lsass.exe amongst other things...
hi there
I wonder if anyone could help - I stupidly recently clicked on an .exe file I shouldn't have from an untrusted site and bang, my computer goes all over the place. I managed to run Ad-Aware and Spybot, both of which managed to delete a lot of problems, but there still remain odd happenings with my browser in particular. Also, I have a new folder in My Documents that contains "lsass.exe". When I looked at the system processes in the task manager, this lsass.exe seems to be using the majority of my computer's power and I don't know what it's doing. It won't let me uninstall, delete or remove it by any ways that I know of. This is my HJT log.....
Logfile of HijackThis v1.99.1
Scan saved at 11:07:37 pm, on 05/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\hidserv.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\MsgSys.EXE
E:\WINNT\system32\UMonit2k.exe
E:\Program Files\NavNT\vptray.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\WINNT\Mixer.exe
E:\WINNT\system32\hkcmd.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\WINNT\system32\carpserv.exe
E:\WINNT\vsnpstd.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\DOCUME~1\ADMINI~1\APPLIC~1\CROSOF~1\mmc.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINNT\system32\monitorbk.exe
E:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\LASS~1.EXE
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 127.0.0.41 active-max.com
O1 - Hosts: 127.0.0.238 www.active-max.com
O1 - Hosts: 127.0.0.84 allaboutsearching.com
O1 - Hosts: 127.0.0.230 amazingautossearch.com
O1 - Hosts: 127.0.0.48 www.amazingautossearch.com
O1 - Hosts: 127.0.0.38 www.contexualsearch.com
O1 - Hosts: 127.0.0.80 crap2.com
O1 - Hosts: 127.0.0.205 www.dialup2.com
O1 - Hosts: 127.0.0.63 www.ecpm.com
O1 - Hosts: 127.0.0.55 find-quick.com
O1 - Hosts: 127.0.0.237 www.find-quick.com
O1 - Hosts: 127.0.0.201 lop.com
O1 - Hosts: 127.0.0.4 ao.lop.com
O1 - Hosts: 127.0.0.92 srch.lop.com
O1 - Hosts: 127.0.0.38 www.lop2.com
O1 - Hosts: 127.0.0.83 search200.com
O1 - Hosts: 127.0.0.39 www.mysearchnow.com
O1 - Hosts: 127.0.0.91 www.netsearchsoft.com
O1 - Hosts: 127.0.0.242 www.rub.to
O1 - Hosts: 127.0.0.80 searchexe.com
O1 - Hosts: 127.0.0.92 www.searchweb2.com
O1 - Hosts: 127.0.0.91 www.spawnet.com
O1 - Hosts: 127.0.0.59 tdmy.com
O1 - Hosts: 127.0.0.212 www.tfil.com
O1 - Hosts: 127.0.0.245 www.tdko.com
O1 - Hosts: 127.0.0.225 wrn.net
O1 - Hosts: 127.0.0.87 www.wrn.net
O1 - Hosts: 127.0.0.89 www.mp3search.com
O1 - Hosts: 127.0.0.97 www.lyricsdomain.com
O1 - Hosts: 127.0.0.241 omega-search.com
O1 - Hosts: 127.0.0.92 www.omega-search.com
O1 - Hosts: 127.0.0.72 trinityacquisitions.com
O1 - Hosts: 127.0.0.36 www.trinityacquisitions.com
O1 - Hosts: 127.0.0.253 wethere.com
O1 - Hosts: 127.0.0.88 asearchforyou.org
O1 - Hosts: 127.0.0.37 www.asearchforyou.org
O1 - Hosts: 127.0.0.24 intelesearch.com
O1 - Hosts: 127.0.0.205 www.intelesearch.com
O1 - Hosts: 127.0.0.83 www.isearchhere.com
O1 - Hosts: 127.0.0.80 www.iwantosearch.com
O1 - Hosts: 127.0.0.236 opensearch.org
O1 - Hosts: 127.0.0.7 searchbee.net
O1 - Hosts: 127.0.0.227 searchhotsex.com
O1 - Hosts: 127.0.0.50 www.searchhotsex.com
O1 - Hosts: 127.0.0.221 ifsearch.com
O1 - Hosts: 127.0.0.35 www.ifsearch.com
O1 - Hosts: 127.0.0.203 mastersearcher.com
O1 - Hosts: 127.0.0.40 look-today.com
O1 - Hosts: 127.0.0.250 aavc.com
O1 - Hosts: 127.0.0.247 www.aavc.com
O1 - Hosts: 127.0.0.56 acjp.com
O1 - Hosts: 127.0.0.86 www.acjp.com
O1 - Hosts: 127.0.0.225 www.ecmh.com
O1 - Hosts: 127.0.0.34 wabu.com
O1 - Hosts: 127.0.0.59 wabq.com
O1 - Hosts: 127.0.0.97 maximumexperience.com
O1 - Hosts: 127.0.0.27 www.maximumexperience.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Gene USB Monitor] E:\WINNT\system32\UMonit2k.exe
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IgfxTray] E:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WinAmpBar] "E:\Program Files\WinAmpBar\WinAmpBar.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [snpstd] E:\WINNT\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] E:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [Uihw] "E:\DOCUME~1\ADMINI~1\APPLIC~1\CROSOF~1\mmc.exe" -vt yax
O4 - HKCU\..\Run: [Xez] E:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\LASS~1.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = E:\WINNT\system32\monitorbk.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = E:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O15 - Trusted Zone: www.suprnova.org
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://www.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28bc7f1c9aeb093e2d01/netzip/RdxIE601.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O20 - AppInit_DLLs: E:\WINNT\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - E:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: winxkp32 - E:\WINNT\SYSTEM32\winxkp32.dll
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINNT\system32\ZONELABS\vsmon.exe
It seems to have lots of weird searching stuff in it, none of which I want. Can anyone help!!!!???!!!
Thanks very much in advance. I have used this site once before, a couple of years ago, and the guys were fantastic. Been folding ever since!
Cheers
Rich
Comments
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
R3 - Default URLSearchHook is missing
O1 - Hosts: 127.0.0.41 active-max.com
O1 - Hosts: 127.0.0.238 www.active-max.com
O1 - Hosts: 127.0.0.84 allaboutsearching.com
O1 - Hosts: 127.0.0.230 amazingautossearch.com
O1 - Hosts: 127.0.0.48 www.amazingautossearch.com
O1 - Hosts: 127.0.0.38 www.contexualsearch.com
O1 - Hosts: 127.0.0.80 crap2.com
O1 - Hosts: 127.0.0.205 www.dialup2.com
O1 - Hosts: 127.0.0.63 www.ecpm.com
O1 - Hosts: 127.0.0.55 find-quick.com
O1 - Hosts: 127.0.0.237 www.find-quick.com
O1 - Hosts: 127.0.0.201 lop.com
O1 - Hosts: 127.0.0.4 ao.lop.com
O1 - Hosts: 127.0.0.92 srch.lop.com
O1 - Hosts: 127.0.0.38 www.lop2.com
O1 - Hosts: 127.0.0.83 search200.com
O1 - Hosts: 127.0.0.39 www.mysearchnow.com
O1 - Hosts: 127.0.0.91 www.netsearchsoft.com
O1 - Hosts: 127.0.0.242 www.rub.to
O1 - Hosts: 127.0.0.80 searchexe.com
O1 - Hosts: 127.0.0.92 www.searchweb2.com
O1 - Hosts: 127.0.0.91 www.spawnet.com
O1 - Hosts: 127.0.0.59 tdmy.com
O1 - Hosts: 127.0.0.212 www.tfil.com
O1 - Hosts: 127.0.0.245 www.tdko.com
O1 - Hosts: 127.0.0.225 wrn.net
O1 - Hosts: 127.0.0.87 www.wrn.net
O1 - Hosts: 127.0.0.89 www.mp3search.com
O1 - Hosts: 127.0.0.97 www.lyricsdomain.com
O1 - Hosts: 127.0.0.241 omega-search.com
O1 - Hosts: 127.0.0.92 www.omega-search.com
O1 - Hosts: 127.0.0.72 trinityacquisitions.com
O1 - Hosts: 127.0.0.36 www.trinityacquisitions.com
O1 - Hosts: 127.0.0.253 wethere.com
O1 - Hosts: 127.0.0.88 asearchforyou.org
O1 - Hosts: 127.0.0.37 www.asearchforyou.org
O1 - Hosts: 127.0.0.24 intelesearch.com
O1 - Hosts: 127.0.0.205 www.intelesearch.com
O1 - Hosts: 127.0.0.83 www.isearchhere.com
O1 - Hosts: 127.0.0.80 www.iwantosearch.com
O1 - Hosts: 127.0.0.236 opensearch.org
O1 - Hosts: 127.0.0.7 searchbee.net
O1 - Hosts: 127.0.0.227 searchhotsex.com
O1 - Hosts: 127.0.0.50 www.searchhotsex.com
O1 - Hosts: 127.0.0.221 ifsearch.com
O1 - Hosts: 127.0.0.35 www.ifsearch.com
O1 - Hosts: 127.0.0.203 mastersearcher.com
O1 - Hosts: 127.0.0.40 look-today.com
O1 - Hosts: 127.0.0.250 aavc.com
O1 - Hosts: 127.0.0.247 www.aavc.com
O1 - Hosts: 127.0.0.56 acjp.com
O1 - Hosts: 127.0.0.86 www.acjp.com
O1 - Hosts: 127.0.0.225 www.ecmh.com
O1 - Hosts: 127.0.0.34 wabu.com
O1 - Hosts: 127.0.0.59 wabq.com
O1 - Hosts: 127.0.0.97 maximumexperience.com
O1 - Hosts: 127.0.0.27 www.maximumexperience.com
O4 - HKCU\..\Run: [Uihw] "E:\DOCUME~1\ADMINI~1\APPLIC~1\CROSOF~1\mmc.exe" -vt yax
O4 - HKCU\..\Run: [Xez] E:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\LASS~1.EXE
O15 - Trusted Zone: www.suprnova.org
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/28bc7f1c...p/RdxIE601.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1162
Close all other windows and press "Fix Checked". Then close HijackThis and restart the computer.
I found this file pretty suspicious, please locate it:
E:\WINNT\system32\scanregw.dll
Right-click on it and choose "Properties", then click on the "Version" tab at the top. Click on "Comments", "Company", "File Version", and "Internal Name" and please post whatever the text in the box immediately to the right says for each.
Please do the same for:
E:\WINNT\SYSTEM32\nwprovau.dll
E:\WINNT\SYSTEM32\winxkp32.dll
Please post these in your next reply:
1) A new HijackThis log
2) File properties of the three suspicious files
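The helper's reply above picks the lines worth fixing out of a long log by hand. The script below, an added example that is not part of this thread and not HijackThis code, does the same kind of first-pass triage over a constructed sample of HJT-style lines mirroring the ones Rich posted: it flags IE start/search pages pointing anywhere but an analyst-supplied allowlist, every O1 hosts-file override, O4 startup items that run from a user profile directory or that borrow a system process name outside system32, O15 Trusted Zone additions, O16 ActiveX downloads with no registered class name, and O20 AppInit_DLLs or unfamiliar Winlogon Notify packages. The allowlists (`ALLOWED_BROWSER_TARGETS`, `KNOWN_WINLOGON_NOTIFY`), the lookalike list and the extra `E:\WINNT\svchost.exe` sample line are assumptions made for the example.

```python
"""Triage a HijackThis 1.99.1-style log: flag entries worth a second look.

Added example for this thread; not HijackThis code and not the helper's own
tooling. The heuristics and allow-lists are assumptions an analyst would tune,
and SAMPLE_LOG is constructed to mirror the kinds of entries posted above.
"""
import re

# Process names malware commonly imitates; the real ones live in system32,
# so a copy anywhere else deserves attention.
SYSTEM_LOOKALIKES = {"lsass.exe", "svchost.exe", "csrss.exe", "services.exe",
                     "winlogon.exe", "smss.exe"}
# Per-user profile fragments (long and 8.3 short forms) that a startup entry
# should not normally execute from.
PROFILE_MARKERS = ("documents and settings", "docume~1", "applic~1", "mydocu~1")
# Start/search pages the machine's owner actually chose (assumption).
ALLOWED_BROWSER_TARGETS = {"news.bbc.co.uk"}
# Winlogon Notify packages expected on this box (assumption: NavLogon from the
# Norton install, nwprovau from the NetWare client).
KNOWN_WINLOGON_NOTIFY = {"navlogon", "nwprovau"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.*)$")
PATH_RE = re.compile(r'"?([A-Za-z]:\\[^"]+?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


def parse_line(line):
    """Split an HJT entry into its section code (R1, O4, ...) and body."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"section": m.group("section"), "body": m.group("body"), "raw": line.strip()}


def _hostname(value):
    v = re.sub(r"^https?://", "", value.strip().lower())
    return v.split("/")[0]


def _exe_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(entry):
    """Return a reason string if the entry deserves attention, else None."""
    sec, body = entry["section"], entry["body"]
    low = body.lower()
    if sec in ("R0", "R1"):
        target = _hostname(body.split("=", 1)[1]) if "=" in body else ""
        if target and target not in ALLOWED_BROWSER_TARGETS:
            return f"browser start/search page points at {target}"
    elif sec == "O1":
        # A clean hosts file only maps localhost; anything else redirects lookups.
        return "hosts file override (redirects a domain to a loopback address)"
    elif sec == "O4":
        m = PATH_RE.search(body)
        if m:
            path = m.group(1)
            if any(marker in path.lower() for marker in PROFILE_MARKERS):
                return f"startup item runs from a user profile directory: {path}"
            if _exe_name(path) in SYSTEM_LOOKALIKES and "\\system32\\" not in path.lower():
                return f"startup item named like a system process but outside system32: {path}"
    elif sec == "O15":
        return "site added to the Trusted Zone (relaxed IE security for that site)"
    elif sec == "O16":
        if not re.search(r"\}\s+\([^)]+\)\s+-", body):
            return "ActiveX download (DPF) entry with no registered class name"
    elif sec == "O20":
        if low.startswith("appinit_dlls:"):
            return "AppInit_DLLs is populated (DLL loaded into every GUI process)"
        m = re.match(r"winlogon notify:\s*(\S+)", low)
        if m and m.group(1) not in KNOWN_WINLOGON_NOTIFY:
            return f"unrecognised Winlogon Notify package: {m.group(1)}"
    return None


def triage(log_text):
    """Return [(raw_line, reason)] for every flagged entry, in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            reason = classify(entry)
            if reason:
                findings.append((entry["raw"], reason))
    return findings


# Constructed sample: lines modelled on the thread plus one made-up lookalike.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O1 - Hosts: 127.0.0.201 lop.com
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Xez] E:\DOCUME~1\ADMINI~1\MYDOCU~1\WNSXS~1\LASS~1.EXE
O4 - HKLM\..\Run: [svchost] E:\WINNT\svchost.exe
O15 - Trusted Zone: www.suprnova.org
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1162
O20 - AppInit_DLLs: E:\WINNT\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winxkp32 - E:\WINNT\SYSTEM32\winxkp32.dll
"""

if __name__ == "__main__":
    for raw, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {raw}")
```

Run it as a script to print each finding with its reason. A flagged line is a starting point for the file-properties check the helper asks for, not a verdict on its own; the three O20 DLLs in particular only stand out because they are not on the expected list.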
Logfile of HijackThis v1.99.1
Scan saved at 10:34:43 pm, on 06/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\hidserv.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\MsgSys.EXE
E:\WINNT\system32\UMonit2k.exe
E:\Program Files\NavNT\vptray.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\WINNT\Mixer.exe
E:\WINNT\system32\hkcmd.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\WINNT\system32\carpserv.exe
E:\WINNT\vsnpstd.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINNT\system32\monitorbk.exe
E:\Program Files\Folding@Home\winfah.exe
E:\Program Files\Folding@Home\FahCore_65.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Gene USB Monitor] E:\WINNT\system32\UMonit2k.exe
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IgfxTray] E:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WinAmpBar] "E:\Program Files\WinAmpBar\WinAmpBar.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [snpstd] E:\WINNT\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] E:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Folding@Home 5.02.lnk = E:\Program Files\Folding@Home\winfah.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = E:\WINNT\system32\monitorbk.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = E:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://www.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O20 - AppInit_DLLs: E:\WINNT\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - E:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: winxkp32 - E:\WINNT\SYSTEM32\winxkp32.dll
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINNT\system32\ZONELABS\vsmon.exe
I found the three suspicious files you highlighted:
E:\WINNT\system32\scanregw.dll
When I click on the properties, it only gives a "General" tab and not a "Version" tab, so I can't give you any of that information.
E:\WINNT\SYSTEM32\winxkp32.dll
Same with this one.
E:\WINNT\SYSTEM32\nwprovau.dll
Description: Client Service for NetWare Provider and Authentication Package DLL
Company Name: Microsoft Corporation
Internal Name: nwprovau.dll
Language: English (United States)
Original Filename: nwprovau.dll
Product Name: Microsoft(R) Windows (R) 2000 Operating System
Product Version: 5.00.2195.6610
Thanks a lot.
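The checks being walked through here (which O20 load points are worth a second look, which DLLs have gone, and whether a core system binary such as lsass.exe is running from somewhere it never should) can be applied to HijackThis-format log lines mechanically. The script below is an added example written for this thread; it is not HijackThis code and not something the helper posted. It assumes Windows is installed on E:\WINNT, as the logs show, and the sample log is constructed from lines in this thread plus a second lsass.exe under My Documents\Winsys, the path being assumed from the poster's description of that folder.

```python
"""Triage of HijackThis-format log lines (added example, not part of this
thread and not HijackThis code).

It automates three checks the thread turns on:
  * a process whose file name is that of a core Windows binary but which runs
    from outside %SystemRoot%\\system32 (a second lsass.exe under My Documents);
  * any AppInit_DLLs entry (O20): a DLL loaded into every GUI process, a load
    point that is normally empty on a home PC;
  * Winlogon Notify and BHO entries whose DLL HijackThis reports as
    "(file missing)": orphaned registry load points left behind after a delete.
"""
import re
from typing import Dict, List

# Core system binaries that legitimately run only from the system directory.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe"}

# Assumption: Windows is installed on E:\WINNT, as the thread's logs show.
SYSTEM_ROOT = r"E:\WINNT"

HJT_ENTRY = re.compile(r"^[A-Z]\d+ - ")          # R0 -, F2 -, O4 -, O20 - ...
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs:\s*(.+)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify:\s*(\S+)\s+-\s+(.+)$")
O2_BHO = re.compile(r"^O2 - BHO:\s*(.+?)\s+-\s+(\{[0-9A-Fa-f-]+\})\s+-\s+(.+)$")


def in_system32(path: str) -> bool:
    """True when `path` lies under %SystemRoot%\\system32 (case-insensitive)."""
    return path.lower().startswith((SYSTEM_ROOT + "\\system32\\").lower())


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Return findings (severity, kind, item) for the suspicious lines of a HijackThis log."""
    findings: List[Dict[str, str]] = []
    in_processes = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes and HJT_ENTRY.match(line):
            in_processes = False        # the first R/F/O entry ends the process list
        if in_processes:
            exe = line.rsplit("\\", 1)[-1].lower()
            if exe in CORE_SYSTEM_BINARIES and not in_system32(line):
                findings.append({"severity": "high", "kind": "masquerading process", "item": line})
            continue
        m = O20_APPINIT.match(line)
        if m:
            findings.append({"severity": "high", "kind": "AppInit_DLLs load point", "item": m.group(1)})
            continue
        m = O20_NOTIFY.match(line)
        if m:
            name, dll = m.groups()
            if dll.endswith("(file missing)"):
                findings.append({"severity": "low", "kind": "orphaned Winlogon Notify", "item": name})
            continue
        m = O2_BHO.match(line)
        if m and m.group(3).endswith("(file missing)"):
            findings.append({"severity": "low", "kind": "orphaned BHO", "item": m.group(2)})
    return findings


# Constructed sample: lines taken from this thread's logs, plus the second
# lsass.exe in My Documents\Winsys that the poster describes (path assumed).
SAMPLE_LOG = r"""
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\Program Files\NavNT\vptray.exe
E:\Documents and Settings\Administrator\My Documents\Winsys\lsass.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E53AEEAF-168C-4526-B727-2E5935E2E83E} - E:\WINNT\system32\nnljh.dll (file missing)
O20 - AppInit_DLLs: E:\WINNT\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: winxkp32 - winxkp32.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']:<4}] {f['kind']}: {f['item']}")
```

The real lsass.exe in E:\WINNT\system32 is left alone; only the copy under the user profile is reported, which is the distinction that matters when a log shows the same name twice. Orphaned entries are rated low because the DLL is already gone; they still need the registry value removed, which is what "Fix Checked" in HijackThis does.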
E:\WINNT\system32\scanregw.dll
Then click Submit. Allow the file to be scanned, and then please copy and paste the results here.
Do the same for E:\WINNT\SYSTEM32\winxkp32.dll
Thank you.
File: scanregw.dll
Status: INFECTED/MALWARE
MD5 64161b46092184b2b85bb14e25582223
Packers detected: -
Scanner results
AntiVir Found Adware-Spyware/PurityScan.EN.1 adware
ArcaVir Found Trojan.Bho.Agent.Jha
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found Adware.ClickSpring
F-Prot Antivirus Found nothing
Fortinet Found Adware/PurityScan
Kaspersky Anti-Virus Found not-a-virus:AdWare.Win32.PurityScan.en
NOD32 Found nothing
Norman Virus Control Found W32/PurityScan.YM
UNA Found nothing
VirusBuster Found nothing
VBA32 Found AdWare.Win32.PurityScan.en
File: winxkp32.dll
Status: INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 f01e608f90b7cb5cbff3c94e53cfd779
Packers detected: NSPACK
Scanner results
AntiVir Found nothing
ArcaVir Found Trojan.Agent.Qt
Avast Found Win32:Trojano-BJ
AVG Antivirus Found BackDoor.Generic2.XNE
BitDefender Found Trojan.Agent.NS
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found BDoor.CVT!tr.bdr
Kaspersky Anti-Virus Found Trojan.Win32.Agent.qt
NOD32 Found Win32/TrojanDownloader.Small.CML
Norman Virus Control Found W32/Agent.ADEX
UNA Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Win32.Agent.qt
They look a bit dodgy... should I just delete them, or do they need to be removed a different way?
Thanks again.
Now delete these two files:
E:\WINNT\system32\scanregw.dll
E:\WINNT\SYSTEM32\winxkp32.dll
After the deletions, click Start again. Open My Computer. Select the Tools menu and click Folder Options. Select the View tab. Under the Hidden files and folders heading select Do not show hidden files and folders. Recheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
Now restart the computer. Upon reboot, rescan with HijackThis and post the new log in your next reply.
scanregw.dll - "Cannot delete scanregw: The specified file is being used by Windows"
winxkp32.dll - "Cannot delete winxkp32: Access is denied. The source file may be in use"
I closed down all programs and things running in the system tray and tried again, but still got the same messages.
Er?
Please boot into safe mode by restarting your computer. As the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
Once in safe mode, attempt to delete the following two files again:
E:\WINNT\system32\scanregw.dll
E:\WINNT\SYSTEM32\winxkp32.dll
After the file deletions, you can boot back to normal mode by restarting the computer.
Download Avenger from here:
http://swandog46.geekstogo.com/
Open the program. Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, paste this:
Files to delete:
E:\WINNT\system32\scanregw.dll
E:\WINNT\SYSTEM32\winxkp32.dll
and click 'Done'
Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC.
Post the Avenger output.txt, which you can find at C:\Avenger\.txt
I followed your instructions and Avenger seemed to do the trick of deleting those files. I had cut the .txt output file, but then noticed a strange-looking webpage in my Internet history (www.winantivirus.com) and clicked on it, and then the computer went nuts opening about 6000 Internet Explorer windows before I could pull the plug out.
So I lost the .txt file, sorry.
On restart it seems to be OK, but it has lost the "Active Desktop" - too nervous to try and restore it.
Also HijackThis won't run properly and keeps crashing when I run it. I have managed to get the following out of it, but I'm not sure if it's complete...
Logfile of HijackThis v1.99.1
Scan saved at 10:44:29 pm, on 19/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\hidserv.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\MsgSys.EXE
E:\WINNT\system32\UMonit2k.exe
E:\Program Files\NavNT\vptray.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\WINNT\Mixer.exe
E:\WINNT\system32\hkcmd.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\WINNT\system32\carpserv.exe
E:\WINNT\vsnpstd.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINNT\system32\monitorbk.exe
E:\WINNT\system32\wuauclt.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Gene USB Monitor] E:\WINNT\system32\UMonit2k.exe
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IgfxTray] E:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WinAmpBar] "E:\Program Files\WinAmpBar\WinAmpBar.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [snpstd] E:\WINNT\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] E:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Folding@Home 5.02.lnk = E:\Program Files\Folding@Home\winfah.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = E:\WINNT\system32\monitorbk.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = E:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://www.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O20 - AppInit_DLLs: E:\WINNT\system32\scanregw.dll
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINNT\system32\ZONELABS\vsmon.exe
thanks
- Close all instances of Outlook Express and Internet Explorer
- Go to Control Panel > Internet Options > General tab
- Click the "Delete Cookies" button
- Next to it, Click the "Delete Files" button
- When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (in case you also have Firefox installed):
- Go to Tools > Options.
- Click Privacy in the menu on the left side of the Options window.
- Click the Clear button located to the right of each option (History, Cookies, Cache). Alternatively, you can clear all information stored while browsing by clicking Clear All. A confirmation dialog box will be shown before clearing the information.
- Click OK to close the Options window.
* Clean other Temporary files + Recycle bin
Next run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
- In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
- When you get the Windows dialog asking if you want to install this software, click the "Install" button.
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
- Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.
KASPERSKY ON-LINE SCANNER REPORT
Sunday, June 25, 2006 12:29:56 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 25/06/2006
Kaspersky Anti-Virus database records: 202594
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 61267
Number of viruses found: 9
Number of infected objects: 25
Number of suspicious objects: 0
Duration of the scan process: 01:36:21
Infected Object Name / Virus Name / Last Action
E:\WINNT\system32\oins.exe Infected: Trojan-Downloader.Win32.PurityScan.cp skipped
E:\WINNT\system32\cbxwvwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bs skipped
E:\WINNT\Temp\win1E4.tmp.exe Infected: Trojan-Downloader.Win32.Small.cvw skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe NSIS: infected - 2 skipped
E:\Documents and Settings\Administrator\Application Data\Μіcrosoft\mmc.exe Infected: Trojan-Downloader.Win32.PurityScan.cn skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698110.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698116.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698121.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698127.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698132.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698274.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698278.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698284.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698289.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698294.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094698360.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\downloader.hc1094700076.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094700076.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094700076.dl_ Infected: Trojan-Downloader.Win32.Swizzor.fg skipped
E:\Program Files\OmegaKiller1[1].2\backup\file1094700085.ex_ Infected: not-a-virus:AdWare.Win32.Lop skipped
E:\avenger\backup.zip/avenger/scanregw.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
E:\avenger\backup.zip/avenger/winxkp32.dll Infected: Trojan.Win32.Agent.qt skipped
E:\avenger\backup.zip ZIP: infected - 2 skipped
Scan process completed.
There didn't seem to be a way to quarantine or get rid of these files with Kaspersky, so I'm not sure how to delete them.
Also, there is still a folder called Winsys containing an application called lsass.exe in my My Documents folder that looks a bit suspect. I am also still getting random pop-up internet explorer windows about winantiviruspro.
Thanks again....
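Reading a report like the one above by hand means separating three kinds of line: "Object is locked" entries (registry hives, event logs, index.dat files the scanner could not open, which are noise rather than detections), archive members reported once per embedded file, and the detections themselves. It also means spotting that the "Microsoft" folder under Application Data holding mmc.exe is not spelled with Latin letters: the report shows a Greek capital Mu and a Cyrillic i in place of "Mi", which is why the process list shows it with the short name CROSOF~1. The script below is an added example written for this thread, not Kaspersky's or the helper's code; its regular expressions are written against the line formats visible in the report above, and the sample report is constructed from lines of the two reports in this thread.

```python
"""Reduce a Kaspersky Online Scanner report to the files that still need action
(added example; not part of the thread and not Kaspersky code).

  * "Object is locked skipped" lines are registry hives, event logs and
    index.dat files the scanner could not open: noise, not detections;
  * archive members (container/data0002/...) are collapsed onto their
    container, so each file on disk is listed once with all its detections;
  * path components whose letters mix Unicode scripts are reported, because a
    folder named with a Greek Mu and a Cyrillic i instead of "Mi" is not the
    "Microsoft" folder it is dressed up as.
"""
import re
import unicodedata
from typing import Dict, List

# Line shapes as they appear in the thread's reports (assumed stable).
INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+\S+$")
LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")
ARCHIVE = re.compile(r"^(?P<path>.+?)\s+(NSIS|ZIP): infected - \d+\s+skipped$")


def script_of(ch: str) -> str:
    """Script family of a letter, taken from its Unicode name: LATIN, GREEK, CYRILLIC, ..."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"


def mixed_script_components(path: str) -> List[str]:
    """Path components whose letters come from more than one script (look-alike names)."""
    suspicious = []
    for component in path.split("\\"):
        scripts = {script_of(c) for c in component if c.isalpha()}
        if len(scripts) > 1:
            suspicious.append(component)
    return suspicious


def summarize(report_lines: List[str]) -> Dict[str, object]:
    """Collapse a report to one entry per on-disk file, plus the count of locked objects."""
    locked = 0
    detections: Dict[str, List[str]] = {}   # container path -> detection names, first-seen order
    for raw in report_lines:
        line = raw.strip()
        if LOCKED.match(line):
            locked += 1
            continue
        m = INFECTED.match(line)
        if m:
            container = m.group("path").split("/")[0]   # drop the archive-member suffix
            names = detections.setdefault(container, [])
            if m.group("name") not in names:
                names.append(m.group("name"))
            continue
        m = ARCHIVE.match(line)
        if m:
            detections.setdefault(m.group("path"), [])
    files = [{"path": p, "detections": sorted(n), "lookalike_dirs": mixed_script_components(p)}
             for p, n in detections.items()]
    return {"locked_skipped": locked, "files": files}


# Constructed sample: lines copied from the two reports in this thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
E:\WINNT\system32\config\SAM Object is locked skipped
E:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
E:\WINNT\system32\oins.exe Infected: Trojan-Downloader.Win32.PurityScan.cp skipped
E:\WINNT\system32\cbxwvwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bs skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe NSIS: infected - 2 skipped
E:\Documents and Settings\Administrator\Application Data\Μіcrosoft\mmc.exe Infected: Trojan-Downloader.Win32.PurityScan.cn skipped
E:\avenger\backup.zip/avenger/scanregw.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
E:\avenger\backup.zip ZIP: infected - 2 skipped
Scan process completed.
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT.splitlines())
    print(f"{result['locked_skipped']} locked objects skipped (noise)")
    for f in result["files"]:
        flag = "  LOOK-ALIKE DIR: " + ", ".join(f["lookalike_dirs"]) if f["lookalike_dirs"] else ""
        print(f"{f['path']}\n    {', '.join(f['detections'])}{flag}")
```

The mixed-script check is deliberately coarse: it asks only whether one name draws letters from more than one Unicode script, which is enough to catch a folder that looks like "Microsoft" in Explorer but is something else on disk. Tool backups such as E:\avenger\backup.zip show up as infected because they hold the files that were just removed, which is why the helper asks for those backups to be deleted once the machine is clean.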
VundoFix V4.2.84
Running as SYSTEM
from E:\\VundoFix.exe
Checking Java version...
Java version is 1.4.2.5
Java version is 1.4.2.6
Java version is 1.5.0.2
Java version is 1.5.0.6
Scan started at 10:47:14 PM 6/28/2006
Listing files found while scanning....
E:\WINNT\system32\hjlnn.bak1
E:\WINNT\system32\hjlnn.bak2
E:\WINNT\system32\hjlnn.ini
E:\WINNT\system32\nnljh.dll
Attempting to delete E:\WINNT\system32\hjlnn.bak1
E:\WINNT\system32\hjlnn.bak1 Has been deleted!
Attempting to delete E:\WINNT\system32\hjlnn.bak2
E:\WINNT\system32\hjlnn.bak2 Has been deleted!
Attempting to delete E:\WINNT\system32\hjlnn.ini
E:\WINNT\system32\hjlnn.ini Has been deleted!
Attempting to delete E:\WINNT\system32\nnljh.dll
E:\WINNT\system32\nnljh.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of HijackThis v1.99.1
Scan saved at 10:53:58 pm, on 28/06/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
E:\WINNT\System32\smss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\Program Files\NavNT\defwatch.exe
E:\WINNT\System32\svchost.exe
E:\WINNT\system32\hidserv.exe
E:\Program Files\Ahead\InCD\InCDsrv.exe
E:\Program Files\NavNT\rtvscan.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\WINNT\system32\MsgSys.EXE
E:\WINNT\system32\UMonit2k.exe
E:\Program Files\NavNT\vptray.exe
E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
E:\WINNT\Mixer.exe
E:\WINNT\system32\hkcmd.exe
E:\Program Files\Ahead\InCD\InCD.exe
E:\WINNT\system32\carpserv.exe
E:\WINNT\vsnpstd.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Nikon\NkView6\NkvMon.exe
E:\WINNT\system32\stisvc.exe
E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
E:\WINNT\system32\monitorbk.exe
E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
E:\Program Files\Folding@Home\winfah.exe
E:\Program Files\Folding@Home\FahCore_82.exe
E:\Documents and Settings\Administrator\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {E53AEEAF-168C-4526-B727-2E5935E2E83E} - E:\WINNT\system32\nnljh.dll (file missing)
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechGalleryRepair] E:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [Gene USB Monitor] E:\WINNT\system32\UMonit2k.exe
O4 - HKLM\..\Run: [vptray] E:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [IgfxTray] E:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] E:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [InCD] E:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [FaxCenterServer] "E:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [WinAmpBar] "E:\Program Files\WinAmpBar\WinAmpBar.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "E:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [snpstd] E:\WINNT\vsnpstd.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [NBJ] "E:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Desktop Weather 3] E:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - Startup: Folding@Home 5.02.lnk = E:\Program Files\Folding@Home\winfah.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: NkvMon.exe.lnk = E:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = E:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Belkin PCMCIA WLAN Monitor.lnk = E:\WINNT\system32\monitorbk.exe
O4 - Global Startup: ME101 Configuration Utility.lnk = E:\Program Files\NETGEAR\ME101 Configuration Utility\wlancfg.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = E:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://e:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://e:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - E:\PROGRA~1\YAHOO!\MESSEN~1\YPAGER.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {3A5A2021-0895-11D2-8817-0060089E0724} (GlobalEnglish Learning Technology) - http://www.globalenglish.com/html/setup/cabs/ge.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by24fd.bay24.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup156.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab30149.cab
O20 - AppInit_DLLs: E:\WINNT\system32\scanregw.dll
O20 - Winlogon Notify: NavLogon - E:\WINNT\system32\NavLogon.dll
O20 - Winlogon Notify: nwprovau - E:\WINNT\SYSTEM32\nwprovau.dll
O20 - Winlogon Notify: winxkp32 - winxkp32.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - E:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - E:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - E:\Program Files\NavNT\rtvscan.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - E:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - E:\WINNT\system32\ZONELABS\vsmon.exe
cheers....
O20 - Winlogon Notify: winxkp32 - winxkp32.dll (file missing)
Close all other windows except HijackThis and press "Fix Checked". Then close HijackThis and restart the computer.
Next go to Control Panel then Add/Remove Programs and look for the entry "OIN" or "(program) by OIN"
Proceed to uninstall it.
If you do not see this, please download their stand-alone uninstaller from http://www.outerinfo.com/OiUninstaller.exe.
Run this installer.
Now please delete the back-ups in OmegaKiller and Avenger.
Finally, rescan with Kaspersky Scanner and post the new log in your next reply.
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 02, 2006 10:54:06 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/07/2006
Kaspersky Anti-Virus database records: 204170
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 60975
Number of viruses found: 7
Number of infected objects: 11 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:21:57
Infected Object Name / Virus Name / Last Action
E:\WINNT\system32\config\software.LOG Object is locked skipped
E:\WINNT\system32\config\default.LOG Object is locked skipped
E:\WINNT\system32\config\SECURITY Object is locked skipped
E:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
E:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
E:\WINNT\system32\config\SAM Object is locked skipped
E:\WINNT\system32\config\SAM.LOG Object is locked skipped
E:\WINNT\system32\config\SYSTEM Object is locked skipped
E:\WINNT\system32\config\SOFTWARE Object is locked skipped
E:\WINNT\system32\config\DEFAULT Object is locked skipped
E:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
E:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
E:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
E:\WINNT\system32\oins.exe Infected: Trojan-Downloader.Win32.PurityScan.cp skipped
E:\WINNT\system32\cbxwvwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bs skipped
E:\WINNT\Temp\win1E4.tmp.exe Infected: Trojan-Downloader.Win32.Small.cvw skipped
E:\WINNT\Debug\PASSWD.LOG Object is locked skipped
E:\WINNT\Debug\oakley.log Object is locked skipped
E:\WINNT\Debug\ipsecpa.log Object is locked skipped
E:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
E:\WINNT\SchedLgU.Txt Object is locked skipped
E:\WINNT\CSC\00000001 Object is locked skipped
E:\WINNT\Sti_Trace.log Object is locked skipped
E:\WINNT\WindowsUpdate.log Object is locked skipped
E:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
E:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe NSIS: infected - 2 skipped
E:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\Administrator\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
E:\Documents and Settings\Administrator\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
E:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
E:\Program Files\Folding@Home\work\logfile_09.txt Object is locked skipped
E:\Program Files\Folding@Home\work\wudata_09.inp Object is locked skipped
E:\Program Files\Folding@Home\work\wudata_09.out Object is locked skipped
E:\Program Files\Folding@Home\work\wudata_09.nfo Object is locked skipped
E:\Program Files\Folding@Home\FAHlog.txt Object is locked skipped
E:\avenger\backup.zip/avenger/scanregw.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
E:\avenger\backup.zip/avenger/winxkp32.dll Infected: Trojan.Win32.Agent.qt skipped
E:\avenger\backup.zip ZIP: infected - 2 skipped
Scan process completed.
Cheers....
Do not worry about the "Object is locked skipped" lines. I have discussed this with a few experts, and it turns out that some of them are Windows registry hive files and are locked from access in Windows kernel mode. Nothing can access those files directly, for obvious reasons. That includes antivirus. We also suspect that the Kaspersky Scanner changed recently, so the previous log generated did not show these harmless entries.
Please run VundoFix again.
Open Avenger. Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, paste this:
Files to delete:
E:\WINNT\system32\oins.exe
E:\WINNT\system32\cbxwvwv.dll
E:\WINNT\Temp\win1E4.tmp.exe
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe
and click 'Done'
Click the Traffic Light icon to start the program, and OK the prompts to reboot your PC.
Delete the Avenger backups.
Finally, rescan with Kaspersky Online Scanner and post the new log in your next reply.
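As an added illustration (not part of this thread or of any of the tools it uses) of how to triage a Kaspersky Online Scanner report like the ones posted here: the parser below separates the harmless "Object is locked skipped" lines from real detections, collapses archive members such as "/data0002" back to the file that actually sits on disk (the path an Avenger "Files to delete:" script would need), and checks that the per-line tally reproduces the report's own summary counts. The sample report is a constructed excerpt of the log quoted in this thread.

```python
import re
# Constructed excerpt of the Kaspersky Online Scanner 5.x report quoted in this
# thread (the thread's own paths and detection names, not a live scan).
SAMPLE_REPORT = r"""Number of viruses found: 7
Number of infected objects: 11 / 0
E:\WINNT\system32\config\SAM Object is locked skipped
E:\WINNT\system32\oins.exe Infected: Trojan-Downloader.Win32.PurityScan.cp skipped
E:\WINNT\system32\cbxwvwv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bs skipped
E:\WINNT\Temp\win1E4.tmp.exe Infected: Trojan-Downloader.Win32.Small.cvw skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002/data0006 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe/data0002 Infected: Trojan-Dropper.Win32.VB.kk skipped
E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe NSIS: infected - 2 skipped
E:\Documents and Settings\Administrator\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
E:\Documents and Settings\Administrator\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
E:\avenger\backup.zip/avenger/scanregw.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
E:\avenger\backup.zip/avenger/winxkp32.dll Infected: Trojan.Win32.Agent.qt skipped
E:\avenger\backup.zip ZIP: infected - 2 skipped
"""

LOCKED_SUFFIX = " Object is locked skipped"
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<obj>.+?) (?:NSIS|ZIP): infected - \d+ skipped$")

def parse_report(text):
    """Split a report into locked-file noise, infected objects and header totals;
    'files' maps each on-disk file (archive member suffix removed) to its detections."""
    stats = {"locked": 0, "infected_objects": 0, "files": {}, "header": {}}
    for line in text.splitlines():
        if line.endswith(LOCKED_SUFFIX):
            stats["locked"] += 1          # hive or log held open by the kernel; ignore
        elif line.startswith("Number of viruses found: "):
            stats["header"]["viruses"] = int(line.rsplit(": ", 1)[1])
        elif line.startswith("Number of infected objects: "):
            stats["header"]["infected"] = int(line.rsplit(": ", 1)[1].split(" / ")[0])
        elif m := INFECTED_RE.match(line):
            stats["infected_objects"] += 1
            on_disk = m.group("obj").split("/", 1)[0]   # '/' only separates archive members
            stats["files"].setdefault(on_disk, set()).add(m.group("name"))
        elif CONTAINER_RE.match(line):
            stats["infected_objects"] += 1  # Kaspersky counts the archive itself once more
    return stats

def distinct_detections(stats):
    return set().union(*stats["files"].values())

def header_consistent(stats):
    # True when the per-line tallies reproduce the report's own summary counts.
    h = stats["header"]
    return h.get("infected") == stats["infected_objects"] and h.get("viruses") == len(distinct_detections(stats))
```

Which of the on-disk files actually belong in a deletion script is still a judgement call, as this thread shows: the helper left out the adware-flagged uninstaller and the Avenger backup archive, which were handled separately.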
Ran Avenger and got the following log:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gcyknosj
*******************
Script file located at: \??\E:\WINNT\system32\chdwieys.txt
Script file opened successfully.
Script file read successfully
Backups directory opened successfully at E:\Avenger
*******************
Beginning to process script file:
File E:\WINNT\system32\oins.exe deleted successfully.
File E:\WINNT\system32\cbxwvwv.dll deleted successfully.
File E:\WINNT\Temp\win1E4.tmp.exe deleted successfully.
File E:\Documents and Settings\Administrator\Local Settings\Temp\win2D.tmp.exe deleted successfully.
Completed script processing.
*******************
Finished! Terminate.
Then deleted the backup files.
Lastly, ran Kaspersky again and got the following log:
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 04, 2006 9:43:05 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 4/07/2006
Kaspersky Anti-Virus database records: 204718
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 60869
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:21:58
Infected Object Name / Virus Name / Last Action
E:\WINNT\system32\config\software.LOG Object is locked skipped
E:\WINNT\system32\config\default.LOG Object is locked skipped
E:\WINNT\system32\config\SECURITY Object is locked skipped
E:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
E:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
E:\WINNT\system32\config\SAM Object is locked skipped
E:\WINNT\system32\config\SAM.LOG Object is locked skipped
E:\WINNT\system32\config\SYSTEM Object is locked skipped
E:\WINNT\system32\config\SOFTWARE Object is locked skipped
E:\WINNT\system32\config\DEFAULT Object is locked skipped
E:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
E:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
E:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
E:\WINNT\Debug\PASSWD.LOG Object is locked skipped
E:\WINNT\Debug\oakley.log Object is locked skipped
E:\WINNT\Debug\ipsecpa.log Object is locked skipped
E:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
E:\WINNT\SchedLgU.Txt Object is locked skipped
E:\WINNT\CSC\00000001 Object is locked skipped
E:\WINNT\Sti_Trace.log Object is locked skipped
E:\WINNT\WindowsUpdate.log Object is locked skipped
E:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
E:\WINNT\SoftwareDistribution\EventCache\{B98FB385-70A4-4665-AACE-4915CD6CE1E1}.bin Object is locked skipped
E:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012006070420060705\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
E:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
E:\Documents and Settings\Administrator\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
E:\Documents and Settings\Administrator\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
E:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
E:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
E:\Program Files\Folding@Home\work\logfile_09.txt Object is locked skipped
E:\Program Files\Folding@Home\work\wudata_09.inp Object is locked skipped
E:\Program Files\Folding@Home\work\wudata_09.out Object is locked skipped
E:\Program Files\Folding@Home\work\wudata_09.nfo Object is locked skipped
E:\Program Files\Folding@Home\FAHlog.txt Object is locked skipped
Scan process completed.
Looks a lot better to me, but what do I know!
thanks again......
Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore. Click to add a check mark beside Turn off System Restore on all Drives, and click Apply. When you are warned that all existing Restore Points will be deleted, click Yes to continue. All system restore points are deleted. Now you should manually create a restore point. Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
Click Create a Restore Point, and then click Next. Name your restore point. (I use the date as well as a descriptive term such as "Clean system.")
Here are a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of spyware problems.
You may have already taken some of these steps:
1. Watch what you download!
Do not download just anything you see on the web. Some may have spyware bundled into them.
2. Try not to use peer-to-peer programs.
P2P programs like Grokster, Imesh, Kazaa and others are amongst the most notorious and come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
3. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
We recommend checking for Windows updates monthly.
4. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to 'prompt', and "Initialize and Script ActiveX controls not marked as safe" to 'disable'.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
5. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.
6. Keep your antivirus software up to date. If you don't have one, I recommend the free AVG.
7. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm.
A tutorial on understanding and using firewalls may be found here
8. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.
9. You might consider installing Mozilla / Firefox, which is much safer than Internet Explorer.
http://www.mozilla.org/
10. Install spyware detection and removal programs:
Ad-aware: http://www.snapfiles.com/get/adaware.html
Spybot S&D:
http://www.safer-networking.org
Use these programs to regularly scan your system for and remove many forms of spyware/malware.
11. Microsoft now offers their own anti-spyware product. Windows® Defender (Beta 2) improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC. This is a BETA for XP/2000 only.
12. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm
Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!
Cheers!!!