe
O4 - HKLM\..\RunOnce: [iesi32.exe] C:\WINDOWS\system32\iesi32.exe
O4 - HKLM\..\RunOnce: [crdf32.exe] C:\WINDOWS\crdf32.exe
O4 - HKLM\..\RunOnce: [addim32.exe] C:\WINDOWS\system32\addim32.exe
O4 - HKLM\..\RunOnce: [sdkwj.exe] C:\WINDOWS\sdkwj.exe
O4 - HKLM\..\RunOnce: [appwp.exe] C:\WINDOWS\system32\appwp.exe
O4 - HKLM\..\RunOnce: [applk32.exe] C:\WINDOWS\applk32.exe
O4 - HKLM\..\RunOnce: [mstd.exe] C:\WINDOWS\system32\mstd.exe
O4 - HKLM\..\RunOnce: [netei.exe] C:\WINDOWS\netei.exe
O4 - HKLM\..\RunOnce: [winjk.exe] C:\WINDOWS\winjk.exe
O4 - HKLM\..\RunOnce: [javaol.exe] C:\WINDOWS\javaol.exe
O4 - HKLM\..\RunOnce: [apitf.exe] C:\WINDOWS\system32\apitf.exe
O4 - HKLM\..\RunOnce: [appxr32.exe] C:\WINDOWS\appxr32.exe
O4 - HKLM\..\RunOnce: [syshq.exe] C:\WINDOWS\syshq.exe
O4 - HKLM\..\RunOnce: [javavs32.exe] C:\WINDOWS\javavs32.exe
O4 - HKLM\..\RunOnce: [apilz32.exe] C:\WINDOWS\system32\apilz32.exe
O4 - HKLM\..\RunOnce: [mfcoj.exe] C:\WINDOWS\mfcoj.exe
O4 - HKLM\..\RunOnce: [sdkzf32.exe] C:\WINDOWS\system32\sdkzf32.exe
O4 - HKLM\..\RunOnce: [winnw.exe] C:\WINDOWS\system32\winnw.exe
O4 - HKLM\..\RunOnce: [javasq32.exe] C:\WINDOWS\system32\javasq32.exe
O4 - HKLM\..\RunOnce: [ieou.exe] C:\WINDOWS\ieou.exe
O4 - HKLM\..\RunOnce: [sdknk32.exe] C:\WINDOWS\system32\sdknk32.exe
O4 - HKLM\..\RunOnce: [atlbm.exe] C:\WINDOWS\atlbm.exe
O4 - HKLM\..\RunOnce: [mfcbu.exe] C:\WINDOWS\mfcbu.exe
O4 - HKLM\..\RunOnce: [ipjg32.exe] C:\WINDOWS\system32\ipjg32.exe
O4 - HKLM\..\RunOnce: [sdkao32.exe] C:\WINDOWS\sdkao32.exe
O4 - HKLM\..\RunOnce: [mfcny.exe] C:\WINDOWS\mfcny.exe
O4 - HKLM\..\RunOnce: [javahw32.exe] C:\WINDOWS\system32\javahw32.exe
O4 - HKLM\..\RunOnce: [netmf.exe] C:\WINDOWS\system32\netmf.exe
O4 - HKLM\..\RunOnce: [javawy32.exe] C:\WINDOWS\javawy32.exe
O4 - HKLM\..\RunOnce: [apika.exe] C:\WINDOWS\system32\apika.exe
O4 - HKLM\..\RunOnce: [winvr.exe] C:\WINDOWS\winvr.exe
O4 - HKLM\..\RunOnce: [apieu32.exe] C:\WINDOWS\apieu32.exe
O4 - HKLM\..\RunOnce: [sysjo.exe] C:\WINDOWS\system32\sysjo.exe
O4 - HKLM\..\RunOnce: [netpf32.exe] C:\WINDOWS\system32\netpf32.exe
O4 - HKLM\..\RunOnce: [crzd32.exe] C:\WINDOWS\crzd32.exe
O4 - HKLM\..\RunOnce: [netny.exe] C:\WINDOWS\netny.exe
O4 - HKLM\..\RunOnce: [mfcct.exe] C:\WINDOWS\mfcct.exe
O4 - HKLM\..\RunOnce: [sdkxz.exe] C:\WINDOWS\sdkxz.exe
O4 - HKLM\..\RunOnce: [atlwy32.exe] C:\WINDOWS\atlwy32.exe
O4 - HKLM\..\RunOnce: [ieba.exe] C:\WINDOWS\ieba.exe
O4 - HKLM\..\RunOnce: [appfe32.exe] C:\WINDOWS\system32\appfe32.exe
O4 - HKLM\..\RunOnce: [d3lz.exe] C:\WINDOWS\system32\d3lz.exe
O4 - HKLM\..\RunOnce: [syspf.exe] C:\WINDOWS\syspf.exe
O4 - HKLM\..\RunOnce: [javauz32.exe] C:\WINDOWS\system32\javauz32.exe
O4 - HKLM\..\RunOnce: [winku.exe] C:\WINDOWS\winku.exe
O4 - HKLM\..\RunOnce: [atlxw.exe] C:\WINDOWS\system32\atlxw.exe
O4 - HKLM\..\RunOnce: [msdz32.exe] C:\WINDOWS\system32\msdz32.exe
O4 - HKLM\..\RunOnce: [sdkqb32.exe] C:\WINDOWS\sdkqb32.exe
O4 - HKLM\..\RunOnce: [atlvd.exe] C:\WINDOWS\atlvd.exe
O4 - HKLM\..\RunOnce: [mspu32.exe] C:\WINDOWS\mspu32.exe
O4 - HKLM\..\RunOnce: [sdkoh32.exe] C:\WINDOWS\system32\sdkoh32.exe
O4 - HKLM\..\RunOnce: [mfctj.exe] C:\WINDOWS\system32\mfctj.exe
O4 - HKLM\..\RunOnce: [crnn.exe] C:\WINDOWS\crnn.exe
O4 - HKLM\..\RunOnce: [nettp.exe] C:\WINDOWS\nettp.exe
O4 - HKLM\..\RunOnce: [sdkdc.exe] C:\WINDOWS\sdkdc.exe
O4 - HKLM\..\RunOnce: [atlie.exe] C:\WINDOWS\atlie.exe
O4 - HKLM\..\RunOnce: [apihm32.exe] C:\WINDOWS\system32\apihm32.exe
O4 - HKLM\..\RunOnce: [winug32.exe] C:\WINDOWS\winug32.exe
O4 - HKLM\..\RunOnce: [mfcri32.exe] C:\WINDOWS\mfcri32.exe
O4 - HKLM\..\RunOnce: [sysek.exe] C:\WINDOWS\system32\sysek.exe
O4 - HKLM\..\RunOnce: [crdx.exe] C:\WINDOWS\crdx.exe
O4 - HKLM\..\RunOnce: [apiis32.exe] C:\WINDOWS\apiis32.exe
O4 - HKLM\..\RunOnce: [iptl32.exe] C:\WINDOWS\system32\iptl32.exe
O4 - HKLM\..\RunOnce: [addyh32.exe] C:\WINDOWS\system32\addyh32.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\appxf.exe" /s (file missing)

Step 5:

In the next step we are going to remove a service that gets installed by this malware.

Go to Start>Run and type regedit.

Press enter.

Navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Remote Procedure Call (RPC) Helper

If Remote Procedure Call (RPC) Helper exists , right click on it and choose delete from the menu.

Now navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_Remote Procedure Call (RPC) Helper

If LEGACY_Remote Procedure Call (RPC) Helper exists then right click on it and choose delete from the menu.

If you have trouble deleting a key. Then click once on the key name to highlight it and click on the Permission menu option under Security or Edit. Then Uncheck "Allow inheritible permissions" and press copy. Then click on everyone and put a checkmark in "full control". Then press apply and ok and attempt to delete the key again.


