Problems started with ietlbass.dll, now worse, lost HJT & homepage
TroubledAZ
01-15-2005, 06:37 PM
I followed some other thread advice and think I've stopped the ietlbass problem by removing the RealAudio files as directed. However, I can't run HJT anymore. Once I start to run a scan, an MS message appears because a supposed "error is encountered", and then it sends an error report and shuts down the program. Also, my homepage has been hijacked and starts at "about:blank" all the time. Here's my log from yesterday (but since then I fixed the ietlbass problem). I'm totally lost and don't know what to do.
Logfile of HijackThis v1.99.0
Scan saved at 12:54:23 PM, on 1/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\appnv32.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\War3Unin.exe:novdt
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Documents and Settings\Kisha\Application Data\eetu.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\system32\??ool32.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Kisha\Desktop\MG\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CD33897-E2B5-A6C9-F9A7-17EFBE461AE2} - C:\WINDOWS\system32\msue.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [appnv32.exe] C:\WINDOWS\system32\appnv32.exe
O4 - HKLM\..\Run: [Windows SyncroAd] C:\Program Files\Windows SyncroAd\SyncroAd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [novdt] C:\WINDOWS\War3Unin.exe:novdt
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Kisha\Application Data\eetu.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Nllg] C:\WINDOWS\system32\??ool32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: RealAudio.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: SideFind - {10E42047-DEB9-4535-A118-B3F6EC39B807} - C:\Program Files\SideFind\sidefind.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ntlm.exe (file missing)
nightowl
01-15-2005, 06:45 PM
Start/All Programs/ Accessories/System Tools/System Restore.
Set it back a few days and see if you can open up HijackThis.
http://forums.designtechnica.com/showthread.php?t=5583
Download Spybot, AdAware (Links Above)
Delete what they find, remove cookies, Temporary Internet files, empty the Recycle Bin, then post a new log, thanks..........Jim
TroubledAZ
01-15-2005, 06:51 PM
I just found the designtechnica site yesterday and learned how to do this stuff. Just loaded HJT yesterday also, so this log is all I've got. I did one system restore today, using settings from 12/01/04.
Since I just added HJT yesterday, if I do a system restore from any farther back than yesterday, will it have anything to restore from?
Also, I've run Spybot S&D and AdAware and removed all the things that come up as well as cookies, temp internet files, recycle bin, etc.
nightowl
01-15-2005, 07:02 PM
Uninstall HijackThis and reinstall it, see if that works. I could check this log from yesterday but you need to be able to go back into HijackThis to delete this stuff. You may want to ask ECA about this problem too, he may have a few ideas.........Jim
REALLY want the best IDEA...
Are you under warranty??
Looking at the top section I can see NORTON and McAfee on the 1 machine, this isn't nice.
I also see A LOT more stuff, not related to NICE programs.
I can go thru this, but I'm going to have to be a bit MEAN..
1. MAKE a choice between NORTON and McAfee.. ONLY 1 plz.
2. Go to ADD/remove programs and kill anything you DON'T KNOW/DON'T WANT/AIN'T USED.
3. Dump all internet TOYS, weather bug, Yahoo games, MSN games, Wild Tangent, stock tickers, THEN go to IE OPTIONS and dump ALL cookies, and the temp internet files, and dump your TRASH can.
RESET.
Get, update and run...CURRENT versions...
Spybot,
ADAWARE,
Spywareblaster..
Kill everything they find...
Can you repost, NOW...
IF you can't, Spybot has a section under ADVANCED mode...TOOLS...VIEW report, select all of it, and POST it here.. AdAware has the same type of program..
ANOTHER option:
HITTING CTRL/ALT/DELETE
Bring up the TASK manager
TAB, processes..
You can KILL most anything..except important things such as windows. MOSTLY.
Slowly kill things that will let you. If you do something BAD, it will just reset the comp, and DON'T do that one.
Another option:
Try running in SAFE mode (tap F8 at startup)
See if you can run HJT from THERE...
Few things run in SAFE mode, this is BASIC MODE to run windows. NOTHING extra is run, if not needed (MOST TIMES).
If HJT doesn't run, it's either corrupted, virused, or use CTRL/ALT/DELETE as above, and SLOWLY remove background tasks..until it DOES run..
Since it's a DELL,
And if under warranty,
I would call and ASK about a FULL reset, FULL reload of windows..
nightowl
01-15-2005, 07:50 PM
C:\WINDOWS\system32\appnv32.exe
cannot find any info on this file
C:\WINDOWS\War3Unin.exe:novdt
Is this a game or something?
C:\PROGRA~1\Web Offer\wo.exe
C:\WINDOWS\system32\??ool32.exe
these 2 look bad
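The triage nightowl is doing by eye above (odd names in system32, a user-profile executable, a file name the tool can't even print) can be written down as a set of checks over the HijackThis log lines from the first post. The script below is an added example written for this page; it is not HijackThis or Spybot code and nobody in the thread posted it. The sample lines are a subset copied from the first log; the rules are the editor's own heuristics (res:// search pages, nameless BHOs, autostarts launched from a user profile, NTFS alternate data streams such as War3Unin.exe:novdt, ActiveX downloads with no class name, services whose file is missing), and a hit means "look at this entry", not "this is malware". The last function covers the Spybot entry later in the thread that reports size "-" and MD5 d41d8cd98f00b204e9800998ecf8427e for ??ool32.exe: that digest is the MD5 of zero bytes, so the scanner hashed nothing because it could not open the file. The "?" placeholders are characters it could not render, which is a likely reason it could not open the file under that name (an inference, not something the thread confirms).

```python
"""Triage checks over HijackThis-style log lines.

Added example for this page: not HijackThis or Spybot code, and not posted
by anyone in the thread.  The rules are the editor's own heuristics; a hit
means "look at this entry", not "this is malware".
"""
import hashlib
import re

# Constructed sample: a subset of the lines from the HijackThis log in the
# first post, copied as they appear there.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ypigl.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CD33897-E2B5-A6C9-F9A7-17EFBE461AE2} - C:\WINDOWS\system32\msue.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\RunOnce: [novdt] C:\WINDOWS\War3Unin.exe:novdt
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Kisha\Application Data\eetu.exe
O4 - HKCU\..\Run: [Nllg] C:\WINDOWS\system32\??ool32.exe
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-download.com/MediaTicketsInstaller.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ntlm.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")
# drive:\path:stream -- a second colon after the drive letter names an NTFS
# alternate data stream, which Explorer and ordinary file dialogs never show
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]+:[^\\\s:]+$")
PROFILE_RE = re.compile(r"\\Documents and Settings\\[^\\]+\\", re.IGNORECASE)
# an O16 line with a registered class name carries "(Some Class)" between
# the CLSID and the download URL
O16_NAMED_RE = re.compile(r"\}\s*\(.+\)\s*-")

EMPTY_MD5 = hashlib.md5(b"").hexdigest()  # digest of zero bytes


def triage_line(line):
    """Return the reasons one HijackThis line deserves a look ([] if none)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.groups()
    reasons = []
    if kind.startswith("R"):
        value = body.split(" = ", 1)[-1]
        if value.lower().startswith("res://"):
            reasons.append("search/start page is an HTML resource inside a local DLL (res://)")
    elif kind == "O2":
        if "(no name)" in body:
            reasons.append("BHO registered without a name")
    elif kind == "O4":
        target = body.split("] ", 1)[-1].strip()
        if ADS_RE.match(target):
            reasons.append("autostart target is an NTFS alternate data stream")
        if "?" in target:
            reasons.append("file name has characters the tool could not render")
        if PROFILE_RE.search(target):
            reasons.append("autostart executable lives inside a user profile")
    elif kind == "O16":
        if not O16_NAMED_RE.search(body):
            reasons.append("ActiveX download with no registered class name")
    elif kind == "O23":
        if body.rstrip().endswith("(file missing)"):
            reasons.append("service entry points at a file that is gone")
    return reasons


def triage_log(text):
    """Map every flagged line of a log to its reasons, in log order."""
    hits = {}
    for line in text.splitlines():
        reasons = triage_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits


def spybot_file_unreadable(size, md5_hex):
    """True when a Spybot startup entry shows no size and the MD5 of zero
    bytes, i.e. the scanner hashed nothing because it could not open the file."""
    return size.strip() == "-" and md5_hex.strip().lower() == EMPTY_MD5


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
    # the ??ool32.exe entry from the Spybot report in the thread
    print("unreadable:", spybot_file_unreadable("-", "d41d8cd98f00b204e9800998ecf8427e"))
```

Run against the full first log, the same rules also pick up the other res:// entries and the second res:// DLL (usrnk.dll) that shows up in the Spybot browser-pages report, which is the point of scripting it: the hijacker rewrites several keys at once, and the file names change between reboots, so matching on the mechanism (a local DLL serving sp.html) is more durable than matching on a name.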
TroubledAZ
01-15-2005, 09:21 PM
Still no luck, have done the following:
Removed unused/unknown programs in Add/Remove;
dumped & reloaded HJT - no go, iexpl still gets an error and stops it short;
updated & ran SpybotS&D, AdAware & Spywareblaster & killed everything they found;
tried killing of processes in Task mgr one by one, running HJT after each kill, no luck;
started in SafeMode and still couldn't run HJT.
SpywareGuard won't save my setting to enable download protection, so the "about:blank" page still keeps overriding my homepage reset. It alerts and requests an action every time I restart and access IE, even if I tell it to silently block.
I ran the scan in advanced SpybotS&D, here's the log from the scan. I apologize for its length but appreciate your help. I hope this will help somehow:
--- Search result list ---
--- Spybot - Search && Destroy version: 1.3 ---
2004-11-29 Includes\Cookies.sbi
2005-01-04 Includes\Dialer.sbi
2005-01-04 Includes\Hijackers.sbi
2004-12-29 Includes\Keyloggers.sbi
2004-05-11 Includes\LSP.sbi
2005-01-04 Includes\Malware.sbi
2004-11-29 Includes\Revision.sbi
2004-11-29 Includes\Security.sbi
2005-01-05 Includes\Spybots.sbi
2004-11-29 Includes\Tracks.uti
2005-01-04 Includes\Trojans.sbi
--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ .NETFramework / 1.0: Microsoft .NET Framework 1.0 Service Pack 3 (KB867461)
/ .NETFramework / 1.1: Microsoft .NET Framework 1.1 Service Pack 1 (KB867460)
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB890175
--- Startup entries list ---
Located: HK_LM:Run, AdaptecDirectCD
command: "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
file: C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
size: 684032
MD5: be3238a165afb321f1696cc1ff9ef271
Located: HK_LM:Run, Alogserv
command: C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
file: C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
size: 36881
MD5: 88c3af8ff871ef282c4035273b14a01f
Located: HK_LM:Run, BCMSMMSG
command: BCMSMMSG.exe
file: C:\WINDOWS\BCMSMMSG.exe
size: 122880
MD5: 2d99607f21ff368c0e335a2d91a052a1
Located: HK_LM:Run, DwlClient
command: C:\Program Files\Common Files\Dell\EUSW\Support.exe
file: C:\Program Files\Common Files\Dell\EUSW\Support.exe
size: 323584
MD5: 27b68f137ed4c85ff92db98231bf11ed
Located: HK_LM:Run, ISUSPM Startup
command: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
file: C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
size: 221184
MD5: b4b4eb2f8849e93fe5fece11e52c5930
Located: HK_LM:Run, ISUSScheduler
command: "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
file: C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
size: 81920
MD5: 7139a13dd292272e12ffaf2499ca7beb
Located: HK_LM:Run, iTunesHelper
command: C:\Program Files\iTunes\iTunesHelper.exe
file: C:\Program Files\iTunes\iTunesHelper.exe
size: 278528
MD5: 2fd3df1d0ddc018202abfc9be6e68923
Located: HK_LM:Run, LogitechVideoRepair
command: C:\Program Files\Logitech\Video\ISStart.exe
file: C:\Program Files\Logitech\Video\ISStart.exe
size: 188416
MD5: 3257a2a9e9943de93ee5438cb2e77359
Located: HK_LM:Run, LogitechVideoTray
command: C:\Program Files\Logitech\Video\LogiTray.exe
file: C:\Program Files\Logitech\Video\LogiTray.exe
size: 65536
MD5: 66fa2cc087dfa905c22a7f83ff59c7dc
Located: HK_LM:Run, McAfee Guardian
command: "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
file: C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
size: 142336
MD5: 9d9be7fb4848d8e8e8428602ae078c90
Located: HK_LM:Run, mfcov.exe
command: C:\WINDOWS\mfcov.exe
file: C:\WINDOWS\mfcov.exe
size: 30390
MD5: 977b78b9ffeb99a56f13d6c527156e17
Located: HK_LM:Run, Microsoft Works Update Detection
command: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
file: C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
size: 28672
MD5: ec0f1ec573a0346f89b8e87e04e9d32a
Located: HK_LM:Run, mmtask
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
size: 53248
MD5: ef94c44103ab1bd4400f26c12ee443de
Located: HK_LM:Run, MMTray
command: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
file: C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
size: 143360
MD5: 688b8208969898cc2b03e043c3ce3fe6
Located: HK_LM:Run, NvCplDaemon
command: RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
file: C:\WINDOWS\system32\RUNDLL32.EXE
size: 33280
MD5: da285490bbd8a1d0ce6623577d5ba1ff
Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 77824
MD5: 5d22b4258489575412f6d18affc847a2
Located: HK_LM:Run, STOPzilla
command: "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
Located: HK_LM:Run, vptray
command: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
file: C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
size: 90112
MD5: 4b954730657f43b88a308c41fe570331
Located: HK_LM:Run, Windows SyncroAd
command: C:\Program Files\Windows SyncroAd\SyncroAd.exe
Located: HK_LM:Run, WinTools
command: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
file: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
size: 509952
MD5: 333cf23d62b8b9e7f3829559d5e42451
Located: HK_LM:RunOnce, WinTools
command: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe /boot
file: C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
size: 509952
MD5: 333cf23d62b8b9e7f3829559d5e42451
Located: HK_CU:Run, Aida
command: C:\Documents and Settings\Kisha\Application Data\eetu.exe
file: C:\Documents and Settings\Kisha\Application Data\eetu.exe
size: 79872
MD5: fac968174211e11ab534d2333b517e01
Located: HK_CU:Run, LDM
command: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
file: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
size: 16384
MD5: 32f2fec86fd01e8f12590b79d751edee
Located: HK_CU:Run, McAfee.InstantUpdate.Monitor
command: "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
file: C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
size: 102468
MD5: 655a50f26f18b7639b1271db7f90598e
Located: HK_CU:Run, MoneyAgent
command: "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
file: C:\Program Files\Microsoft Money\System\mnyexpr.exe
size: 200767
MD5: 215a4befffbe15bc2c1c50a841a89e99
Located: HK_CU:Run, MsnMsgr
command: "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
file: C:\Program Files\MSN Messenger\MsnMsgr.Exe
size: 4882432
MD5: f914c780dc4a3eb6eec812f0dddc0e3a
Located: HK_CU:Run, Nllg
command: C:\WINDOWS\system32\??ool32.exe
file: C:\WINDOWS\system32\??ool32.exe
size: -
MD5: d41d8cd98f00b204e9800998ecf8427e
Located: Startup (common), Logitech Desktop Messenger.lnk
command: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
file: C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
size: 169472
MD5: 91291ca1490f952d977618544d540b87
Located: Startup (common), Microsoft Office.lnk
command: C:\Program Files\Microsoft Office\Office10\OSA.EXE
file: C:\Program Files\Microsoft Office\Office10\OSA.EXE
size: 83360
MD5: 5bc65464354a9fd3beaa28e18839734a
Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87
--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
BHO name:
CLSID name: AcroIEHlprObj Class
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx, AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 5/14/2003 10:47:54 PM
Date (last access): 1/15/2005 10:14:30 PM
Date (last write): 5/14/2003 10:47:54 PM
Filesize: 50376
Attributes: archive
MD5: 0C0E1B2BCAED8DF401BE94D538BCB412
CRC32: 1D771322
Version: 0.6.0.0
{4A2B057E-4574-D2B6-630E-124B4D6CDF8E} ()
BHO name:
CLSID name:
Path: C:\WINDOWS\
Long name: crss32.dll
Short name:
Date (created): 12/11/2004 8:34:20 PM
Date (last access): 1/15/2005 10:08:42 PM
Date (last write): 12/11/2004 8:34:20 PM
Filesize: 95967
Attributes: hidden sysfile archive
MD5: 916DEF9913CCD481A35BB5022855F50C
CRC32: 41468903
Version: 255.255.255.255
--- ActiveX list ---
DirectAnimation Java Classes (DirectAnimation Java Classes)
DPF name: DirectAnimation Java Classes
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\dajava.cab
info link:
info source: Patrick M. Kolla
Microsoft XML Parser for Java (Microsoft XML Parser for Java)
DPF name: Microsoft XML Parser for Java
CLSID name:
description:
classification: Legitimate
known filename: %WINDIR%\Java\classes\xmldso.cab
info link:
info source: Patrick M. Kolla
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object)
DPF name:
CLSID name: QuickTime Object
description: Apple Quicktime
classification: Legitimate
known filename: QTPLUGIN.OCX
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\QuickTime\
Long name: QTPlugin.ocx
Short name:
Date (created): 12/18/2004 1:29:56 PM
Date (last access): 1/15/2005 10:19:42 PM
Date (last write): 12/18/2004 1:29:56 PM
Filesize: 327736
Attributes: archive
MD5: CE3D865CCF4267C85934D9B7CA8521F2
CRC32: F9306ACA
Version: 0.6.0.4
{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
{33564D57-9980-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
description: Microsoft WMV Video Codec
classification: Legitimate
known filename: WMV9DMO.CAB
info link:
info source: Patrick M. Kolla
{3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class)
DPF name:
CLSID name: WebGameLoader Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ReflexiveWebGameLoader.dll
Short name: REFLEX~1.DLL
Date (created): 7/29/2004 6:20:38 PM
Date (last access): 1/15/2005 10:05:54 PM
Date (last write): 7/29/2004 6:20:38 PM
Filesize: 131072
Attributes: archive
MD5: 959F8F764895BF05BD702E57EF8BA637
CRC32: 1267B9AB
Version: 0.1.0.0
{B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class)
DPF name:
CLSID name: ZoneIntro Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ZIntro.ocx
Short name:
Date (created): 4/6/2004 5:03:12 PM
Date (last access): 1/15/2005 10:01:26 PM
Date (last write): 11/17/2004 10:44:52 PM
Filesize: 114728
Attributes: archive
MD5: F94C4867418A1CA860D784CCD807740B
CRC32: 5DCE6500
Version: 0.9.0.3
{CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class)
DPF name:
CLSID name: Downloader Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: dwnldr.dll
Short name:
Date (created): 5/24/2004 9:54:24 AM
Date (last access): 1/15/2005 10:05:54 PM
Date (last write): 5/24/2004 9:54:24 AM
Filesize: 106496
Attributes: archive
MD5: 9B89BD9A9974727C4430E8F7B99EA762
CRC32: C1371510
Version: 0.2.0.0
{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\System32\macromed\flash\
Long name: Flash.ocx
Short name:
Date (created): 6/9/2004 1:59:26 PM
Date (last access): 1/15/2005 10:01:26 PM
Date (last write): 6/9/2004 1:59:26 PM
Filesize: 939224
Attributes: archive
MD5: FC3E17E12C2E31FAC34B416B3DAB829F
CRC32: D1CF3A57
Version: 0.7.0.0
{DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object)
DPF name:
CLSID name: PopCapLoader Object
Path: C:\WINDOWS\Downloaded Program Files\
Long name: popcaploader.dll
Short name: POPCAP~1.DLL
Date (created): 8/26/2004 10:12:00 AM
Date (last access): 1/15/2005 10:05:50 PM
Date (last write): 8/26/2004 10:12:00 AM
Filesize: 126976
Attributes: archive
MD5: 57F868A52B9D4153658DC0DB5062E536
CRC32: 35357599
Version: 0.1.0.0
{E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class)
DPF name:
CLSID name: HeartbeatCtl Class
Path: C:\WINDOWS\DOWNLO~1\
Long name: hrtbeat.ocx
Short name:
Date (created): 7/26/2004 6:36:00 PM
Date (last access): 1/15/2005 10:01:26 PM
Date (last write): 7/26/2004 6:36:00 PM
Filesize: 101464
Attributes: archive
MD5: 4BB1D03DFDFBBC51A7EC5D65D269EF42
CRC32: 5A8F1091
Version: 0.9.0.2
--- Process list ---
Spybot - Search && Destroy process list report, 1/15/2005 11:06:34 PM
PID: 0 ( 0) [System]
PID: 4 ( 0) System
PID: 188 (1376) C:\WINDOWS\system32\wscntfy.exe
PID: 200 ( 988) alg.exe
PID: 280 ( 988) C:\WINDOWS\system32\cisvc.exe
PID: 296 ( 988) C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
PID: 340 ( 988) C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
PID: 376 ( 988) C:\WINDOWS\System32\nvsvc32.exe
PID: 452 ( 988) C:\WINDOWS\System32\svchost.exe
PID: 584 ( 988) wdfmgr.exe
PID: 672 ( 988) C:\Program Files\Common Files\WinTools\WToolsS.exe
PID: 872 ( 4) \SystemRoot\System32\smss.exe
PID: 920 ( 872) csrss.exe
PID: 944 ( 872) \??\C:\WINDOWS\system32\winlogon.exe
PID: 988 ( 944) C:\WINDOWS\system32\services.exe
PID: 1000 ( 944) C:\WINDOWS\system32\lsass.exe
PID: 1156 ( 988) C:\WINDOWS\system32\svchost.exe
PID: 1252 ( 988) svchost.exe
PID: 1376 ( 988) C:\WINDOWS\System32\svchost.exe
PID: 1420 ( 988) svchost.exe
PID: 1472 ( 988) svchost.exe
PID: 1584 (2008) C:\Program Files\Common Files\WinTools\WToolsA.exe
PID: 1644 (1960) C:\WINDOWS\BCMSMMSG.exe
PID: 1680 (1960) C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
PID: 1720 (1960) C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
PID: 1788 (1584) C:\Program Files\Common Files\WinTools\WSup.exe
PID: 1928 ( 988) C:\WINDOWS\system32\spoolsv.exe
PID: 1960 (1888) C:\WINDOWS\Explorer.EXE
PID: 2064 (1960) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
PID: 2116 (1960) C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
PID: 2152 (1960) C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
PID: 2184 (1960) C:\Program Files\Common Files\Dell\EUSW\Support.exe
PID: 2196 (1960) C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
PID: 2204 (1960) C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
PID: 2236 (1960) C:\Program Files\Logitech\Video\LogiTray.exe
PID: 2240 (2184) C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
PID: 2280 (1960) C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PID: 2304 (1960) C:\Program Files\QuickTime\qttask.exe
PID: 2332 (1960) C:\Program Files\iTunes\iTunesHelper.exe
PID: 2612 ( 988) C:\Program Files\iPod\bin\iPodService.exe
PID: 2652 (1960) C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
PID: 2668 (1960) C:\Program Files\MSN Messenger\MsnMsgr.Exe
PID: 2696 (1960) C:\Documents and Settings\Kisha\Application Data\eetu.exe
PID: 2748 (1960) C:\WINDOWS\system32\??ool32.exe
PID: 2960 (1960) C:\Program Files\SpywareGuard\sgmain.exe
PID: 3084 (2960) C:\Program Files\SpywareGuard\sgbhp.exe
PID: 3292 (1156) C:\WINDOWS\System32\LVComS.exe
PID: 3316 (2236) C:\Program Files\Logitech\Video\LowLight.exe
PID: 3480 (1960) C:\Program Files\Internet Explorer\iexplore.exe
PID: 3844 ( 280) C:\WINDOWS\system32\cidaemon.exe
PID: 3868 ( 280) C:\WINDOWS\system32\cidaemon.exe
PID: 3928 (1960) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
--- Browser start & search pages list ---
Spybot - Search && Destroy browser pages report, 1/15/2005 11:06:34 PM
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page_bak
about:blank
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://smbusiness.dellnet.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Search\SearchAssistant
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Bar
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
about:blank
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\SearchAssistant
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
--- Winsock Layered Service Provider list ---
Protocol 0: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 1: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 2: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip
Protocol 3: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 4: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider
Protocol 5: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9700DE80-8817-4E40-B4A3-076BE8DFB2A6}] SEQPACKET 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 6: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9700DE80-8817-4E40-B4A3-076BE8DFB2A6}] DATAGRAM 4
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 7: MSAFD NetBIOS [\Device\NetBT_Tcpip_{39795819-E2C4-422E-A039-958151C45EEA}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 8: MSAFD NetBIOS [\Device\NetBT_Tcpip_{39795819-E2C4-422E-A039-958151C45EEA}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 9: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C403D2DA-6423-4113-BE6E-F84B427BE338}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 10: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C403D2DA-6423-4113-BE6E-F84B427BE338}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{61820C7F-1F2D-4EC6-AC52-4AA4C5CE956B}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E5EC0A67-7EEA-48D6-BF30-90F5C13ABCA3}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{E5EC0A67-7EEA-48D6-BF30-90F5C13ABCA3}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *
Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP
Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS
Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace
nightowl
01-15-2005, 09:40 PM
You may want to run the new Spyware Program by Microsoft. Some people have had some luck with it. Here is the Link. It's worth a try.........Jim
7) Microsoft Antispyware
http://www.microsoft.com/athome/sec...re/default.mspx
nightowl
01-15-2005, 09:44 PM
Go to safe mode (F8 on startup) and delete this file
C:\WINDOWS\system32\??ool32.exe
It looks bad to me, may be part of the problem.
Turn off, or KILL, wintools..
Is InstallShield doing you ANY good?
{3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class)
DPF name:
CLSID name: WebGameLoader Class
Path: C:\WINDOWS\Downloaded Program Files\
Long name: ReflexiveWebGameLoader.dll
Short name: REFLEX~1.DLL
Date (created): 7/29/2004 6:20:38 PM
Date (last access): 1/15/2005 10:05:54 PM
Date (last write): 7/29/2004 6:20:38 PM
Filesize: 131072
Attributes: archive
MD5: 959F8F764895BF05BD702E57EF8BA637
CRC32: 1267B9AB
Version: 0.1.0.0
Seems to be ELITE toolbar..
{33564D57-0000-0010-8000-00AA00389B71} ()
DPF name:
CLSID name:
Last 2 are ActiveX, and can be removed... TRY SpywareBlaster...
Located: HK_CU:Run, Aida
command: C:\Documents and Settings\Kisha\Application Data\eetu.exe
file: C:\Documents and Settings\Kisha\Application Data\eetu.exe
size: 79872
MD5: fac968174211e11ab534d2333b517e01
This last one, I don't know...
I would go to SAFE mode, and erase the WHOLE thing...
Search for these files
slserv.exe
bcmwltry.exe
salm.exe
eetu.exe
and delete them if you find them
Good luck..
TroubledAZ
01-16-2005, 07:04 PM
Running the MS spyware program now. Can't locate that file with "??ool32.exe" in order to remove it. Still no luck trying to run HJT. Will keep trying...
nightowl
01-16-2005, 07:50 PM
C:\WINDOWS\system32\??ool32.exe
It should be in the System32 folder. If you find it, delete it in Safe Mode (tap F8 on startup).........Jim
Also see if you can get HijackThis to work in Safe Mode.
Make sure that when you SEARCH, you select ALL hidden and system files..
Otherwise Windows WON'T even look in the WINDOWS directory..
TroubledAZ
01-16-2005, 09:16 PM
OK, ran the new MS spyware program and it worked out a few kinks. Have been able to run HJT in safe mode and it created the following log. Meantime, I'll address the issues you guys posted an hour or two ago.
Logfile of HijackThis v1.99.0
Scan saved at 10:51:48 PM, on 1/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\DOCUME~1\Kisha\LOCALS~1\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\usrnk.dll/sp.html#29126
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A2B057E-4574-D2B6-630E-124B4D6CDF8E} - C:\WINDOWS\crss32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [appwc32.exe] C:\WINDOWS\system32\appwc32.exe
O4 - HKLM\..\RunOnce: [gbigr] C:\WINDOWS\crbd32.dll:gbigr
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /startmonitor
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Kisha\Application Data\eetu.exe
O4 - HKCU\..\Run: [Nllg] C:\WINDOWS\system32\??ool32.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O23 - Service: AVSync Manager - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McShield - Unknown - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: Intel NCS NetService - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Network Security Service (NSS) - Unknown - C:\WINDOWS\ntlm.exe (file missing)
WOULD also suggest not wandering the net until we kill some of this..
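As an added example (not from this thread and not part of HijackThis), here is a small Python triage that parses O2/O4 lines in the log format above and flags the patterns the replies turn on: an autorun target whose name HijackThis printed with "?" (which is why a search typed from the log cannot find it), an HKLM RunOnce entry that launches an NTFS alternate data stream (crbd32.dll:gbigr), an executable run from a user's Application Data folder, and a BHO with no name. The sample lines are constructed from the log above; the flag names and the heuristics are my own.

```python
import re
from typing import Dict, List

# Constructed sample in HijackThis log format; entries mirror the log above.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {4A2B057E-4574-D2B6-630E-124B4D6CDF8E} - C:\\WINDOWS\\crss32.dll
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\RunOnce: [gbigr] C:\\WINDOWS\\crbd32.dll:gbigr
O4 - HKCU\\..\\Run: [Aida] C:\\Documents and Settings\\Kisha\\Application Data\\eetu.exe
O4 - HKCU\\..\\Run: [Nllg] C:\\WINDOWS\\system32\\??ool32.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# "file.ext:stream" at the end of a command: an NTFS alternate data stream.
ADS_RE = re.compile(r"\\[^\\:]+:[A-Za-z0-9_]+$")

def flag_o4(cmd: str) -> List[str]:
    """Heuristic flags for one O4 (autorun) command line."""
    flags = []
    if "?" in cmd:
        # HijackThis prints '?' for characters it cannot display, so the
        # real file name differs from what the log shows.
        flags.append("unrenderable-chars")
    if ADS_RE.search(cmd):
        flags.append("alternate-data-stream")
    low = cmd.lower()
    if "\\documents and settings\\" in low and "\\application data\\" in low:
        flags.append("user-profile-exe")
    return flags

def triage(log: str) -> Dict[str, List[str]]:
    """Map each suspicious entry (O4 name or O2 CLSID) to its flags."""
    findings: Dict[str, List[str]] = {}
    for line in log.splitlines():
        m = O4_RE.match(line)
        if m:
            flags = flag_o4(m.group("cmd"))
            if flags:
                findings[m.group("name")] = flags
            continue
        m = O2_RE.match(line)
        if m and m.group("name") == "(no name)":
            findings[m.group("clsid")] = ["unnamed-bho"]
    return findings

if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_LOG).items():
        print(f"{entry}: {', '.join(flags)}")
```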
vBulletin® v3.7.0, Copyright ©2000-2008, Jelsoft Enterprises Ltd.