elite toolbar and searchmiracle pop-ups


molesb
10-22-2004, 09:57 AM
To Be Done:

Compile all information regarding elite toolbar and searchmiracle into a guide.

Sounds easy enough, right :)

nightowl
10-22-2004, 10:36 AM
Delete these. If the problem comes back, post another log. Sometimes they reload.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} -

The last one is the toolbar.......Jim :vivi

molesb
10-23-2004, 07:23 PM
Well, some things happened:

Search miracle popups started back immediately, maybe 1 per minute.

When I started IE, search miracle was my homepage.

When IE started, there was a place for the elite toolbar with a message saying "loading toolbar, please wait". I could surf slowly. After about 3 minutes IE crashed. I restarted it and the Elite toolbar was back.

Some of the things I removed were back when I ran HijackThis again. There also seemed to be other entries, like the one that changed my homepage. I did not remove them because I thought it might give you more information.

Thank you for helping me.

Here is a new log file:

Logfile of HijackThis v1.98.2
Scan saved at 8:06:08 PM, on 10/23/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Virus Solve\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\w2wu4do4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\w2wu4do4.slt\prefs.js)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winzho32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095656198382
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC46C246-98E5-488E-A1E0-60B736A13D2E}: NameServer = 207.69.188.187 207.69.188.186

nightowl
10-23-2004, 08:48 PM
This is a new problem. Spyware is trial and error until someone finds a fix. I did some research and found this below. If it works, let us know.

Fix these:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winzho32.exe

Show hidden files:

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.



Boot to safe mode (F8).

Find and delete these:
C:\WINDOWS\EliteBar\EliteBar version 50.dll <<<Folder EliteBar
C:\windows\system32\winyfu32.exe

Reboot and run this scanner: http://www.mwti.net/antivirus/free_utilities.asp

Take one of the first seven links; activate all in settings.


Post new logfile.
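The fix list above is read by eye; as an added example (not from the thread, HijackThis, or any helper here), this Python triage parses HijackThis item lines and flags the indicators named in this thread: R0/R1 entries pointing at searchmiracle.com, the two EliteBar CLSIDs, and O4 autoruns of system32\win???32.exe, which is the naming the scanner output in the thread shows for the StartPage droppers. It also reports which flagged entries survive from one log to the next, the "they reload" case. The sample logs are constructed from entries quoted in the thread.

```python
"""Triage HijackThis-style log lines for the indicators discussed in this thread."""
import re

# Indicators copied from the log entries posted in the thread.
SEARCHMIRACLE_HOST = "searchmiracle.com"
ELITEBAR_CLSIDS = {
    "{28CAEFF3-0F18-4036-B504-51D73BD81ABC}",  # O2 BHO
    "{825CF5BD-8862-4430-B771-0C15C5CA8DEF}",  # O3 toolbar
}
# The scanner output in the thread names many system32\win???32.exe files
# (winzho32.exe, winabd32.exe, ...); match that naming in autorun entries.
STARTPAGE_EXE = re.compile(r"\\system32\\win[a-z]{3}32\.exe\b", re.IGNORECASE)

# HijackThis item lines start with a section code: R0, R1, N3, O2, O3, O4, O16 ...
ITEM_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_item(line):
    """Return (section, body) for a HijackThis item line, or None for other lines."""
    m = ITEM_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def classify(line):
    """Return the list of reasons a log line is suspicious (empty if none)."""
    parsed = parse_item(line)
    if parsed is None:
        return []
    section, body = parsed
    reasons = []
    if section in ("R0", "R1") and SEARCHMIRACLE_HOST in body.lower():
        reasons.append("IE start/search page points at searchmiracle.com")
    if section in ("O2", "O3") and any(c in body.upper() for c in ELITEBAR_CLSIDS):
        reasons.append("EliteBar BHO/toolbar CLSID")
    if section == "O4" and STARTPAGE_EXE.search(body):
        reasons.append("autorun of system32\\win???32.exe (StartPage dropper naming)")
    return reasons


def triage(log_text):
    """List (line, reasons) for every suspicious line, in log order."""
    hits = []
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            hits.append((line.strip(), reasons))
    return hits


def persisting(before_text, after_text):
    """Suspicious lines present in both logs: entries that came back after a fix."""
    after_lines = {line for line, _ in triage(after_text)}
    return [line for line, _ in triage(before_text) if line in after_lines]


# Constructed sample logs, assembled from entries quoted in the thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.98.2 (constructed sample)
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winzho32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Same machine after the R0/R1 entries were fixed; BHO, toolbar and autorun reloaded.
AFTER_LOG = r"""Logfile of HijackThis v1.98.2 (constructed sample)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winzho32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"""

if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG):
        print(line)
        print("    -> " + "; ".join(reasons))
    print("still present after fix:", len(persisting(BEFORE_LOG, AFTER_LOG)))
```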

molesb
10-24-2004, 04:51 PM
I did everything described above, including show hidden files. However, I did not have C:\windows\system32\winyfu32.exe, nor did I have winyfu32.exe anywhere else on my system.

Search miracle is gone as homepage, but toolbar is still there. Never left this time. Popups still happen.

I ran the virus search program at mwti.net. A log of the virus info is included below as well as a fresh HijackThis log.

Thanks again for the help.

molesb
10-24-2004, 04:54 PM
File C:\WINDOWS\ELITET~1\ELITET~1.DLL tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\ELITET~1\ELITET~1.DLL tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\windows\system32\winzho32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\96wu19rd.exe infected by "TrojanDropper.Win32.Small.gt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dealhlpr.dll tagged as not-a-virus:AdWare.DealHelper.r. No Action Taken.
File C:\WINDOWS\dhbrwsr.exe tagged as not-a-virus:AdWare.DealHelper.b. No Action Taken.
File C:\WINDOWS\dhp.dll tagged as not-a-virus:AdWare.DealHelper.r. No Action Taken.
File C:\WINDOWS\dhp2.dll tagged as not-a-virus:AdWare.DealHelper.j. No Action Taken.
File C:\WINDOWS\dhsvr.exe tagged as not-a-virus:AdWare.DealHelper.p. No Action Taken.
File C:\WINDOWS\dhupdt.exe tagged as not-a-virus:AdWare.DealHelper.f. No Action Taken.
File C:\WINDOWS\setupod.exe infected by "TrojanDropper.Win32.Agent.av" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\silent_install.exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\standard.exe tagged as not-a-virus:AdWare.WinFetcher.b. No Action Taken.
File C:\WINDOWS\systb.exe tagged as not-a-virus:AdWare.ToolBar.ImiBar.b. No Action Taken.
File C:\WINDOWS\system32\ATPartners.dll infected by "TrojanDownloader.Win32.Rameh.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\bhosave.dat tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\system32\bkmsf32.dat infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mscif.exe infected by "Trojan.Win32.Small.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mseggo.gif infected by "TrojanSpy.Win32.Delf.dx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msnimk.gif tagged as not-a-virus:AdWare.Ipend. No Action Taken.
File C:\WINDOWS\system32\winabd32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winehh32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winitx32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winjhb32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winjzz32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winmai32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winnrb32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winohv32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winzho32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Desktop\Virus Solve\backups\backup-20040123-193039-991.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Desktop\Virus Solve\backups\backup-20041023-234434-424.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\1018140.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\6923750.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\addit.exe tagged as not-a-virus:AdWare.Midadle.b. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\fJYihsf.exe tagged as not-a-virus:AdWare.WinFetcher.b. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\Gky86dPLb.dll tagged as not-a-virus:AdWare.Midadle.b. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\I38fnDmJj.exe tagged as not-a-virus:AdWare.Midadle.a. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\Lvy.dll tagged as not-a-virus:AdWare.Midadle.b. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\mscif.exe infected by "Trojan.Win32.Small.i" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\Ne8.dll tagged as not-a-virus:AdWare.Midadle.b. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\THI528B.tmp\mxTarget.cab tagged as not-a-virus:AdWare.BiSpy.m. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temp\WildWinTracker.exe tagged as not-a-virus:AdWare.WinFetcher.f. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\09ONKZ8N\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4707A9YZ\EliteBar53[1].dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\6FIFE5IR\bobby[1].exe infected by "TrojanDownloader.Win32.Small.sg" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ATPIREDS\EliteBar53[1].dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ATPIREDS\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KB57EIFL\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\STQBW5E3\silent_install[2].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\UDCR6HQ5\protector[1].exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\EliteToolBar version 53.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\hp\bin\Terminator.exe tagged as not-a-virus:RiskWare.Tool.KillApp. No Action Taken.
File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07654344.exe infected by "Worm.P2P.SpyBot.gen" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\732F57A0 infected by "TrojanDownloader.Win32.Small.gl" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7E792402 infected by "I-Worm.Bagle.c" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7F130E31 infected by "I-Worm.Tanatos.b" Virus. Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-237538551-482397144-748243563-1003\Dc12.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\96wu19rd.exe infected by "TrojanDropper.Win32.Small.gt" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dealhlpr.dll tagged as not-a-virus:AdWare.DealHelper.r. No Action Taken.
File C:\WINDOWS\dhbrwsr.exe tagged as not-a-virus:AdWare.DealHelper.b. No Action Taken.
File C:\WINDOWS\dhp.dll tagged as not-a-virus:AdWare.DealHelper.r. No Action Taken.
File C:\WINDOWS\dhp2.dll tagged as not-a-virus:AdWare.DealHelper.j. No Action Taken.
File C:\WINDOWS\dhsvr.exe tagged as not-a-virus:AdWare.DealHelper.p. No Action Taken.
File C:\WINDOWS\dhupdt.exe tagged as not-a-virus:AdWare.DealHelper.f. No Action Taken.
File C:\WINDOWS\EliteBar\EliteBar.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\setupod.exe infected by "TrojanDropper.Win32.Agent.av" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\silent_install.exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\standard.exe tagged as not-a-virus:AdWare.WinFetcher.b. No Action Taken.
File C:\WINDOWS\systb.exe tagged as not-a-virus:AdWare.ToolBar.ImiBar.b. No Action Taken.
File C:\WINDOWS\system32\ATPartners.dll infected by "TrojanDownloader.Win32.Rameh.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\bhosave.dat tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\system32\bkmsf32.dat infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4R61QTW1\bobby[1].exe infected by "TrojanDownloader.Win32.Small.sg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4R61QTW1\bobby[2].exe infected by "TrojanDownloader.Win32.Small.sg" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4R61QTW1\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\O3092XI5\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.j. No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1QVMVQX\protector[1].exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.

molesb
10-24-2004, 04:56 PM
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\W1QVMVQX\protector[2].exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mscif.exe infected by "Trojan.Win32.Small.i" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mseggo.gif infected by "TrojanSpy.Win32.Delf.dx" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msnimk.gif tagged as not-a-virus:AdWare.Ipend. No Action Taken.
File C:\WINDOWS\system32\winabd32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winehh32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winitx32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winjhb32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winjzz32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winmai32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winnrb32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winohv32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winzho32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtbgm\wtbgmtt.exe tagged as not-a-virus:AdWare.WildTangent. No Action Taken.
File G:\RECYCLER\S-1-5-21-237538551-482397144-748243563-1003\Dg55.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

molesb
10-24-2004, 04:57 PM
Logfile of HijackThis v1.98.2
Scan saved at 5:44:53 PM, on 10/24/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Owner\LOCALS~1\Temp\kavss.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Virus Solve\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\w2wu4do4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\w2wu4do4.slt\prefs.js)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winzho32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095656198382
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC46C246-98E5-488E-A1E0-60B736A13D2E}: NameServer = 207.69.188.187 207.69.188.186

nightowl
10-24-2004, 08:44 PM
Does the program give you the option to take action? Or do they ask you to pay for it?

I kind of like the log file it gives you.

These are the Elite toolbar.

File C:\WINDOWS\ELITET~1\ELITET~1.DLL tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.

File C:\WINDOWS\ELITET~1\ELITET~1.DLL tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.

File C:\WINDOWS\system32\bhosave.dat tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.

File C:\Documents and Settings\Owner\Desktop\Virus Solve\backups\backup-20040123-193039-991.dll tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.

Files\Content.IE5\4R61QTW1\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.q. No Action Taken.

Files\Content.IE5\O3092XI5\silent_install[1].exe tagged as not-a-virus:AdWare.ToolBar.EliteBar.j. No Action Taken.

File C:\WINDOWS\wt\wtbgm\wtbgmtt.exe tagged as not-a-virus:AdWare.WildTangent. No Action Taken.


Looks like you were affected by a virus. :eww

HijackThis log looks better; still have these. Search Miracle is gone.

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 53.dll
O4 - HKLM\..\Run: [Sys29] C:\windows\system32\winzho32.exe


ECA what do you think of this?

molesb
10-25-2004, 06:04 PM
Does the program give you the option to take action? Or do they ask you to pay for it?

You have to pay for it.

It does look like I have a virus. I think it is recent. I ran a system scan (Norton AntiVirus 9.05.15) once when I noticed the toolbars and once right before I first posted. Virus definitions say they are from today, despite not updating yet. AutoProtect is off and cannot be turned back on and e-mail scanning says "error".

I also have a folder on both my C: drive and G: drive that says "recycler". They were created yesterday and today and I cannot delete or otherwise modify them.

I am researching the virus problem and attempting to remove it.

Ug!

Miles

nightowl
10-25-2004, 07:32 PM
Looks like an OK program. I just downloaded it and yes, you have to pay for it. I scanned my computer and it shows that I have a few viruses (jar files). Funny Norton and AVG did not pick these up. My computer seems to be running OK, I'll leave it be for now.


How did you copy and paste the log to the message board? I saved the log but the results did not post in the log, just the scan?..........Jim

ECA
10-25-2004, 08:19 PM
Didn't see this one come up.
Haven't followed you..
I'm really getting TIRED of XP SP2..

This is bad..

I'd KILL Norton and try AVG...

Be aware though, I have seen a few viruses that LOCK you out from getting AVG...
Majorgeek.com has LOTS of the needed files.. But AVG needs to be registered..

nightowl
10-25-2004, 09:05 PM
http://www.mwti.net/antivirus/free_utilities.asp

Did you check out this program? It picked up stuff AVG and Norton did not........Jim

ECA
10-25-2004, 09:40 PM
It's part of Kaspersky,

but I don't like MULTI TOOLS.. Rather run what I want, instead of everything at once.
Looks cool, I'll look at it.

molesb
10-26-2004, 06:47 AM
How did you copy and paste the log to the message board? I saved the log but the results did not post in the log, just the scan?

I copied (ctl+C) the virus information log from the program window, not from the log.

The program C:\windows\system32\winzho32.exe keeps coming back.

I'll uninstall Norton and try AVG.

I'll let you know how it turns out.

Thanks,

Miles

nightowl
10-26-2004, 08:56 AM
Thanks for the tip, I'll rescan and give it a try. Good luck with those viruses.........Jim

molesb
10-26-2004, 08:40 PM
Thought I'd give a status report.

I uninstalled Norton and used AVG. Found out I have this virus:
Trojan Horse Startpage.11.A
AVG found it in a total of 7 places, 4 in C:\windows\system32 and 3 in C:\RECYCLER. The virus itself apparently resides in: C:\windows\system32\winzho32.exe
AVG was unable to heal this file and it remains on my system. But was able to heal it in the 6 other places.

I cannot delete winzho32.exe or otherwise modify it. Says "cannot delete winzho32: access is denied"

Search miracle popups remain. However the elite toolbar is gone, at least for right now.

I guess that is progress. At least I know who my enemy is. I am trying to figure out a way to remove winzho32.exe.

Miles

molesb
10-26-2004, 10:42 PM
Well, I finally deleted winzho32.exe by starting in safe mode and deleting it using Explorer. I ran Trojan Remover 6.3.1 before doing this, also while in safe mode, but that seemed to be unable to remove it.

I don't think my computer is healthy. But I would say that "the fever has broken" or that I have made some progress.

I now have other seemingly minor problems, but ... search miracle seems to be gone (yeah!).

I have some spyware that reloads immediately after being removed by Spybot S&D. They are DSO Exploit; there are 5 entries.

Here is the log produced by SpyBot S&D:
-----------------------------------------
DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-21-237538551-482397144-748243563-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

DSO Exploit: Data source object exploit (Registry change, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

Fresh HijackThis log:
---------------------------------------
Logfile of HijackThis v1.98.2
Scan saved at 11:37:15 PM, on 10/26/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\GRISOF~1\AVG6\avgserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft Anti-Virus\AVG6\avgcc32.exe
C:\Documents and Settings\Owner\Desktop\Virus Solve\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "www.google.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\w2wu4do4.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\w2wu4do4.slt\prefs.js)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVG_CC] C:\Program Files\Grisoft Anti-Virus\AVG6\avgcc32.exe /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1095656198382
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EC46C246-98E5-488E-A1E0-60B736A13D2E}: NameServer = 207.69.188.187 207.69.188.186

nightowl
10-26-2004, 11:26 PM
As long as you have the current Windows Updates those exploits are harmless; I have them on my computer also. I looked into that problem a few months ago. Apparently Windows fixed the problem, so as long as you are up to date on Windows Updates those should be OK.

I believe there is an option in Spybot to ignore certain problems.

It looks like the Elite search bar and Search Miracle are gone.

For prevention I would try SpywareBlaster. Here is the webpage for info and a free download.........Jim :vivi

http://www.javacoolsoftware.com/spywareblaster.html

ECA
10-27-2004, 10:12 AM
Blaster LOCKS ActiveX; things won't load there unless you WANT IT TO.

In Spybot, go to TOOLS, turn on TEATIMER and OTHERS... They WATCH your system for changes.
It will TELL you, even when you are loading new progs, if you WISH to change the reg...

nightowl
10-28-2004, 11:46 AM
Control-C worked on the copy and paste, thanks.

I wonder why Norton did not pick up this crap?

I even right-clicked the file and scanned with Norton and they come up clean. I guess I'll have to delete these manually one by one?

File C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-5ef20017-60ecadd0.zip infected by "Trojan.Java.ClassLoader.k" Virus. Action Taken: No Action Taken

File C:\Documents and Settings\Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-6198e311-25259c5f.zip infected by "Trojan.Java.ClassLoader.i" Virus. Action Taken: No Action Taken

File C:\Documents and Settings\Administrator\Local Settings\Temp\keenvalueUninstall.exe infected by "TrojanDownloader.Win32.Keenval" Virus. Action Taken: No Action Taken

File C:\Documents and Settings\Administrator\Local Settings\Temp\sui.exe infected by "TrojanDownloader.Win32.Keenval" Virus. Action Taken: No Action Taken.

File C:\Documents and Settings\Administrator\Local Settings\Temp\UpdatedKeenValueInstall.exe infected by "TrojanDownloader.Win32.Keenval" Virus. Action Taken: No Action Taken

File C:\Documents and Settings\Administrator\Local Settings\Temp\WUSV_UNIVInst.exe tagged as not-a-virus:AdWare.SaveNow.c. No Action Taken.

File C:\Documents and Settings\wordpro\lotus\scrncam\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken

File C:\lotus\scrncam\setup.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\2B9E1A58.exe infected by "Worm.Win32.Lovesan.a" Virus. Action Taken: No Action Taken

File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68BF7F34.tmp infected by "Trojan.Java.ClassLoader.i" Virus. Action Taken: No Action Taken.

File C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\68C22930.tmp infected by "Trojan.Java.ClassLoader.k" Virus. Action Taken: No Action Taken

File C:\WINDOWS\Downloaded Program Files\gsda.dll tagged as not-a-virus:RiskWare.Downloader.SpyGame. No Action Taken

File D:\My Documents\kmd.exe tagged as not-a-virus:AdWare.Cydoor. No Action Taken

File D:\Original Data\Documents and Settings\Administrator\My Documents\BSINSTALL.exe tagged as not-a-virus:AdWare.SaveNow.k. No Action Taken

File D:\Original Data\My Downloads\BSINSTALL.exe tagged as not-a-virus:AdWare.SaveNow.k. No Action Taken

File D:\C Drive\Program Applications\webscene.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken

File C:\WINDOWS\Downloaded Program Files\gsda.dll tagged as not-a-virus:RiskWare.Downloader.SpyGame. No Action Taken.

ECA
10-28-2004, 05:09 PM
They are trojans, not viruses.

molesb
10-28-2004, 06:04 PM
Well, my machine seems to be operating properly again. There are still a couple of things that seem weird, such as the recycler folders on my C: and G:. But the internet is running at normal speed, the Elite toolbar is gone and has not come back, and the Search Miracle pop-ups have stopped. So I say SUCCESS! If I have more problems I will post a new thread.

Thank you for all the help Jim and ECA. Everything seems to work so much better now.

Thanks again,

Miles

nightowl
10-28-2004, 07:00 PM
Glad we could help.........Jim

Davi
11-17-2004, 09:06 PM
Ok guys, try this: reboot your system and go into safe mode (F8). After you get into safe mode, delete the following items:

c:\windows\elitetoobar
c:\windows\system32\winype32

voila... reboot your system.

If it does not work, let me know.

good luck!!!

b20me
11-30-2004, 10:10 PM
I too, am facing this "searchmiracle" problem. I have seen the previous posts about this issue. How do I send you my log file? Thanks.

ECA
12-01-2004, 09:43 AM
Get HijackThis.

http://forums.designtechnica.com/showthread.php?t=5583

Would also suggest Spybot S&D, Ad-Aware, SpywareBlaster... Spybot needs to be registered.
Get them, update them, run them... Better in SAFE mode.

steven123
12-02-2004, 07:01 PM
I have the same problem and I've been trying to delete it using Ad-Aware, Norton's antivirus and Search and Destroy, and it won't delete it or anything. Can someone please help me!
Here's my HijackThis log:

Logfile of HijackThis v1.98.2
Scan saved at 7:54:09 PM, on 12/02/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\sysoverload.exe
C:\WINDOWS\System32\miouco.exe
C:\WINDOWS\System32\36110.exe
C:\WINDOWS\System32\26655.exe
C:\Program Files\WashAds\WashAds.exe
C:\WINDOWS\System32\08226.exe
C:\WINDOWS\System32\57848.exe
C:\WINDOWS\System32\11636.exe
C:\WINDOWS\System32\06714.exe
C:\WINDOWS\System32\40581.exe
C:\WINDOWS\System32\15548.exe
C:\WINDOWS\System32\30620.exe
C:\WINDOWS\System32\63106.exe
C:\WINDOWS\System32\70110.exe
C:\WINDOWS\System32\88760.exe
C:\WINDOWS\System32\65536.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\s.truong\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\System32\65536.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O4 - HKLM\..\Run: [Windows Compliant] miouco.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvmx32.exe
O4 - HKLM\..\Run: [Microsoftvirus] sysoverload.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysIdle] C:\WINDOWS\System32\65536.exe
O4 - HKLM\..\RunServices: [*windows update] wrauclt.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Microsoftvirus] sysoverload.exe
O4 - HKLM\..\RunServices: [Windows Compliant] miouco.exe
O4 - HKLM\..\RunOnce: [Microsoftvirus] sysoverload.exe
O4 - HKCU\..\Run: [Windows Compliant] miouco.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [MS Remote Procedure Call] msrpc32.exe
O4 - HKCU\..\Run: [*windows update] wrauclt.exe
O4 - HKCU\..\Run: [Microsoftvirus] sysoverload.exe
O4 - HKCU\..\RunOnce: [Microsoftvirus] sysoverload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spyspotter/SpSp29952.22opt/SpySpotterInstall.cab

nightowl
12-02-2004, 09:36 PM
Lots of bad stuff on here. You have Norton; did you buy the yearly subscription? It won't remove them unless the subscription is bought. I don't see Spybot on here either.


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\System32\65536.dll

Removal:

- Stop adprot.exe as a running process
- Have HijackThis fix the line with the BHO (called ngsh33.clsIS) with all IE windows closed.
- Find and delete *****.dll and *****.exe after a reboot. * are numbers that are the same for the dll and the exe.

O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)

O4 - HKLM\..\Run: [Windows Compliant] miouco.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvvmx32.exe
O4 - HKLM\..\Run: [Microsoftvirus] sysoverload.exe
O4 - HKLM\..\Run: [SysIdle] C:\WINDOWS\System32\65536.exe
O4 - HKLM\..\RunServices: [*windows update] wrauclt.exe
O4 - HKLM\..\RunServices: [MS Remote Procedure Call] msrpc32.exe
O4 - HKLM\..\RunServices: [Microsoftvirus] sysoverload.exe
O4 - HKLM\..\RunServices: [Windows Compliant] miouco.exe
O4 - HKLM\..\RunOnce: [Microsoftvirus] sysoverload.exe
O4 - HKCU\..\Run: [Windows Compliant] miouco.exe
O4 - HKCU\..\Run: [Microsoftkeysd] systemwin32s.exe
O4 - HKCU\..\Run: [MS Remote Procedure Call] msrpc32.exe
O4 - HKCU\..\Run: [*windows update] wrauclt.exe
O4 - HKCU\..\Run: [Microsoftvirus] sysoverload.exe
O4 - HKCU\..\RunOnce: [Microsoftvirus] sysoverload.exe

All these O4s are related to viruses or trojans.


O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spyspotter.com/spys...tterInstall.cab
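
As an added example (my own code, not part of HijackThis and not posted by anyone in this thread), here is a small Python triage script that applies the indicators nightowl pointed out above to a pasted log: IE search or start pages pointed at searchmiracle.com, O2/O3 entries whose file is already gone ("(no file)"), DLLs and EXEs with purely numeric names such as 65536.dll / 65536.exe, and O4 autoruns that name a bare file like miouco.exe or wrauclt.exe instead of a full path. The sample log is constructed from lines that appear in the logs posted in this thread; the heuristics are mine, and the script only flags lines for a person to look at, it does not fix anything.

```python
"""Heuristic triage of a HijackThis log (added example, not HijackThis code)."""
from __future__ import annotations
import re
from urllib.parse import urlparse

# Hijack host seen in the R0/R1 lines posted in this thread.
HIJACK_HOSTS = {"searchmiracle.com", "www.searchmiracle.com"}

DIGIT_NAME = re.compile(r"^\d+\.(?:exe|dll)$", re.IGNORECASE)
R_LINE = re.compile(r"^R[01] - (?P<key>.*?) =\s*(?P<value>.*)$")
O23_LINE = re.compile(
    r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$")
O4_LINE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
PROCESS_LINE = re.compile(r"^[A-Za-z]:\\")

# Constructed sample: lines copied from logs posted earlier in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\sysoverload.exe
C:\WINDOWS\System32\65536.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O2 - BHO: ngsh33.clsIS - {941CA48C-3984-4E7D-AAF8-8755ED76EB50} - C:\WINDOWS\System32\65536.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O4 - HKLM\..\Run: [Windows Compliant] miouco.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SysIdle] C:\WINDOWS\System32\65536.exe
O4 - HKLM\..\RunServices: [*windows update] wrauclt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""


def basename(path: str) -> str:
    """Last component of a Windows path."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def first_token(cmd: str) -> str:
    """Executable part of an O4 command: a quoted path or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def target_of(cmd: str) -> str:
    """Look through a rundll32 wrapper so the DLL it loads is what gets judged."""
    cmd = cmd.strip()
    exe = first_token(cmd)
    if basename(exe).lower() == "rundll32.exe":
        rest = cmd[cmd.lower().find("rundll32.exe") + len("rundll32.exe"):]
        exe = first_token(rest.lstrip(' "'))
    return exe


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (reason, line) pairs for every log line that trips a heuristic."""
    findings: list[tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = R_LINE.match(line)
        if m:
            host = (urlparse(m["value"]).hostname or "").lower()
            if host in HIJACK_HOSTS:
                findings.append((f"IE search/start page hijacked to {host}", line))
            continue
        m = O23_LINE.match(line)
        if m:
            if m["file"] == "(no file)":
                findings.append(("orphaned BHO/toolbar CLSID, file already removed", line))
            elif DIGIT_NAME.match(basename(m["file"])):
                findings.append(("BHO/toolbar DLL with numeric-only name", line))
            continue
        m = O4_LINE.match(line)
        if m:
            exe = target_of(m["cmd"])
            if DIGIT_NAME.match(basename(exe)):
                findings.append(("autorun of numeric-named executable", line))
            elif "\\" not in exe:
                findings.append(("autorun by bare filename, no directory given", line))
            continue
        if PROCESS_LINE.match(line) and DIGIT_NAME.match(basename(line)):
            findings.append(("running process with numeric-only name", line))
    return findings


def flagged_lines(log_text: str) -> set[str]:
    """Only the flagged log lines, handy for diffing two logs."""
    return {line for _, line in triage(log_text)}


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Legitimate entries such as the NvCplDaemon rundll32 line and the ctfmon.exe autorun pass through untouched because they carry a full path and an ordinary name; the script deliberately does not judge the number of svchost.exe processes, since that count varies with what services a machine runs.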

Dpcentner
12-03-2004, 10:05 AM
I also am having problems with this. Please tell me what to do to get rid of it.... it has overtaken my new laptop and I am ready to form a vigilante group to hunt down the developers of this stuff..... thanks

Dpcentner
12-03-2004, 10:10 AM
Logfile of HijackThis v1.98.0
Scan saved at 2:01:38 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvztd32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

Dpcentner
12-03-2004, 10:13 AM
Here is my log file.... this stuff will not go away. I have tried Ad-Aware, Spyware Doctor, did them in safe mode... blah blah blah..... thanks in advance

ECA
12-03-2004, 10:25 AM
Get, update and run Spybot S&D, SpywareBlaster, Ad-Aware...

Go to ADD/REMOVE programs, and REMOVE ALL toolbars, extra stuff you wanted from the net, weather bug, stock tickers, atomic TIME, DOWNLOADERS...
If we kill the problem and LEAVE the program that made it, it just reinstalls..

Then please repost..

Dpcentner
12-03-2004, 12:14 PM
I ran everything as you said and here we go..... thanks

Logfile of HijackThis v1.98.0
Scan saved at 4:04:18 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvztd32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

nightowl
12-03-2004, 01:43 PM
Looks better after running Spybot. Still have some things here. Place a check next to each of these and click Fix Checked, reboot and post another log.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
:vivi

ECA
12-03-2004, 01:53 PM
Still has something running SVCHOST...
He has 5 of them..

Dpcentner
12-03-2004, 02:17 PM
This Elite toolbar will not go away. I delete it, remove it, and all this junk keeps coming back..... what is svchost?

Logfile of HijackThis v1.98.0
Scan saved at 6:00:29 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvztd32.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

nightowl
12-03-2004, 02:30 PM
That's spyware for you; sometimes it takes a while to get rid of.

C:\WINDOWS\system32\svchost.exe

svchost looks OK now, only 2; there were 5. Hopefully they won't reload again.

Check these and Click Fix Checked, reboot and post a new log.


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System\blank.htm
F0 - system.ini: Shell=
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 58.dll
O4 - HKLM\..\Run: [kalvsys] C:\windows\system32\kalvztd32.exe

ECA
12-03-2004, 03:20 PM
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL

O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files..._full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

What are THESE 2???

Dpcentner
12-03-2004, 04:06 PM
XBlock is a spyware remover and the other is for the University of Phoenix website for my school... I will do the above. I did try to run everything in safe mode and that did not work either... but as you said, it takes time.... thanks

Dpcentner
12-03-2004, 04:09 PM
should I remove the svchost in win32?

Dpcentner
12-03-2004, 04:30 PM
I cannot get the F0 system.ini Shell= line to delete..... I went to safe mode and that did not work either.. thanks

Logfile of HijackThis v1.98.0
Scan saved at 8:09:06 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\DOCUME~1\DAVIDC~1\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB

nightowl
12-03-2004, 04:33 PM
should I remove the svchost in win32?

Don't remove it, it looks fine now. It's normal to have 2 but more than 2 is bad........Jim

nightowl
12-03-2004, 04:36 PM
How's it running now? It's looking better. Unless there's a hidden file somewhere?

All I see is this one.

F0 - system.ini: Shell=

Dpcentner
12-03-2004, 05:15 PM
I tried to remove that about 10 times in normal mode and safe mode and it would not delete, but I re-ran HijackThis and attached is the new log file...thanks

Logfile of HijackThis v1.97.7
Scan saved at 9:05:24 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hijak\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Dpcentner
12-03-2004, 05:16 PM
It seems that SearchMiracle is gone and also EliteBar....I did have a problem with AboutBlank coming back, but I think that is gone, maybe....

ECA
12-03-2004, 05:18 PM
Are you on AOL???

Dpcentner
12-03-2004, 05:25 PM
I have AOL but I am not on it...also, when I open IE it is slow opening up one time, then the next time it will open right up.....

Dpcentner
12-03-2004, 05:27 PM
Here is the last log file

Logfile of HijackThis v1.97.7
Scan saved at 9:19:00 PM, on 12/3/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijak\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell4me.com/myway
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X-Cleaner Deluxe] "C:\PROGRA~1\X-CLEA~1\XCleaner_full.exe" -turbo -autostart -NOREBOOT
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {556DDE36-E951-11D1-A708-000000521958} - http://www.xblock.com/members/files/xcleaner_full_setup.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

nightowl
12-03-2004, 06:52 PM
Looks clean. How is it running?........Jim :vivi

Dpcentner
12-03-2004, 07:08 PM
Seems like it is back to normal, though IE launches slow one time and then normal the next. Other sites seem to load OK, just my home site is the problem....but it is much better......thanks so much for all the help!!

Dave

Dpcentner
12-03-2004, 07:13 PM
It seems to be pretty much back to normal, though I am having a problem with IE opening my home site at times: normal one time, slow the next. Then I have a few sites in my favorites that are very slow to open. I have no idea what is causing this, but at least the elite/miracle issue is gone...Thanks

Dpcentner
12-03-2004, 07:38 PM
I cannot get Google to open, nor nascar.com or adimeadozen.com; they all time out before they open....any thoughts?

nightowl
12-03-2004, 07:50 PM
Could be your internet; try rebooting and try again. Sometimes that works. Check your Internet Options and make sure your home page is set. If not, type it in and click Apply.

nightowl
12-03-2004, 08:15 PM
Use SpywareBlaster for prevention. It blocks a lot of spyware from loading on your computer. Update all the programs once a week; they add new definitions all the time. Here's the link for SpywareBlaster where you can read more about it and download it for free..........Jim

5) SpywareBlaster


http://www.javacoolsoftware.com/spywareblaster.html

Download.com

http://www.download.com/SpywareBlas...tml?tag=lst-0-1

:vivi

ECA
12-03-2004, 08:21 PM
Something to remember.
Even though a site has been around a long time, or is GREAT... a bot can be inserted into it without their notice. Advertising bots are a pain. They are not on that site; they are being sent from ANOTHER site to appear on theirs. And they can place bots in them.

YOUR clean system is probably having problems with THIS.
MAKE sure you are running SpybotSD, advanced MODE, TOOLS, RESIDENT, and both SDHelper and TeaTimer...
TEATIMER will TELL you if someone is trying to INSTALL stuff.

Dpcentner
12-05-2004, 05:13 PM
I have all of these running, and it is still loading my IE home site slow at times; it sees the site but is very slow to load. Also, it will not load Google or Nascar.com. Is it possible that one of these programs is blocking these sites for some reason, or is something still wrong with the system? I am running Windows XP.

Dpcentner
12-05-2004, 05:48 PM
I reset my cable modem and my wireless router and that seemed to correct the problem. I still have 5 entries of SVCHOST. Is there any way to figure out what they are attached to and remove or stop them?....thanks for all your help

ECA
12-05-2004, 05:48 PM
These programs WON'T block sites unless you TELL them to.

Have you gone into IE Options and KILLED ALL cookies, and ERASED ALL internet temp files?

ECA
12-05-2004, 05:52 PM
SVCHOST is a pain...
It's used by other programs to access the web. Even IE uses it... On 90% of systems it's only 2-3 that show up.. MORE means something ELSE is using it. Finding it means CLEANING everything OFF... NO Internet utilities, gadgets, toys running... ONLY IE..

p-hostyle
12-06-2004, 04:08 PM
I've just been infected with the searchmiracle BS....I've been trying to resolve it...'cause I'm getting very irritated by the pop-ups....I've read this whole thread and I'm not very familiar with deleting registry keys and starting up in safe mode...I'm a real beginner when it comes to these kinds of problems.

I would like to know, if I format my whole computer and reinstall Windows XP, whether this infection will be removed.

Thanks in advance for all the advice.

ECA
12-06-2004, 05:40 PM
Yes it would..
But THINK about what you are losing...
ALL your email addresses, ALL your pics, ALL your settings, ANY work done with WORD or Excel.
And backing this up isn't that easy either.

You could find a neighborhood kid to help..(LOL)

nightowl
12-06-2004, 07:10 PM
If you would like us to look at your system, download these 2 programs: HijackThis and Spybot.

1. Download Spybot first, run it, let it scan your computer, then delete anything it finds.

2. Download HijackThis, click Scan, then click Save Log. Copy and paste the saved log to the message board and we can take a look. The links for these programs are below..........Jim

2) SpyBot

http://www.safer-networking.org/en/download/

Download.com

http://www.download.com/Spybot-Sear...tml?tag=lst-0-2

Latest Definitions File

http://www.spybotupdates.com/update...sd_includes.exe

3) HijackThis

http://www.spywareinfo.com/~merijn/downloads.html

Download.com

http://www.download.com/HijackThis/...tml?tag=lst-0-1

Earlg
12-08-2004, 09:25 AM
Can't delete toolbar, along with casino popups. Help...Earl

Logfile of HijackThis v1.97.7
Scan saved at 3:10:39 PM, on 12/07/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\hgivpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.30.35.20 MIDCAD.AAA-MIDATLANTIC.COM MIDCAD.AAA.COM MIDCAD
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA-MIDATLANTIC.COM MIDCPMS.AAA.COM MIDCPMS
O1 - Hosts: 143.61.84.1 ATS212
O1 - Hosts: 207.30.35.20 MIDCAD.AAA-MIDATLANTIC.COM
O1 - Hosts: 207.30.35.20 MIDCAD.AAA.COM
O1 - Hosts: 207.30.35.20 MIDCAD
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA-MIDATLANTIC.COM
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA.COM
O1 - Hosts: 207.30.35.21 MIDCPMS
O1 - Hosts: 143.61.84.1 ATS212
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ijipsfuba] C:\WINNT\system32\nkwmcuov.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [t73i3sU] dmr42u.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfbn32.exe
O4 - HKLM\..\RunServices: [Microsoft Config Loader] msconfig32.exe
O4 - HKCU\..\RunOnce: [gi832749232] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR36G4H.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR36ETH" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi1536852885] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR678BJ.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR675MP" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi2037691731] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR67DDS.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR67CBQ" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi424088996] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR68QN0.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR68OJ0" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/weblaunch/weblaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
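
An added triage example (editorial; not from this thread, from HijackThis, or from any poster): a Python script that parses lines in the format of the log above and applies the checks the helpers apply in this thread, namely R-entries pointing at searchmiracle.com and hosts-file entries sending IE's auto-search names to a remote IP, plus two generic review checks for autoruns started from Temp or with no path and for unknown Winsock LSP modules. The sample log is constructed, with a placeholder user folder and a benign intranet hosts line standing in for the real ones.

```python
"""Triage HijackThis-style log lines. Editorial example, not HijackThis code.

SAMPLE_LOG is constructed (placeholder user folder, benign intranet hosts line).
Rules: R-entries pointing at searchmiracle.com and hosts redirects of IE's
auto-search names (both flagged in the thread), plus generic review checks for
autoruns launched from Temp or with no path and for unknown Winsock LSP modules.
"""
import re
from collections import Counter

SEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
HIJACK_DOMAINS = {"searchmiracle.com"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")

SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searchmiracle.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 10.0.0.5 intranet.example.local
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [t73i3sU] dmr42u.exe
O4 - HKLM\..\RunServices: [Microsoft Config Loader] msconfig32.exe
O4 - HKCU\..\RunOnce: [gi832749232] "C:\DOCUME~1\OWNER~1\LOCALS~1\Temp\giR36G4H.exe" /resume:"C:\DOCUME~1\OWNER~1\LOCALS~1\Temp\1KR36ETH"
O4 - Global Startup: Digital Line Detect.lnk = ?
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
"""


def parse_hjt(text):
    """Return (section, body) pairs for lines like 'O4 - ...'; skip the rest."""
    matches = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m.group("sec"), m.group("body")) for m in matches if m]


def url_host(url):
    """Lower-cased host part of 'scheme://host/...', or '' if not a URL."""
    m = re.match(r"^[a-z]+://([^/:]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def triage(entries):
    """Return (severity, section, reason) findings in log order, dups last."""
    findings, hosts_seen, lsp_seen = [], Counter(), set()
    for sec, body in entries:
        if sec in ("R0", "R1") and "=" in body:
            host = url_host(body.split("=", 1)[1])
            if any(host == d or host.endswith("." + d) for d in HIJACK_DOMAINS):
                findings.append(("high", sec, f"IE setting points at {host}"))
        elif sec == "R3" and "missing" in body:
            findings.append(("medium", sec, "default URLSearchHook missing"))
        elif sec == "O1" and body.startswith("Hosts:"):
            parts = body.split()[1:]
            if len(parts) < 2:
                continue
            ip, names = parts[0], [n.lower() for n in parts[1:]]
            key = (ip, tuple(names))
            hosts_seen[key] += 1
            hit = SEARCH_HOSTS.intersection(names)
            # A search name mapped anywhere but loopback = browser search redirected
            if hit and ip not in LOOPBACK and hosts_seen[key] == 1:
                findings.append(("high", sec, f"{', '.join(sorted(hit))} redirected to {ip}"))
        elif sec == "O4":
            m = re.search(r"\] (.*)$", body)
            if not m:
                continue  # e.g. 'Global Startup: x.lnk = ?' has no [name] part
            cmd = m.group(1).strip()
            exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
            low = exe.lower()
            if "\\temp\\" in low or "temporary internet files" in low:
                findings.append(("high", sec, f"autorun from temp location: {exe}"))
            elif "\\" not in exe:
                # Bare names resolve via PATH; legit (mobsync.exe) and unknown
                # (dmr42u.exe) both look like this, so review rather than condemn.
                findings.append(("medium", sec, f"autorun with no path: {exe}"))
        elif sec == "O10" and "Unknown file in Winsock LSP" in body:
            dll = body.split(":", 1)[1].strip().lower()
            if dll not in lsp_seen:  # HijackThis lists one line per LSP layer
                lsp_seen.add(dll)
                findings.append(("high", sec, f"unknown Winsock LSP module: {dll}"))
    dups = sum(n - 1 for n in hosts_seen.values() if n > 1)
    if dups:
        findings.append(("low", "O1", f"{dups} duplicated hosts entries"))
    return findings


if __name__ == "__main__":
    for sev, sec, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{sev:6}] {sec:3} {reason}")
```

The output is a review list, not a verdict: a bare-filename autorun such as mobsync.exe is legitimate and is listed only so that it gets looked at.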

nightowl
12-08-2004, 09:36 AM
Download Spybot, run it, delete what it finds, then post a new log. Here are the links........Jim

2) SpyBot

http://www.safer-networking.org/en/download/

Download.com

http://www.download.com/Spybot-Sear...tml?tag=lst-0-2

ECA
12-08-2004, 11:34 AM
Go to IE, Options, DUMP all your TEMP pages and COOKIES.

GET, LOAD, UPDATE and run...
Spybot SD, Ad-Aware, SpywareBlaster...

ALSO..
Go to Add/Remove Programs, and kill ANY toolbars, internet-related TOYS, that YOU CAN'T prove are NOT the problem. And kill anything YOU DON'T know or can't find info on...

Then repost...plz.

Earlg
12-08-2004, 03:09 PM
Scan saved at 6:58:32 PM, on 12/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\hgivpy.exe
C:\WINNT\system32\rundll32.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.30.35.20 MIDCAD.AAA-MIDATLANTIC.COM MIDCAD.AAA.COM MIDCAD
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA-MIDATLANTIC.COM MIDCPMS.AAA.COM MIDCPMS
O1 - Hosts: 143.61.84.1 ATS212
O1 - Hosts: 207.30.35.20 MIDCAD.AAA-MIDATLANTIC.COM
O1 - Hosts: 207.30.35.20 MIDCAD.AAA.COM
O1 - Hosts: 207.30.35.20 MIDCAD
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA-MIDATLANTIC.COM
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA.COM
O1 - Hosts: 207.30.35.21 MIDCPMS
O1 - Hosts: 143.61.84.1 ATS212
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ijipsfuba] C:\WINNT\system32\nkwmcuov.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [t73i3sU] dmr42u.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfbn32.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunServices: [Microsoft Config Loader] msconfig32.exe
O4 - HKCU\..\RunOnce: [gi832749232] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR36G4H.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR36ETH" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi1536852885] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR678BJ.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR675MP" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi2037691731] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR67DDS.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR67CBQ" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi424088996] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR68QN0.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR68OJ0" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/weblaunch/weblaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_d
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_d

meerorbriar
12-08-2004, 05:48 PM
Help!! I seem to have been hit with this elite toolbar and searchmiracle; along with it came a file called bobby[1].exe. I've run Spybot Search & Destroy, Ad-Aware SE, and Norton AV, and they claim to delete everything but this bobby[1]. Then when I get on the net to research this, everything comes back; it doesn't seem to get any better. I have scanned this thread, added HijackThis and removed files that I could see in common with those removed by others. I have a problem: I am unable to put my computer into safe mode. I am not sure if I'm not pressing F8 at the right time, but I'm not seeing a safe mode option. I just want my normal home page and toolbar back. Can you help???

Thanks,
Meer

nightowl
12-08-2004, 06:39 PM
Download HijackThis, let it scan, save the log, and copy and paste it to the message board. Please start a new thread; it makes it easier for us to check. Thanks.........jim

3) HijackThis

http://www.spywareinfo.com/~merijn/downloads.html

Download.com

http://www.download.com/HijackThis/...tml?tag=lst-0-1

nightowl
12-08-2004, 07:22 PM
Place a check next to each of these and click Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R3 - Default URLSearchHook is missing
O1 - Hosts: 207.30.35.20 MIDCAD.AAA-MIDATLANTIC.COM MIDCAD.AAA.COM MIDCAD
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA-MIDATLANTIC.COM MIDCPMS.AAA.COM MIDCPMS
O1 - Hosts: 143.61.84.1 ATS212
O1 - Hosts: 207.30.35.20 MIDCAD.AAA-MIDATLANTIC.COM
O1 - Hosts: 207.30.35.20 MIDCAD.AAA.COM
O1 - Hosts: 207.30.35.20 MIDCAD
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA-MIDATLANTIC.COM
O1 - Hosts: 207.30.35.21 MIDCPMS.AAA.COM
O1 - Hosts: 207.30.35.21 MIDCPMS
O1 - Hosts: 143.61.84.1 ATS212
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [ijipsfuba] C:\WINNT\system32\nkwmcuov.exe
O4 - HKLM\..\Run: [CSV7P70] C:\Program Files\CSBB\CSV7P070.exe
O4 - HKLM\..\Run: [Rxagik] C:\WINNT\Meruoq.exe
O4 - HKLM\..\Run: [t73i3sU] dmr42u.exe
O4 - HKLM\..\Run: [BO1HelperStartUp] C:\PROGRA~1\BUTTER~1\BO1HEL~1.EXE /partner BO1
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfbn32.exe
O4 - HKCU\..\RunOnce: [gi832749232] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR36G4H.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR36ETH" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi1536852885] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR678BJ.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR675MP" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi2037691731] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR67DDS.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR67CBQ" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O4 - HKCU\..\RunOnce: [gi424088996] "C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\giR68QN0.exe" /resume:"C:\DOCUME~1\EILEEN~1.WIL\LOCALS~1\Temp\1KR68OJ0" /exename:"C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Local Settings\Temporary Internet Files\Content.IE5\ADFWXWVA\Gutterball-Setup[1].exe"
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguard.com/installation/Install.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do

Reboot and post a new log.
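
The fix list above is the kind of triage a helper does by eye: R1 entries pointing at searchmiracle.com, Hosts lines that send auto.search.msn.com and the other "autosearch" names to 69.20.16.183 (so every mistyped address lands on the hijacker's server), autoruns that are bare filenames or live under Temp, unknown Winsock LSPs, and the DNS SearchList. The script below is an added example, not part of this thread or of HijackThis, that applies those rules to log lines. The sample lines, the searchmiracle.com blocklist, the mobsync.exe allowlist and the temp-directory pattern are all constructed for illustration; the rules are heuristics, not a verdict.

```python
"""Triage HijackThis log lines for the search-hijack indicators seen in this thread.

Added example: the rules, sample lines and name lists below are constructed for
illustration and are not HijackThis's own logic.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hostnames IE/Netscape contact for address-bar "autosearch". A Hosts entry
# that maps them to anything but loopback diverts every mistyped URL.
AUTOSEARCH_HOSTS = {"auto.search.msn.com", "search.netscape.com", "ieautosearch"}
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}
# Hijacker search domain named in the thread (constructed blocklist).
BAD_SEARCH_DOMAINS = {"searchmiracle.com"}
# Legitimate bare-filename autoruns seen in the log (constructed allowlist).
KNOWN_BARE = {"mobsync.exe"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+)\s+(?P<names>.+)$")
RUN_RE = re.compile(
    r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _target_of(cmd: str) -> str:
    """Return the executable part of an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.find('"', 1)]
    return cmd.split(" ", 1)[0]


def triage_line(line: str) -> list[Finding]:
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()
    out: list[Finding] = []
    if sec in ("R0", "R1", "R3"):
        if any(d in low for d in BAD_SEARCH_DOMAINS):
            out.append(Finding(sec, "IE search/start page set to a known hijacker domain", line))
        elif "res://" in low and "toolbar.dll" in low:
            out.append(Finding(sec, "IE search UI served from a local toolbar DLL", line))
    elif sec == "O1":
        h = HOSTS_RE.match(body)
        if h and h.group("ip") not in LOOPBACK:
            names = set(h.group("names").lower().split())
            if names & AUTOSEARCH_HOSTS:
                out.append(Finding(sec, f"Hosts file sends browser autosearch to {h.group('ip')}", line))
    elif sec == "O4":
        r = RUN_RE.match(body)
        if r:
            target = _target_of(r.group("cmd"))
            if r.group("key") == "RunServices":
                # RunServices is honoured by Windows 9x/ME only; on NT-based
                # Windows an entry here is almost always planted by malware.
                out.append(Finding(sec, "RunServices autorun on an NT-based system", line))
            if "\\" not in target and target.lower() not in KNOWN_BARE:
                out.append(Finding(sec, "autorun target is a bare filename found via PATH search", line))
            elif re.search(r"\\temp\\|temporary internet files", target, re.I):
                out.append(Finding(sec, "autorun target lives in a temp or browser-cache directory", line))
    elif sec == "O10":
        # Deleting LSP registry entries by hand breaks the Winsock chain;
        # use an LSP repair tool rather than HijackThis's "fix checked".
        out.append(Finding(sec, "unknown Winsock LSP: repair the LSP chain, do not just delete", line))
    elif sec == "O17" and "searchlist" in low:
        out.append(Finding(sec, "DNS suffix SearchList: confirm it is not the expected corporate/ISP domain before removing", line))
    return out


def triage(log: str) -> list[Finding]:
    return [f for ln in log.splitlines() for f in triage_line(ln)]


# Constructed sample modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 207.30.35.20 MIDCAD.AAA.COM
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [t73i3sU] dmr42u.exe
O4 - HKLM\..\RunServices: [Microsoft Config Loader] msconfig32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\RunOnce: [gi1] "C:\DOCUME~1\USER~1\LOCALS~1\Temp\giR36G4H.exe" /resume:x
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Two of the rules deliberately stop short of saying "delete": O10 entries are part of the Winsock provider chain, and removing one without rewriting the chain leaves the machine unable to open sockets, and O17 SearchList is an ordinary DNS suffix list that a corporate VPN or domain join can set legitimately (the repeated phl_dom value is worth checking against the machine's own domain before treating it as hostile). The bare-filename rule is noisy by design, which is why a small allowlist is needed for legitimate system entries such as mobsync.exe.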

Earlg
12-09-2004, 03:33 PM
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_WatchDog.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CheckPoint\SecuRemote\bin\SR_Service.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe
C:\WINNT\system32\wabsoy.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\QuickTime\qttask.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Eileen Arzola.WILLOW-S2VCX35U\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINNT\about.htm
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\winnt\system32\kalvfbn32.exe
O4 - HKLM\..\RunServices: [Microsoft Config Loader] msconfig32.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\calsp.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - https://mysupport.nai.com/amiuptodate/bin/1,0,0,7/McUpdatePortal.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.3dgroove.com/download/GrooveAX.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {93CEA8A4-6059-4E0B-ADDD-73848153DD5E} (CWebLaunchCtl Object) - http://pilots.cf1live.com/esupport/static/weblaunch/weblaunch.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_do
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl_dom,phl