Step 6:

This is the step where we will use About:Buster that you had downloaded previously.

Navigate to the c:\aboutbuster directory and double-click on aboutbuster.exe When the tool is open press the OK button, then the Start button, then the OK button, and then finally the Yes button. It will start scanning your computer for files. If it asks if you would like to do a second pass, allow it to do so.

When it completed move on to step 7.

Step 7:

Copy the contents of the Quote Box below to Notepad.
Name the file as fix.reg
Change the Save as Type to All Files
Save this file on the desktop

REGEDIT4


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.

Step 8:
Reboot your computer back to normal mode so that we can see if we need to restore some deleted files:

• Download the Hoster from here. Press "Restore Original Hosts" and press "OK". Exit Program. This will restore the original deleted Hosts file.
• If you have Spybot S&D installed you will also need to replace one file. Go here: Merijn's Files (sdhelper) and download SDHelper.dll. Copy the file to the folder containing you Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy). Then click Start > Run > regsvr32 "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" and press the OK button
• If you are using Windows 95, 98, or ME it is possible that the malware deleted your control.exe. Please check for the existence of this file by going to to Merijn Files control.exe and examine where the file should be for your operating system. If the file is missing then download the appropriate file and place it in the proper place according to this information.
• Open IE, go to Tools>Internet Options>then click on the security tab, then click on custon label. Check the following settings:
  • Download Signed ActiveX controls-set to Prompt.
  • Download Un-Signed ActiveX controls-set to Disable.
  • Initialize and script ActiveX controls marked as unsafe-set to disable.
  
  Step 9:
  
  Run an online antivirus scan at:
  
  http://housecall.antivirus.com/
  
  Reboot and post another hijackthis log.

piojis76

Hello Crunchie! Hope your day is going well...as for me? aaaugh!! Ok...this time around was a little more of a pain in the butt...i attempted to follow everything to the letter. Under Step 1. I didn't find Remote Procedure Call (RPC) Helper...I only found: Remote Procedure Call (RPC) and Remote Procedure Call (RPC) Locator...is this the same thing?? I didn't remove these. Under Step 2. I didn't find the C:\Windows\system32\mfcix.exe. Under Step 3., the only one that I couldn't find and remove, was C:\windows\system32\tybvs.dll . All went well, up to Step 8. (by the way, do i remove the fix.reg file now, or leave it on the desktop? also, do i click on empty, for all of the files that i had sent to the trash can?)...so by the time that I got to Step 8., I couldn't download the Hoster by clicking on the space provided...an error appeared, telling me something like...cannot open this web page to begin download from AOL, or something to that effect. I cannot open the Internet Explorer, I only made sure to set those settings you listed, by right clicking on it, and going to properties. At restarting the computer, it does tell me that I have some files missing, but like I said, I can't seem to go to the Hoster download page, to replace those missing host files. Did the online antivirus scan, and removed any viruses, trojans, etc...that it found. This is the new hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 4:40:47 PM, on 7/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\mskw32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {013F24B1-25D3-D680-A8D0-B7907A9877AB} - C:\WINDOWS\javatr32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {1786759F-BABF-3C1F-C683-643B7BAA6EFD} - C:\WINDOWS\system32\sysgx.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Class - {5AE85150-CC38-B626-9067-463150E44F68} - C:\WINDOWS\system32\netmv.dll
O2 - BHO: Class - {C0E590F8-92A7-8A8F-B621-507AEDA3404F} - C:\WINDOWS\sdktc32.dll
O2 - BHO: Class - {E8A24F81-F9FE-B428-CFF6-913E5B4C1A5F} - C:\WINDOWS\mfccd32.dll
O2 - BHO: Class - {FEE73D5B-75B8-1330-363E-B5C6A764481D} - C:\WINDOWS\system32\apibv32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1112160586\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [waol.exe] C:\Program Files\America Online 9.0\waol.exe
O4 - HKLM\..\Run: [apibv32.exe] C:\WINDOWS\system32\apibv32.exe
O4 - HKLM\..\Run: [mskw32.exe] C:\WINDOWS\mskw32.exe
O4 - HKLM\..\RunOnce: [ntbt.exe] C:\WINDOWS\ntbt.exe
O4 - HKLM\..\RunOnce: [apphn32.exe] C:\WINDOWS\system32\apphn32.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\iefc.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe
O4 - HKLM\..\RunOnce: [winwa.exe] C:\WINDOWS\system32\winwa.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntbt.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



As i mentioned before, I can't seem to get rid of this one: O23 - Service: RemoteProcedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntbt.exe" /s (file missing) ...this part seems to always change, but whenever I attempt to remove this in safe mode, it doesn't even show up. Would I be able to just reinstall Windows XP?? would this solve anything?? Thank you!!!! Cynthia

Crunchie

The only other way to remove this is to reformat. A reinstall over the top will not work.
Let's try it this way;

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\ccojk.dll/sp.html#93256

R3 - Default URLSearchHook is missing
O2 - BHO: Class - {013F24B1-25D3-D680-A8D0-B7907A9877AB} - C:\WINDOWS\javatr32.dll
O2 - BHO: Class - {1786759F-BABF-3C1F-C683-643B7BAA6EFD} - C:\WINDOWS\system32\sysgx.dll
O2 - BHO: Class - {5AE85150-CC38-B626-9067-463150E44F68} - C:\WINDOWS\system32\netmv.dll
O2 - BHO: Class - {C0E590F8-92A7-8A8F-B621-507AEDA3404F} - C:\WINDOWS\sdktc32.dll
O2 - BHO: Class - {E8A24F81-F9FE-B428-CFF6-913E5B4C1A5F} - C:\WINDOWS\mfccd32.dll
O2 - BHO: Class - {FEE73D5B-75B8-1330-363E-B5C6A764481D} - C:\WINDOWS\system32\apibv32.dll

O4 - HKLM\..\Run: [apibv32.exe] C:\WINDOWS\system32\apibv32.exe
O4 - HKLM\..\Run: [mskw32.exe] C:\WINDOWS\mskw32.exe
O4 - HKLM\..\RunOnce: [ntbt.exe] C:\WINDOWS\ntbt.exe
O4 - HKLM\..\RunOnce: [apphn32.exe] C:\WINDOWS\system32\apphn32.exe
O4 - HKLM\..\RunOnce: [iefc.exe] C:\WINDOWS\iefc.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\system32\sdkqt.exe
O4 - HKLM\..\RunOnce: [winwa.exe] C:\WINDOWS\system32\winwa.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\ntbt.exe" /s (file missing)

=====

Now make sure you have all hidden files showing and delete the following;

C:\WINDOWS\ntbt.exe << This file
C:\WINDOWS\system32\winwa.exe << This file
C:\WINDOWS\system32\sdkqt.exe << This file
C:\WINDOWS\iefc.exe << This file
C:\WINDOWS\system32\apphn32.exe << This file
C:\WINDOWS\ntbt.exe << This file
C:\WINDOWS\mskw32.exe << This file
C:\WINDOWS\system32\apibv32.exe << This file
C:\WINDOWS\system32\apibv32.dll << This file
C:\WINDOWS\mfccd32.dll << This file
C:\WINDOWS\sdktc32.dll << This file
C:\WINDOWS\system32\netmv.dll << This file
C:\WINDOWS\system32\ccojk.dll << This file
C:\WINDOWS\mskw32.exe << This file


Now I need you to reboot, but not the normal way. Just cut the power off at the supply by pulling the plug out. Just pull it straight out .
When done, power up your PC again and post me a new log.

This may need to be done a few times, but it does work.

piojis76

Hello!! Ok, after having removed the above mentioned, I pulled the plug like you said, and restarted the computer...did this about 4 times. When the computer was starting up again, this message window appeared: The application or DLL C:\Windows\sdlkuz.dll is not a valid windows image. Please check this against your installation diskette. Now, you can substitute the "sdlkuz.dll" for any of the following which appeared later: addng32.dll, sysku32.dll, mseu32.dll, apica.dll, netng32.dll, sdkje.dll, etc... This is the new hijack this log:


Logfile of HijackThis v1.99.1
Scan saved at 4:30:09 AM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\netng32.exe
C:\WINDOWS\appcr32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {2F7660FB-0CEA-4B11-A8C5-3175CFDBA441} - C:\WINDOWS\system32\windj32.dll
O2 - BHO: Class - {3994D006-1B85-818F-01F5-E63FEB7A0D79} - C:\WINDOWS\system32\crie.dll
O2 - BHO: Class - {67963FF8-29E8-0CE5-8A74-A47B4CB75963} - C:\WINDOWS\system32\netng32.dll
O2 - BHO: Class - {F9A5B906-BB1D-3F82-4F5F-40683B5388DB} - C:\WINDOWS\crkn.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [netng32.exe] C:\WINDOWS\system32\netng32.exe
O4 - HKLM\..\RunOnce: [addug.exe] C:\WINDOWS\system32\addug.exe
O4 - HKLM\..\RunOnce: [mfcig.exe] C:\WINDOWS\mfcig.exe
O4 - HKLM\..\RunOnce: [mfclg32.exe] C:\WINDOWS\mfclg32.exe
O4 - HKLM\..\RunOnce: [javaeq32.exe] C:\WINDOWS\system32\javaeq32.exe
O4 - HKLM\..\RunOnce: [appcr32.exe] C:\WINDOWS\appcr32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addug.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


Some of the files that I've removed, keep coming back, I don't understand. This is so frustrating!! I can only imagine what a pain it is for you. Thank you once again! Cynthia

Crunchie

I need you to reboot (by unplugging your pc) just the once, then post a new log. The reason being the file name changes, as you have seen . I should have been more clear where I wrote this may take a few tries .

Sooooooo, scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {2F7660FB-0CEA-4B11-A8C5-3175CFDBA441} - C:\WINDOWS\system32\windj32.dll
O2 - BHO: Class - {3994D006-1B85-818F-01F5-E63FEB7A0D79} - C:\WINDOWS\system32\crie.dll
O2 - BHO: Class - {67963FF8-29E8-0CE5-8A74-A47B4CB75963} - C:\WINDOWS\system32\netng32.dll
O2 - BHO: Class - {F9A5B906-BB1D-3F82-4F5F-40683B5388DB} - C:\WINDOWS\crkn.dll

O4 - HKLM\..\Run: [netng32.exe] C:\WINDOWS\system32\netng32.exe
O4 - HKLM\..\RunOnce: [addug.exe] C:\WINDOWS\system32\addug.exe
O4 - HKLM\..\RunOnce: [mfcig.exe] C:\WINDOWS\mfcig.exe
O4 - HKLM\..\RunOnce: [mfclg32.exe] C:\WINDOWS\mfclg32.exe
O4 - HKLM\..\RunOnce: [javaeq32.exe] C:\WINDOWS\system32\javaeq32.exe
O4 - HKLM\..\RunOnce: [appcr32.exe] C:\WINDOWS\appcr32.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addug.exe" /s (file missing)

Once you have hit the 'fix checked,' with IE closed, manually delete the following;

C:\WINDOWS\crkn.dll << This file
C:\WINDOWS\system32\netng32.dll << This file
C:\WINDOWS\system32\crie.dll << This file
C:\WINDOWS\system32\windj32.dll << This file
C:\WINDOWS\appcr32.exe << This file
C:\WINDOWS\system32\javaeq32.exe << This file
C:\WINDOWS\mfclg32.exe << This file
C:\WINDOWS\mfcig.exe << This file
C:\WINDOWS\system32\addug.exe << This file
C:\WINDOWS\system32\netng32.exe << This file
C:\WINDOWS\system32\addug.exe << This file

now, pull the plug on your PC, boot up again, rescan with hijackthis and post the new log.

Don't worry, it's not a pain for me . This is how I wind down after 11 hours at work .

piojis76

after 11 hours of work?? lol, you're a better person than I crunchie, a better person than I!

Ok...I unplugged my pc, rebooted, ran hijack this, deleted the above mentioned, then manually deleted the files in the windows folder (not all were found), pulled the plug on the pc, rebooted, (at reboot, like 2 or 3 times, the same window popped up again; the "The application or dll c:\windows\?????.dll is not a valid windows image. Please check this against your insatallation diskette" [of course the ????? being whatever name it changed to this time]) scanned again with hijack this, and this is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 12:55:47 PM, on 7/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\ipdf.exe
C:\WINDOWS\msfz.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\America Online 9.0\waol.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {05563232-5F02-763A-E92E-D32E0B4BF53F} - C:\WINDOWS\crhh.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {0D9DA35A-C512-C97C-CC71-F48764CADFB4} - C:\WINDOWS\system32\ipdf.dll
O2 - BHO: Class - {16D93A20-4593-E7A7-4A6A-2D8F46FA9784} - C:\WINDOWS\ipzm32.dll
O2 - BHO: Class - {17430854-4E14-06E8-8573-05BB1F5E5DF6} - C:\WINDOWS\d3vu.dll
O2 - BHO: Class - {3708CD34-8174-A47E-9567-68786B0AE85F} - C:\WINDOWS\system32\d3jj.dll
O2 - BHO: Class - {43DB29D4-B055-B011-24C0-044F81AC210D} - C:\WINDOWS\addcf.dll
O2 - BHO: Class - {758EC25A-11D7-6312-0626-180A669A98BF} - C:\WINDOWS\addeo32.dll
O2 - BHO: Class - {9B293A2D-7FF9-2CB8-C184-A394A6D55F31} - C:\WINDOWS\system32\netpl32.dll
O2 - BHO: Class - {DF7AF568-EF3E-A828-A764-D93713B760D7} - C:\WINDOWS\netmb32.dll
O2 - BHO: Class - {E7B7CDD4-4537-5090-F6CC-5CC180B3DD91} - C:\WINDOWS\system32\addav.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ipdf.exe] C:\WINDOWS\system32\ipdf.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\system32\msab.exe
O4 - HKLM\..\RunOnce: [atlbd.exe] C:\WINDOWS\system32\atlbd.exe
O4 - HKLM\..\RunOnce: [atlrk.exe] C:\WINDOWS\system32\atlrk.exe
O4 - HKLM\..\RunOnce: [d3mi.exe] C:\WINDOWS\d3mi.exe
O4 - HKLM\..\RunOnce: [apprs.exe] C:\WINDOWS\system32\apprs.exe
O4 - HKLM\..\RunOnce: [ipdi.exe] C:\WINDOWS\system32\ipdi.exe
O4 - HKLM\..\RunOnce: [apphr.exe] C:\WINDOWS\system32\apphr.exe
O4 - HKLM\..\RunOnce: [ieqa.exe] C:\WINDOWS\ieqa.exe
O4 - HKLM\..\RunOnce: [addej.exe] C:\WINDOWS\system32\addej.exe
O4 - HKLM\..\RunOnce: [addgq32.exe] C:\WINDOWS\system32\addgq32.exe
O4 - HKLM\..\RunOnce: [crzg.exe] C:\WINDOWS\system32\crzg.exe
O4 - HKLM\..\RunOnce: [addly.exe] C:\WINDOWS\addly.exe
O4 - HKLM\..\RunOnce: [msys.exe] C:\WINDOWS\msys.exe
O4 - HKLM\..\RunOnce: [appdu.exe] C:\WINDOWS\system32\appdu.exe
O4 - HKLM\..\RunOnce: [ieby.exe] C:\WINDOWS\ieby.exe
O4 - HKLM\..\RunOnce: [ipho32.exe] C:\WINDOWS\system32\ipho32.exe
O4 - HKLM\..\RunOnce: [javamt.exe] C:\WINDOWS\system32\javamt.exe
O4 - HKLM\..\RunOnce: [netca.exe] C:\WINDOWS\netca.exe
O4 - HKLM\..\RunOnce: [iefa.exe] C:\WINDOWS\system32\iefa.exe
O4 - HKLM\..\RunOnce: [ntqn.exe] C:\WINDOWS\system32\ntqn.exe
O4 - HKLM\..\RunOnce: [d3au.exe] C:\WINDOWS\system32\d3au.exe
O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\msfz.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addug.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


Ok, happy unwinding! Cynthia

Crunchie

. I need to stress that you should only unplug once before posting another log. These files end up multiplying, as you can see .
Also, once you have posted, leave your pc turned on until you see my reply to your last post. Do not run any other removers such as Adaware etc as this too will cause the files to muliply. They are like rabbits .

=

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O2 - BHO: Class - {05563232-5F02-763A-E92E-D32E0B4BF53F} - C:\WINDOWS\crhh.dll
O2 - BHO: Class - {0D9DA35A-C512-C97C-CC71-F48764CADFB4} - C:\WINDOWS\system32\ipdf.dll
O2 - BHO: Class - {16D93A20-4593-E7A7-4A6A-2D8F46FA9784} - C:\WINDOWS\ipzm32.dll
O2 - BHO: Class - {17430854-4E14-06E8-8573-05BB1F5E5DF6} - C:\WINDOWS\d3vu.dll
O2 - BHO: Class - {3708CD34-8174-A47E-9567-68786B0AE85F} - C:\WINDOWS\system32\d3jj.dll
O2 - BHO: Class - {43DB29D4-B055-B011-24C0-044F81AC210D} - C:\WINDOWS\addcf.dll
O2 - BHO: Class - {758EC25A-11D7-6312-0626-180A669A98BF} - C:\WINDOWS\addeo32.dll
O2 - BHO: Class - {9B293A2D-7FF9-2CB8-C184-A394A6D55F31} - C:\WINDOWS\system32\netpl32.dll
O2 - BHO: Class - {DF7AF568-EF3E-A828-A764-D93713B760D7} - C:\WINDOWS\netmb32.dll
O2 - BHO: Class - {E7B7CDD4-4537-5090-F6CC-5CC180B3DD91} - C:\WINDOWS\system32\addav.dll

O4 - HKLM\..\Run: [ipdf.exe] C:\WINDOWS\system32\ipdf.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\system32\msab.exe
O4 - HKLM\..\RunOnce: [atlbd.exe] C:\WINDOWS\system32\atlbd.exe
O4 - HKLM\..\RunOnce: [atlrk.exe] C:\WINDOWS\system32\atlrk.exe
O4 - HKLM\..\RunOnce: [d3mi.exe] C:\WINDOWS\d3mi.exe
O4 - HKLM\..\RunOnce: [apprs.exe] C:\WINDOWS\system32\apprs.exe
O4 - HKLM\..\RunOnce: [ipdi.exe] C:\WINDOWS\system32\ipdi.exe
O4 - HKLM\..\RunOnce: [apphr.exe] C:\WINDOWS\system32\apphr.exe
O4 - HKLM\..\RunOnce: [ieqa.exe] C:\WINDOWS\ieqa.exe
O4 - HKLM\..\RunOnce: [addej.exe] C:\WINDOWS\system32\addej.exe
O4 - HKLM\..\RunOnce: [addgq32.exe] C:\WINDOWS\system32\addgq32.exe
O4 - HKLM\..\RunOnce: [crzg.exe] C:\WINDOWS\system32\crzg.exe
O4 - HKLM\..\RunOnce: [addly.exe] C:\WINDOWS\addly.exe
O4 - HKLM\..\RunOnce: [msys.exe] C:\WINDOWS\msys.exe
O4 - HKLM\..\RunOnce: [appdu.exe] C:\WINDOWS\system32\appdu.exe
O4 - HKLM\..\RunOnce: [ieby.exe] C:\WINDOWS\ieby.exe
O4 - HKLM\..\RunOnce: [ipho32.exe] C:\WINDOWS\system32\ipho32.exe
O4 - HKLM\..\RunOnce: [javamt.exe] C:\WINDOWS\system32\javamt.exe
O4 - HKLM\..\RunOnce: [netca.exe] C:\WINDOWS\netca.exe
O4 - HKLM\..\RunOnce: [iefa.exe] C:\WINDOWS\system32\iefa.exe
O4 - HKLM\..\RunOnce: [ntqn.exe] C:\WINDOWS\system32\ntqn.exe
O4 - HKLM\..\RunOnce: [d3au.exe] C:\WINDOWS\system32\d3au.exe
O4 - HKLM\..\RunOnce: [msfz.exe] C:\WINDOWS\msfz.exe

O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\addug.exe" /s (file missing

=========

Manually delete these;

C:\WINDOWS\system32\addug.exe << This file
C:\WINDOWS\msfz.exe << This file
C:\WINDOWS\system32\d3au.exe << This file
C:\WINDOWS\system32\ntqn.exe << This file
C:\WINDOWS\system32\iefa.exe << This file
C:\WINDOWS\netca.exe << This file
C:\WINDOWS\system32\javamt.exe << This file
C:\WINDOWS\system32\ipho32.exe << This file
C:\WINDOWS\ieby.exe << This file
C:\WINDOWS\system32\appdu.exe << This file
C:\WINDOWS\msys.exe << This file
C:\WINDOWS\addly.exe << This file
C:\WINDOWS\system32\crzg.exe << This file
C:\WINDOWS\system32\addgq32.exe << This file
C:\WINDOWS\system32\addej.exe << This file
C:\WINDOWS\ieqa.exe << This file
C:\WINDOWS\system32\apphr.exe << This file
C:\WINDOWS\system32\ipdi.exe << This file
C:\WINDOWS\system32\apprs.exe << This file
C:\WINDOWS\d3mi.exe << This file
C:\WINDOWS\system32\atlrk.exe << This file
C:\WINDOWS\system32\atlbd.exe << This file
C:\WINDOWS\system32\msab.exe << This file
C:\WINDOWS\system32\ipdf.exe << This file
C:\WINDOWS\system32\addav.dll << This file
C:\WINDOWS\netmb32.dll << This file
C:\WINDOWS\system32\netpl32.dll << This file
C:\WINDOWS\addeo32.dll << This file
C:\WINDOWS\addcf.dll << This file
C:\WINDOWS\system32\d3jj.dll << This file
C:\WINDOWS\d3vu.dll << This file
C:\WINDOWS\ipzm32.dll << This file
C:\WINDOWS\system32\ipdf.dll << This file
C:\WINDOWS\crhh.dll << This file

Make certain to have hidden files showing.

Now.........pull that plug boot up, post a log and wait for meeeeeeeeeeeeeeeee .

piojis76

i am sooo sorry!!! haha, i guess i'm just so wanting to get these little maggots off of my pc!!

ok, so i did everything that you said, not all of the files were found, and onlly pulled the plug once , and this is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 2:41:21 AM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\sdkeh.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\winiw.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {070C0DA5-4571-4CFF-83F7-EC2132306285} - C:\WINDOWS\system32\atleu.dll
O2 - BHO: Class - {3E7E5F4A-D54C-BA7F-16E3-59118D0D4537} - C:\WINDOWS\system32\sdktk32.dll
O2 - BHO: Class - {64E2E47A-49FE-6602-0901-F8F3172B36FC} - C:\WINDOWS\ntra32.dll
O2 - BHO: Class - {7C395C70-4770-1EBB-BEF0-A0B7926007FF} - C:\WINDOWS\mfcin.dll
O2 - BHO: Class - {B74D7ADF-0D9A-236B-88D0-5341D065D6CE} - C:\WINDOWS\system32\iejx32.dll
O2 - BHO: Class - {B78461F4-0E43-85FE-00B7-C15B18B07B4E} - C:\WINDOWS\system32\appru32.dll
O2 - BHO: Class - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3fo.dll
O2 - BHO: Class - {D3C119CE-37D6-4D5A-80A7-E1232404F760} - C:\WINDOWS\sdkhu32.dll
O2 - BHO: Class - {E5F499C9-52D4-E935-124C-655897AC38DF} - C:\WINDOWS\atlge.dll
O2 - BHO: Class - {E7D961DF-2ED7-0D81-86BF-69B1F3AC4663} - C:\WINDOWS\ielg32.dll
O2 - BHO: Class - {FD1BCAC3-5623-81C6-D10D-ABBD18FA773A} - C:\WINDOWS\ntpr32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [ippy.exe] C:\WINDOWS\ippy.exe
O4 - HKLM\..\Run: [winiw.exe] C:\WINDOWS\winiw.exe
O4 - HKLM\..\Run: [d3wb.exe] C:\WINDOWS\system32\d3wb.exe
O4 - HKLM\..\RunOnce: [javaoq32.exe] C:\WINDOWS\system32\javaoq32.exe
O4 - HKLM\..\RunOnce: [sdkic.exe] C:\WINDOWS\system32\sdkic.exe
O4 - HKLM\..\RunOnce: [sdklc32.exe] C:\WINDOWS\system32\sdklc32.exe
O4 - HKLM\..\RunOnce: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
O4 - HKLM\..\RunOnce: [appja.exe] C:\WINDOWS\system32\appja.exe
O4 - HKLM\..\RunOnce: [appbu.exe] C:\WINDOWS\system32\appbu.exe
O4 - HKLM\..\RunOnce: [syscz32.exe] C:\WINDOWS\system32\syscz32.exe
O4 - HKLM\..\RunOnce: [msrd32.exe] C:\WINDOWS\msrd32.exe
O4 - HKLM\..\RunOnce: [ntjb.exe] C:\WINDOWS\ntjb.exe
O4 - HKLM\..\RunOnce: [sdkrn32.exe] C:\WINDOWS\sdkrn32.exe
O4 - HKLM\..\RunOnce: [ipkn.exe] C:\WINDOWS\ipkn.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
O4 - HKLM\..\RunOnce: [msxf.exe] C:\WINDOWS\msxf.exe
O4 - HKLM\..\RunOnce: [iegx.exe] C:\WINDOWS\system32\iegx.exe
O4 - HKLM\..\RunOnce: [ieyn.exe] C:\WINDOWS\system32\ieyn.exe
O4 - HKLM\..\RunOnce: [d3wg32.exe] C:\WINDOWS\system32\d3wg32.exe
O4 - HKLM\..\RunOnce: [mfcns.exe] C:\WINDOWS\system32\mfcns.exe
O4 - HKLM\..\RunOnce: [sdkmv32.exe] C:\WINDOWS\system32\sdkmv32.exe
O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\system32\sdkeh.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msab.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe



ok, i'll wait for you!! cynthia

Crunchie

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

O2 - BHO: Class - {070C0DA5-4571-4CFF-83F7-EC2132306285} - C:\WINDOWS\system32\atleu.dll
O2 - BHO: Class - {3E7E5F4A-D54C-BA7F-16E3-59118D0D4537} - C:\WINDOWS\system32\sdktk32.dll
O2 - BHO: Class - {64E2E47A-49FE-6602-0901-F8F3172B36FC} - C:\WINDOWS\ntra32.dll
O2 - BHO: Class - {7C395C70-4770-1EBB-BEF0-A0B7926007FF} - C:\WINDOWS\mfcin.dll
O2 - BHO: Class - {B74D7ADF-0D9A-236B-88D0-5341D065D6CE} - C:\WINDOWS\system32\iejx32.dll
O2 - BHO: Class - {B78461F4-0E43-85FE-00B7-C15B18B07B4E} - C:\WINDOWS\system32\appru32.dll
O2 - BHO: Class - {BF696D27-7E68-2CD9-8E87-785201D029CB} - C:\WINDOWS\system32\d3fo.dll
O2 - BHO: Class - {D3C119CE-37D6-4D5A-80A7-E1232404F760} - C:\WINDOWS\sdkhu32.dll
O2 - BHO: Class - {E5F499C9-52D4-E935-124C-655897AC38DF} - C:\WINDOWS\atlge.dll
O2 - BHO: Class - {E7D961DF-2ED7-0D81-86BF-69B1F3AC4663} - C:\WINDOWS\ielg32.dll
O2 - BHO: Class - {FD1BCAC3-5623-81C6-D10D-ABBD18FA773A} - C:\WINDOWS\ntpr32.dll

O4 - HKLM\..\Run: [ippy.exe] C:\WINDOWS\ippy.exe
O4 - HKLM\..\Run: [winiw.exe] C:\WINDOWS\winiw.exe
O4 - HKLM\..\Run: [d3wb.exe] C:\WINDOWS\system32\d3wb.exe
O4 - HKLM\..\RunOnce: [javaoq32.exe] C:\WINDOWS\system32\javaoq32.exe
O4 - HKLM\..\RunOnce: [sdkic.exe] C:\WINDOWS\system32\sdkic.exe
O4 - HKLM\..\RunOnce: [sdklc32.exe] C:\WINDOWS\system32\sdklc32.exe
O4 - HKLM\..\RunOnce: [mfcwk.exe] C:\WINDOWS\mfcwk.exe
O4 - HKLM\..\RunOnce: [appja.exe] C:\WINDOWS\system32\appja.exe
O4 - HKLM\..\RunOnce: [appbu.exe] C:\WINDOWS\system32\appbu.exe
O4 - HKLM\..\RunOnce: [syscz32.exe] C:\WINDOWS\system32\syscz32.exe
O4 - HKLM\..\RunOnce: [msrd32.exe] C:\WINDOWS\msrd32.exe
O4 - HKLM\..\RunOnce: [ntjb.exe] C:\WINDOWS\ntjb.exe
O4 - HKLM\..\RunOnce: [sdkrn32.exe] C:\WINDOWS\sdkrn32.exe
O4 - HKLM\..\RunOnce: [ipkn.exe] C:\WINDOWS\ipkn.exe
O4 - HKLM\..\RunOnce: [mfcao.exe] C:\WINDOWS\mfcao.exe
O4 - HKLM\..\RunOnce: [msxf.exe] C:\WINDOWS\msxf.exe
O4 - HKLM\..\RunOnce: [iegx.exe] C:\WINDOWS\system32\iegx.exe
O4 - HKLM\..\RunOnce: [ieyn.exe] C:\WINDOWS\system32\ieyn.exe
O4 - HKLM\..\RunOnce: [d3wg32.exe] C:\WINDOWS\system32\d3wg32.exe
O4 - HKLM\..\RunOnce: [mfcns.exe] C:\WINDOWS\system32\mfcns.exe
O4 - HKLM\..\RunOnce: [sdkmv32.exe] C:\WINDOWS\system32\sdkmv32.exe
O4 - HKLM\..\RunOnce: [sdkeh.exe] C:\WINDOWS\system32\sdkeh.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msab.exe" /s (file missing)

Now manually delete these please;

C:\WINDOWS\system32\msab.exe << This file
C:\WINDOWS\system32\sdkeh.exe << This file
C:\WINDOWS\system32\sdkmv32.exe << This file
C:\WINDOWS\system32\mfcns.exe << This file
C:\WINDOWS\system32\d3wg32.exe << This file
C:\WINDOWS\system32\ieyn.exe << This file
C:\WINDOWS\system32\iegx.exe << This file
C:\WINDOWS\msxf.exe << This file
C:\WINDOWS\mfcao.exe << This file
C:\WINDOWS\ipkn.exe << This file
C:\WINDOWS\sdkrn32.exe << This file
C:\WINDOWS\ntjb.exe << This file
C:\WINDOWS\msrd32.exe << This file
C:\WINDOWS\system32\syscz32.exe << This file
C:\WINDOWS\system32\appbu.exe << This file
C:\WINDOWS\system32\appja.exe << This file
C:\WINDOWS\mfcwk.exe << This file
C:\WINDOWS\system32\sdklc32.exe << This file
C:\WINDOWS\system32\sdkic.exe << This file
C:\WINDOWS\system32\javaoq32.exe << This file
C:\WINDOWS\system32\d3wb.exe << This file
C:\WINDOWS\winiw.exe << This file
C:\WINDOWS\ippy.exe << This file
C:\WINDOWS\ntpr32.dll << This file
C:\WINDOWS\ielg32.dll << This file
C:\WINDOWS\atlge.dll << This file
C:\WINDOWS\sdkhu32.dll << This file
C:\WINDOWS\system32\d3fo.dll << This file
C:\WINDOWS\system32\appru32.dll << This file
C:\WINDOWS\system32\iejx32.dll << This file
C:\WINDOWS\mfcin.dll << This file
C:\WINDOWS\ntra32.dll << This file
C:\WINDOWS\system32\sdktk32.dll << This file
C:\WINDOWS\system32\atleu.dll << This file

Now, pull that plug again and we will go another round .

piojis76

good morning! ok, this is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 5:28:15 AM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\atltm.exe
C:\WINDOWS\ipmg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\system32\wuauclt.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {8A1767C4-2CF5-234A-F1BC-5C0E51691546} - C:\WINDOWS\atltm.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [atltm.exe] C:\WINDOWS\atltm.exe
O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\system32\appcd32.exe
O4 - HKLM\..\RunOnce: [ipmg.exe] C:\WINDOWS\ipmg.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msab.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


thank you and have a good day!! cynthia

Crunchie

Good morning . It's just about my bedtime here .
The files are disappearing now. That's good.

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows and hit the "Fix checked" button.

R3 - Default URLSearchHook is missing

O2 - BHO: Class - {8A1767C4-2CF5-234A-F1BC-5C0E51691546} - C:\WINDOWS\atltm.dll

O4 - HKLM\..\Run: [atltm.exe] C:\WINDOWS\atltm.exe
O4 - HKLM\..\RunOnce: [appcd32.exe] C:\WINDOWS\system32\appcd32.exe
O4 - HKLM\..\RunOnce: [ipmg.exe] C:\WINDOWS\ipmg.exe

O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msab.exe" /s (file missing)

Manually delete these;

C:\WINDOWS\system32\msab.exe << This file
C:\WINDOWS\ipmg.exe << This file
C:\WINDOWS\system32\appcd32.exe << This file
C:\WINDOWS\atltm.exe << This file
C:\WINDOWS\atltm.dll << This file

You know the routine by now . Hopefully this will be the last one.

piojis76

hello!! hopefully the last time?? don't get my hopes up! haha...especially not since i've seen the way that these things do multiply. before, you had mentioned something about reformatting then reinstalling? ok, whatever you see as best. thanks!! cynthia



Logfile of HijackThis v1.99.1
Scan saved at 4:34:14 PM, on 7/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\apihr32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {026DEDBF-DB64-0143-D3F3-260B28824F6B} - C:\WINDOWS\atlzi32.dll
O2 - BHO: Class - {02AEE941-B1DB-3EAC-10FE-5DE07E619636} - C:\WINDOWS\ievg32.dll
O2 - BHO: Class - {06174100-CAF8-CE60-F6D9-08763BA72C17} - C:\WINDOWS\atllt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {07BF4602-E2FB-340F-985F-24FA453D5964} - C:\WINDOWS\mfcrn.dll
O2 - BHO: Class - {0A644696-8F0D-3061-6A0B-EB8E60093173} - C:\WINDOWS\system32\javaov32.dll
O2 - BHO: Class - {248F4AA0-2FBE-AC94-9343-FA3E8832F5B2} - C:\WINDOWS\ntug.dll
O2 - BHO: Class - {2912C8B2-64D9-3DD4-6CBD-88EDB5B90BB3} - C:\WINDOWS\system32\sdkkk32.dll
O2 - BHO: Class - {2EFCBC86-74FE-6822-AD06-6DD1C36A6CEB} - C:\WINDOWS\system32\msom32.dll
O2 - BHO: Class - {41987358-FF78-2F11-FF4A-259601DF8EA1} - C:\WINDOWS\system32\mfctx32.dll
O2 - BHO: Class - {522DCDB2-3199-3427-AF7A-5B84CDB03151} - C:\WINDOWS\system32\sysxi.dll
O2 - BHO: Class - {64E5E8FA-69A1-48F4-8963-F00907CAAF17} - C:\WINDOWS\system32\ntwp.dll
O2 - BHO: Class - {68DE9027-1CBD-5899-FC4F-E5B84A8F6BE4} - C:\WINDOWS\sysjb.dll
O2 - BHO: Class - {7381F5E4-F3AE-9126-6767-3BFBA4EB86B1} - C:\WINDOWS\system32\javaqe32.dll
O2 - BHO: Class - {8A3A1428-A50F-394F-7CFB-789596227CC4} - C:\WINDOWS\sdkmt32.dll
O2 - BHO: Class - {960130C2-7AFF-4036-AC76-1E709CC49FD6} - C:\WINDOWS\system32\msec32.dll
O2 - BHO: Class - {964A4012-CC20-8074-D81C-7B1ADC8C94FC} - C:\WINDOWS\winnm.dll
O2 - BHO: Class - {9ABD69B7-3078-E340-94CB-F16AA6983B61} - C:\WINDOWS\system32\appxz32.dll
O2 - BHO: Class - {A12F8C71-8266-116B-4118-FD5124D815E9} - C:\WINDOWS\sdkaa32.dll
O2 - BHO: Class - {AF5FDECD-1ED9-A1EC-D3B8-8211759346FD} - C:\WINDOWS\ieqv32.dll
O2 - BHO: Class - {BC7DB33E-B485-74E1-3215-A22E5CE36789} - C:\WINDOWS\ipiv.dll
O2 - BHO: Class - {C8C966DD-1537-9AB7-2EF4-DFEF1A1C8D24} - C:\WINDOWS\system32\mfcpe.dll
O2 - BHO: Class - {C964E137-AC20-F832-469A-869B7E738F46} - C:\WINDOWS\system32\apihr32.dll
O2 - BHO: Class - {CA46CB74-D4B2-9E7F-A17F-D83F0FCBE44D} - C:\WINDOWS\apidy32.dll
O2 - BHO: Class - {D017A1A4-51FE-686D-883E-896573BFFC91} - C:\WINDOWS\system32\atlbj.dll
O2 - BHO: Class - {D9C0B1C1-84B5-7F4A-70E8-5A3C089B2899} - C:\WINDOWS\system32\sdkyz.dll
O2 - BHO: Class - {DCAB9C0C-A653-82EF-F2B8-5AF28CEE929C} - C:\WINDOWS\mscb.dll
O2 - BHO: Class - {DED97D10-10D8-9715-F48F-206EC1143F3F} - C:\WINDOWS\system32\ntse.dll
O2 - BHO: Class - {F69DCEAD-6CC6-CBB5-F9DA-5E5C2429FD6E} - C:\WINDOWS\system32\iesx32.dll
O2 - BHO: Class - {F81F861E-BD6D-4CF2-2AC2-69DCF3E68324} - C:\WINDOWS\system32\atlnc.dll
O2 - BHO: Class - {F853A78A-343F-AC2C-6EC1-7AD1A007D9CD} - C:\WINDOWS\system32\syshr.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [apihr32.exe] C:\WINDOWS\system32\apihr32.exe
O4 - HKLM\..\RunOnce: [ipgw32.exe] C:\WINDOWS\system32\ipgw32.exe
O4 - HKLM\..\RunOnce: [ntug.exe] C:\WINDOWS\system32\ntug.exe
O4 - HKLM\..\RunOnce: [javaij32.exe] C:\WINDOWS\system32\javaij32.exe
O4 - HKLM\..\RunOnce: [crvn32.exe] C:\WINDOWS\system32\crvn32.exe
O4 - HKLM\..\RunOnce: [netjy32.exe] C:\WINDOWS\netjy32.exe
O4 - HKLM\..\RunOnce: [mslo32.exe] C:\WINDOWS\system32\mslo32.exe
O4 - HKLM\..\RunOnce: [ieol32.exe] C:\WINDOWS\ieol32.exe
O4 - HKLM\..\RunOnce: [winhm.exe] C:\WINDOWS\winhm.exe
O4 - HKLM\..\RunOnce: [netqv.exe] C:\WINDOWS\system32\netqv.exe
O4 - HKLM\..\RunOnce: [ipnq32.exe] C:\WINDOWS\system32\ipnq32.exe
O4 - HKLM\..\RunOnce: [sdkug32.exe] C:\WINDOWS\system32\sdkug32.exe
O4 - HKLM\..\RunOnce: [mfcuj.exe] C:\WINDOWS\system32\mfcuj.exe
O4 - HKLM\..\RunOnce: [apprh.exe] C:\WINDOWS\system32\apprh.exe
O4 - HKLM\..\RunOnce: [ntbn.exe] C:\WINDOWS\ntbn.exe
O4 - HKLM\..\RunOnce: [sysya.exe] C:\WINDOWS\sysya.exe
O4 - HKLM\..\RunOnce: [ipmx32.exe] C:\WINDOWS\ipmx32.exe
O4 - HKLM\..\RunOnce: [d3mw.exe] C:\WINDOWS\system32\d3mw.exe
O4 - HKLM\..\RunOnce: [iesb32.exe] C:\WINDOWS\iesb32.exe
O4 - HKLM\..\RunOnce: [sdkua32.exe] C:\WINDOWS\system32\sdkua32.exe
O4 - HKLM\..\RunOnce: [mfcsf.exe] C:\WINDOWS\system32\mfcsf.exe
O4 - HKLM\..\RunOnce: [crbo.exe] C:\WINDOWS\crbo.exe
O4 - HKLM\..\RunOnce: [d3pb32.exe] C:\WINDOWS\system32\d3pb32.exe
O4 - HKLM\..\RunOnce: [ipxz.exe] C:\WINDOWS\system32\ipxz.exe
O4 - HKLM\..\RunOnce: [sdktr.exe] C:\WINDOWS\system32\sdktr.exe
O4 - HKLM\..\RunOnce: [sysca.exe] C:\WINDOWS\sysca.exe
O4 - HKLM\..\RunOnce: [winky32.exe] C:\WINDOWS\winky32.exe
O4 - HKLM\..\RunOnce: [mfcok.exe] C:\WINDOWS\system32\mfcok.exe
O4 - HKLM\..\RunOnce: [msjd.exe] C:\WINDOWS\system32\msjd.exe
O4 - HKLM\..\RunOnce: [sdkbk32.exe] C:\WINDOWS\sdkbk32.exe
O4 - HKLM\..\RunOnce: [apioc32.exe] C:\WINDOWS\system32\apioc32.exe
O4 - HKLM\..\RunOnce: [ipcp32.exe] C:\WINDOWS\system32\ipcp32.exe
O4 - HKLM\..\RunOnce: [msiu32.exe] C:\WINDOWS\system32\msiu32.exe
O4 - HKLM\..\RunOnce: [apiql32.exe] C:\WINDOWS\system32\apiql32.exe
O4 - HKLM\..\RunOnce: [javaoq.exe] C:\WINDOWS\javaoq.exe
O4 - HKLM\..\RunOnce: [mfcoe.exe] C:\WINDOWS\mfcoe.exe
O4 - HKLM\..\RunOnce: [mfcwu32.exe] C:\WINDOWS\system32\mfcwu32.exe
O4 - HKLM\..\RunOnce: [addao32.exe] C:\WINDOWS\addao32.exe
O4 - HKLM\..\RunOnce: [apina.exe] C:\WINDOWS\system32\apina.exe
O4 - HKLM\..\RunOnce: [ntmw.exe] C:\WINDOWS\ntmw.exe
O4 - HKLM\..\RunOnce: [mskl.exe] C:\WINDOWS\mskl.exe
O4 - HKLM\..\RunOnce: [sdkcc32.exe] C:\WINDOWS\sdkcc32.exe
O4 - HKLM\..\RunOnce: [ipmd32.exe] C:\WINDOWS\ipmd32.exe
O4 - HKLM\..\RunOnce: [winut.exe] C:\WINDOWS\winut.exe
O4 - HKLM\..\RunOnce: [syspn.exe] C:\WINDOWS\system32\syspn.exe
O4 - HKLM\..\RunOnce: [apiht32.exe] C:\WINDOWS\system32\apiht32.exe
O4 - HKLM\..\RunOnce: [mfcey.exe] C:\WINDOWS\system32\mfcey.exe
O4 - HKLM\..\RunOnce: [crtl.exe] C:\WINDOWS\crtl.exe
O4 - HKLM\..\RunOnce: [d3gq32.exe] C:\WINDOWS\d3gq32.exe
O4 - HKLM\..\RunOnce: [sysfo.exe] C:\WINDOWS\sysfo.exe
O4 - HKLM\..\RunOnce: [apisy.exe] C:\WINDOWS\system32\apisy.exe
O4 - HKLM\..\RunOnce: [ntws32.exe] C:\WINDOWS\ntws32.exe
O4 - HKLM\..\RunOnce: [appyt.exe] C:\WINDOWS\appyt.exe
O4 - HKLM\..\RunOnce: [syswh32.exe] C:\WINDOWS\system32\syswh32.exe
O4 - HKLM\..\RunOnce: [mfcum32.exe] C:\WINDOWS\mfcum32.exe
O4 - HKLM\..\RunOnce: [mfcjh.exe] C:\WINDOWS\system32\mfcjh.exe
O4 - HKLM\..\RunOnce: [netci32.exe] C:\WINDOWS\netci32.exe
O4 - HKLM\..\RunOnce: [netqn.exe] C:\WINDOWS\system32\netqn.exe
O4 - HKLM\..\RunOnce: [mfcxq.exe] C:\WINDOWS\system32\mfcxq.exe
O4 - HKLM\..\RunOnce: [winww32.exe] C:\WINDOWS\system32\winww32.exe
O4 - HKLM\..\RunOnce: [appsh32.exe] C:\WINDOWS\system32\appsh32.exe
O4 - HKLM\..\RunOnce: [sdkui.exe] C:\WINDOWS\sdkui.exe
O4 - HKLM\..\RunOnce: [ietw32.exe] C:\WINDOWS\ietw32.exe
O4 - HKLM\..\RunOnce: [javajl32.exe] C:\WINDOWS\system32\javajl32.exe
O4 - HKLM\..\RunOnce: [msij32.exe] C:\WINDOWS\msij32.exe
O4 - HKLM\..\RunOnce: [sysvv32.exe] C:\WINDOWS\sysvv32.exe
O4 - HKLM\..\RunOnce: [sysem.exe] C:\WINDOWS\sysem.exe
O4 - HKLM\..\RunOnce: [addaw.exe] C:\WINDOWS\addaw.exe
O4 - HKLM\..\RunOnce: [d3tf.exe] C:\WINDOWS\d3tf.exe
O4 - HKLM\..\RunOnce: [netsv32.exe] C:\WINDOWS\system32\netsv32.exe
O4 - HKLM\..\RunOnce: [ipvu32.exe] C:\WINDOWS\system32\ipvu32.exe
O4 - HKLM\..\RunOnce: [appow.exe] C:\WINDOWS\appow.exe
O4 - HKLM\..\RunOnce: [netmt32.exe] C:\WINDOWS\netmt32.exe
O4 - HKLM\..\RunOnce: [atlqv.exe] C:\WINDOWS\system32\atlqv.exe
O4 - HKLM\..\RunOnce: [apiwz.exe] C:\WINDOWS\system32\apiwz.exe
O4 - HKLM\..\RunOnce: [sysvp32.exe] C:\WINDOWS\system32\sysvp32.exe
O4 - HKLM\..\RunOnce: [ipdf32.exe] C:\WINDOWS\system32\ipdf32.exe
O4 - HKLM\..\RunOnce: [ntaq32.exe] C:\WINDOWS\ntaq32.exe
O4 - HKLM\..\RunOnce: [d3sz32.exe] C:\WINDOWS\system32\d3sz32.exe
O4 - HKLM\..\RunOnce: [d3bh.exe] C:\WINDOWS\d3bh.exe
O4 - HKLM\..\RunOnce: [apihm32.exe] C:\WINDOWS\system32\apihm32.exe
O4 - HKLM\..\RunOnce: [addue32.exe] C:\WINDOWS\system32\addue32.exe
O4 - HKLM\..\RunOnce: [atlnf.exe] C:\WINDOWS\system32\atlnf.exe
O4 - HKLM\..\RunOnce: [d3hz.exe] C:\WINDOWS\d3hz.exe
O4 - HKLM\..\RunOnce: [appee32.exe] C:\WINDOWS\system32\appee32.exe
O4 - HKLM\..\RunOnce: [mfcek.exe] C:\WINDOWS\mfcek.exe
O4 - HKLM\..\RunOnce: [ntwk32.exe] C:\WINDOWS\system32\ntwk32.exe
O4 - HKLM\..\RunOnce: [winiw32.exe] C:\WINDOWS\winiw32.exe
O4 - HKLM\..\RunOnce: [iegt32.exe] C:\WINDOWS\iegt32.exe
O4 - HKLM\..\RunOnce: [ntzm32.exe] C:\WINDOWS\system32\ntzm32.exe
O4 - HKLM\..\RunOnce: [addzc.exe] C:\WINDOWS\addzc.exe
O4 - HKLM\..\RunOnce: [apisb.exe] C:\WINDOWS\apisb.exe
O4 - HKLM\..\RunOnce: [javaur32.exe] C:\WINDOWS\system32\javaur32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msab.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

Crunchie

Wowsers Penny, . Where do you want to go from here? Keep going this way, or a reformat?
I don't understand why the normal removal tools did not do anything. You definitely ran them all in safe mod, didn't you??

piojis76

huh?? ummmm, haha...what would a reformat do exactly, and is it complicated for the technically challenged?? hey, if you're willing to lead, i'm willing to follow; so lead away! cyn

Crunchie

I have to say that a reformat would definitely fix it, but I am not the best person to lead you . I do not use XP and am not familiar with it at all.

I would like you to try something else though in the meantime.

Can you run HSRemove again, in safe mode. Also in safe mode run the sp.hml fix that you will download after reading this .

HSRemove - http://www.majorgeeks.com/HSRemove_d4286.html
Sp.html-Se.dll Hijack Fix - http://www.majorgeeks.com/Sp.html-S...00XP_d4617.html

Boot back into normal and show me a clean log, pleeeeeeeeeeeeeease.

piojis76

ok...i did all of the above...as for the Sp.html-Se.dll Hijack Fix, i downloaded the program, and in safe mode (after having run the hsremove), opened the zipped file, dragged the exe onto the desktop, then double clicked on it, and click on something like, clean and fix, or something to that effect. it seemed to not do anything, then i checked the box that says, log, and it says that nothing was found...rebooted, and this is the new log:


Logfile of HijackThis v1.99.1
Scan saved at 4:26:55 AM, on 7/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\msdv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111216~1\EE\AOLServiceHost.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Downloaded programs\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.msn.com
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Class - {401249DD-FC9A-788E-2A42-6F9CF15DDAD5} - C:\WINDOWS\apppb32.dll
O2 - BHO: Class - {8499E75E-1EBB-BCDC-0322-32C871231766} - C:\WINDOWS\msdv.dll
O2 - BHO: Class - {967C12E3-4C8C-1DEE-C47A-331C94FA3713} - C:\WINDOWS\ntix32.dll
O2 - BHO: Class - {C24DF449-6E92-EE5A-3AB6-7339624FBDA9} - C:\WINDOWS\ntac32.dll
O2 - BHO: Class - {FD00640A-25C5-1166-CC13-F7669822B594} - C:\WINDOWS\system32\atlhg32.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iezt.exe] C:\WINDOWS\system32\iezt.exe
O4 - HKLM\..\Run: [msdv.exe] C:\WINDOWS\msdv.exe
O4 - HKLM\..\RunOnce: [ntug.exe] C:\WINDOWS\system32\ntug.exe
O4 - HKLM\..\RunOnce: [sysya.exe] C:\WINDOWS\sysya.exe
O4 - HKLM\..\RunOnce: [crbo.exe] C:\WINDOWS\crbo.exe
O4 - HKLM\..\RunOnce: [javaoq.exe] C:\WINDOWS\javaoq.exe
O4 - HKLM\..\RunOnce: [systh32.exe] C:\WINDOWS\system32\systh32.exe
O4 - HKLM\..\RunOnce: [ieic.exe] C:\WINDOWS\ieic.exe
O4 - HKLM\..\RunOnce: [sysct32.exe] C:\WINDOWS\system32\sysct32.exe
O4 - HKLM\..\RunOnce: [crmd.exe] C:\WINDOWS\system32\crmd.exe
O4 - HKLM\..\RunOnce: [ntrw32.exe] C:\WINDOWS\system32\ntrw32.exe
O4 - HKLM\..\RunOnce: [appvs32.exe] C:\WINDOWS\system32\appvs32.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt3_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkId=39204&clcid=0x409
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-24.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://aolsvc.aol.com/onlinegames/bejeweled2/popcaploader_v7.cab
O16 - DPF: {FC6FA170-A89D-4AC7-A198-34E279960EBA} (PhotosCtrlMX Class) - http://mx.photos.groups.yahoo.com/ocx/mx/yexplorer1_9mx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\msab.exe" /s (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe


as for the reformat, would you know with whom i can speak with re: this? or maybe a web site that can sort of guide me on how to do this?? thanks!!!!

Crunchie

A good tutorial is here http://www.resnet.uni.edu/docs/reformatxp.html

Or we can persevere with cleaning this up . I don't like quitting.

piojis76

hello crunchie!! sorry i've taken so long to respond, but as you can probably imagine, i opted for the 'faster route' via reformatting and reinstalling. little did i know, that um, uh, haha, i had the drivers already installed, and well, i kind of sort of deleted them, and well...haha, installing xp was no problem, but then since there were no drivers, i couldn't find an internet connection....needless to say, i finally had to go back to my old pc (the one i'm using now), while i wait for dell to send me the drivers, etc... :shakehead that's what i get for wanting an easy fix, no? hehehe.....BUT, however, thank you sooo very much for all that you helped me with, and for being super patient, even those times where i seemed less than clueless!! . i don't suppose your a whiz at retreiving saved pictures from the hard drive after windows xp has been reinstalled?? haha (this is on this old computer)...i don't even think it's possible. anyhow...i'll keep you posted as soon as i get the drivers, to see if it infact is all gone, etc...THANKS again!! cynthia

Crunchie

Hi again. Reformatting the HD will erase everything on there, so unless the pictures were saved to another partition, they are gone .

You are welcome Cynthia