View Full Version : for the love of all that is holy, please help...
waynechinsang
01-25-2005, 10:11 AM
here is the short of it.
i'm a magazine publisher, and i have to go to print VERY VERY soon. of course, just as things are getting close to deadline, my computer picks up some spyware. it started off with annoying popups and resetting my homepage, but now my computer is more crudded up than a woman of the night.
i've done everything i know how, but i'm not a computer whiz. however, i'm not a computer moron, either, and i'm just at my wit's end.
yes, it's that here4search garbage. i've downloaded hijack this, and will post my log below. i've also run every spyware known to man, but to no avail.
please help. i'm ready to put my boot through my monitor.
thanks in advance,
wayne chinsang, "tastes like chicken"
Logfile of HijackThis v1.99.0
Scan saved at 11:51:47 AM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Outlook Express\MSIMN.EXE
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe
C:\Program Files\AIM95\aim.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O3 - Toolbar: (no name) - {f74f0f60-a4d3-4677-9201-e66b4da1ccaa} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\PrinTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ePfxgI6Q] C:\WINDOWS\myysrlu.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.greg-search.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/261b47c20aea25902f04/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Winkaak - Unknown - C:\WINDOWS\System32\Winkaak.exe (file missing)
O23 - Service: Winkxdk - Unknown - C:\WINDOWS\System32\Winkxdk.exe (file missing)
waynechinsang
01-25-2005, 10:16 AM
forgot one thing:
it's affected my entire windows system, in that it no longer only freaks out when i'm in internet explorer. if i click on My Computer it takes forever to find it.
Also, I get an error window that pops up that says:
"Windows detected spy software "scpStelth.cih" ver. 2.018. Somebody is trying to access you through port 443. Your private information is in danger."
It then asks for me to click on a box to learn how I can remove it.
I'm sure this is probably the company essentially advertising their wares and how they can "fix it", but if not, please let me know, because I've avoided clicking "OK" thus far.
Ioman
01-25-2005, 10:41 AM
I am not the person that usually helps others in these forums, so I would wait for ECA or NightOwl. But these probably need to be deleted:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
What magazine do you publish?
waynechinsang
01-25-2005, 11:05 AM
it's called "tastes like chicken". any of the threads that have http://www.tlchicken.com in them are probably correct, because that is my mag's homepage.
you can check it out there if you're interested. and thanks for writing back. i appreciate any and ALL help.
wayne
Easier to erase HERE, and fix later, with IE..
OK, you need some programs FIRST..
http://forums.designtechnica.com/showthread.php?t=5583
Spybot SD, Turn everything on.
Adaware
Spywareblaster
LOAD these, update them, RUN them, KILL everything.
Dump your trash can, go to IE, options, and kill ALL cookies and temp internet files.
then repost..
waynechinsang
01-25-2005, 01:55 PM
ran spybot sd, adaware, and spywareblaster, dumped my ie cookies and temp files and trash can.
here is the new log file:
Logfile of HijackThis v1.99.0
Scan saved at 3:43:53 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe
C:\Program Files\Adobe\Photoshop 6.0\Photoshp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Quark\QuarkXPress\QuarkXPress.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SpywareBlaster\spywareblaster.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O3 - Toolbar: (no name) - {f74f0f60-a4d3-4677-9201-e66b4da1ccaa} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\PrinTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ePfxgI6Q] C:\WINDOWS\myysrlu.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/261b47c20aea25902f04/netzip/RdxIE2.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Winkaak - Unknown - C:\WINDOWS\System32\Winkaak.exe (file missing)
O23 - Service: Winkxdk - Unknown - C:\WINDOWS\System32\Winkxdk.exe (file missing)
was that all right?
nightowl
01-25-2005, 02:13 PM
Reboot To Safe Mode (tap F8 on Startup)
Place a check next to each of these and click Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.tlchicken.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.tlchicken.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.tlchicken.com
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O3 - Toolbar: (no name) - {f74f0f60-a4d3-4677-9201-e66b4da1ccaa} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [ePfxgI6Q] C:\WINDOWS\myysrlu.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/261b47c20aea25...tzip/RdxIE2.cab
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Winkaak - Unknown - C:\WINDOWS\System32\Winkaak.exe (file missing)
O23 - Service: Winkxdk - Unknown - C:\WINDOWS\System32\Winkxdk.exe (file missing)
Still In Safe Mode Delete all Temporary Internet Files, Cookies, Do a Defrag on your C Drive, Empty recycle bin.
Start/All Programs/Accessories/System Tools/Disc Defragment
Then Reboot and post a new log..........Jim
Go to SAFE MODE..
tap f8 when the comp is starting..
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Winkaak - Unknown - C:\WINDOWS\System32\Winkaak.exe (file missing)
O23 - Service: Winkxdk - Unknown - C:\WINDOWS\System32\Winkxdk.exe (file missing)
these are the MAIN problems..
This is fun,
OK,
Bring up search window..
at the top..
tools
folder options
VIEW
CLICK...SHOW hidden files and folders.
UNCLICK Hide extensions known..
UNCLICK HIDE protected op sys files
FIND...
W8C6S4~1.DLL... Look for W8c*.*, KILL them ALL. There is NO such file..
ec4m*.* KILL them all... This may not work on this one..its a REAL pain..
Winkaak.exe ..........If found, Kill it...Looks as if its not there...
Then TALK to me, and repost..
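A triage script that applies the same reading of the log that nightowl's and ECA's replies do, as an added example; it is not code from the thread, from HijackThis, or from any tool named here. It parses HijackThis lines, flags the classes the replies single out (IE settings pointing at a host the owner does not control, the unnamed BHO under an 8.3 short name, a Run entry whose exe sits directly in C:\WINDOWS, the Trusted Zone entry, any non-empty AppInit_DLLs value, and services with an unknown vendor or a missing binary), and turns the 8.3 short name into the wildcard ECA says to search for. The sample lines are a subset of the first posted log with the forum's line-wrap spaces removed; the owner-host allowlist, the "Unknown" vendor literal, and the %WINDIR% rule are the editor's assumptions.

```python
"""Triage a HijackThis log for the hijack indicators discussed in this thread.

Added example; not code from the thread, HijackThis, or any tool named above.
The heuristics are the editor's reading of what the replies flag.  SAMPLE_LINES
is a subset of the first log posted in the thread (forum wrap spaces removed).
"""
import ntpath
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: hosts the owner says are legitimately his (the magazine's site).
OWNER_HOSTS = {"tlchicken.com", "www.tlchicken.com"}
# Assumption: the literal HijackThis prints when it cannot attribute a service.
UNKNOWN_VENDOR = "Unknown"

# 8.3 short name as the last path component, e.g. ...\W8C6S4~1.DLL
SHORT_NAME_RE = re.compile(r"~\d+\.[^\\.]{1,3}$", re.I)
# First Windows path ending in .exe/.dll, quoted or not, arguments may follow.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.*?\.(?:exe|dll))"?', re.I)

SAMPLE_LINES = [
    r"R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tlchicken.com",
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx",
    r"O4 - HKLM\..\Run: [ePfxgI6Q] C:\WINDOWS\myysrlu.exe",
    r"O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe",
    r"O15 - Trusted Zone: *.greg-search.com",
    "O20 - AppInit_DLLs: ec4mse2cxjkpv1u" + ".dll" * 56,   # padded value as posted
    r"O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
    r"O23 - Service: Winkaak - Unknown - C:\WINDOWS\System32\Winkaak.exe (file missing)",
]


@dataclass
class Finding:
    section: str   # HijackThis section tag: R0, R1, O2, O4, ...
    reason: str
    line: str


def short_name_search_glob(path: str) -> str:
    """W8C6S4~1.DLL -> W8C6S4*.*: the ~N part is generated from the long
    name's first characters, so the stem is what to type into Windows Search."""
    stem = ntpath.basename(path).split("~", 1)[0]
    return f"{stem}*.*"


def triage_line(line: str) -> list[Finding]:
    line = line.strip()
    m = re.match(r"^(R[01]|O\d+) - (.*)$", line)
    if not m:
        return []
    section, body = m.groups()
    found: list[Finding] = []

    if section in ("R0", "R1") and " = " in body:
        # "HKCU\...\Main,Start Page = http://host/..." -> flag non-owner hosts
        host = urlparse(body.split(" = ", 1)[1].strip()).hostname
        if host and host.lower() not in OWNER_HOSTS:
            found.append(Finding(section, f"IE setting redirected to {host}", line))

    elif section == "O2":
        path = body.rsplit(" - ", 1)[-1]
        if "(no name)" in body and SHORT_NAME_RE.search(path):
            found.append(Finding(section, "unnamed BHO under 8.3 name; search for "
                                 + short_name_search_glob(path), line))

    elif section == "O4":
        pm = PATH_RE.search(body)
        if pm and ntpath.dirname(pm.group(1)).lower() == r"c:\windows":
            found.append(Finding(section, "Run entry launches an exe directly in %WINDIR%; verify vendor", line))

    elif section == "O15":
        found.append(Finding(section, "IE Trusted Zone lowers security for " + body.partition(": ")[2], line))

    elif section == "O20":
        value = body.partition(": ")[2].strip()
        if value:
            n = value.lower().count(".dll")
            reason = "AppInit_DLLs set: DLL is loaded into every process that links user32.dll"
            if n > 1:
                reason += f" (name padded with {n} '.dll' suffixes)"
            found.append(Finding(section, reason, line))

    elif section == "O23":
        # "Service: Name - Vendor - Path [(file missing)]"
        parts = body.removeprefix("Service: ").split(" - ")
        vendor = parts[1].strip() if len(parts) >= 3 else ""
        missing = body.endswith("(file missing)")
        if vendor == UNKNOWN_VENDOR or missing:
            found.append(Finding(section, f"service vendor '{vendor}'"
                                 + (", binary missing" if missing else ""), line))
    return found


def triage(lines) -> list[Finding]:
    return [f for line in lines for f in triage_line(line)]


def summarize(lines) -> dict[str, int]:
    """Findings per section; rerun on the next posted log to see what survived a cleanup pass."""
    counts: dict[str, int] = {}
    for f in triage(lines):
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.section}] {f.reason}\n    {f.line[:100]}")
```

Running it against the lines above prints seven findings and nothing for the tlchicken.com entries, the &Radio toolbar, iTunesHelper or the iPod service; rerunning `summarize()` on each later log in the thread is a quick way to see that the O2 and O20 entries survive each round.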
waynechinsang
01-25-2005, 05:23 PM
okay, this is in reference to nightowl. i haven't done what eca suggested yet, as the defrag took me forever. but here is my log, and let me know if i still need to do what eca suggested and i'll do it.
thanks again, guys. if you're interested, i'll send free mags and swag your way for being so kind. just tell me where to send 'em.
best,
wayne
Logfile of HijackThis v1.99.0
Scan saved at 7:10:38 PM, on 1/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Justin\Desktop\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\PrinTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
waynechinsang
01-25-2005, 06:36 PM
and yes, it still seems to be doing it, and after looking at the log it seems that at least the:
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
and
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
are still there.
also, this:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
is the stupid site that keeps coming up when i go anywhere. i'm sure you guys know this already, but just figured i'd point it out just in case.
NOW,
GO BACK and do what I SUGGESTED...
I posted it because YOU CAN'T erase it that way..
nightowl
01-25-2005, 08:49 PM
:eww Isnt Spyware fun!
Don't mind puzzles,
Don't mind a challenge,
But at least when those are DONE,
they DONT come back.
the solution works EVERYtime.
waynechinsang
01-25-2005, 11:02 PM
okay, so i went and did what eca suggested.
it wouldn't let me delete:
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\W8C6S4~1.DLL
or
O20 - AppInit_DLLs: ec4mse2cxjkpv1u.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
and it didn't find any results for the other search.
weird thing, though, is that it would let me modify the names of the files. i took the .dll extensions off of them to test them, but changed them back once i realized i could do it because i don't want to screw anything up worse than it already is.
so, yeah, windows is running extremely slow, and IE may as well not be on my computer at all, because it craps out as soon as i launch a browser window.
If you can go to safe mode and CHANGE the names... ADD
OLD to the FRONT of the file name..
If it works...They should go away...
Also While in SAFE mode, Use hijack to kill the Listings.
then reset...
check hijack, to see if they FINALLy went..
waynechinsang
01-26-2005, 09:09 AM
alright, i went and added OLD to the front of the two files, but it still wouldn't let me delete them. ran hijackthis in safe mode, and killed the processes (or at least it said it did.)
then i restarted and ran hijack this again, and ran a log. thing is, the 02 and 20 lines are still there, but now the .dlls are named something else. looks like they're renaming files.
windows is still slow, IE is useless, and my homepage still gets hijacked. here's the log:
Logfile of HijackThis v1.99.0
Scan saved at 10:57:05 AM, on 1/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\Nhksrv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Justin\Desktop\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\7GT6DN~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM32\msdxm.ocx
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\PrinTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microtek Scanner Finder.lnk = C:\Program Files\Microtek\ScanWizard 5\ScannerFinder.exe
O4 - Global Startup: Norton System Doctor.lnk = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1_01) -
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O20 - AppInit_DLLs: 5626k1uujx5i7.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server - Unknown - C:\WINDOWS\Nhksrv.exe
O23 - Service: Norton Unerase Protection - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
waynechinsang
01-26-2005, 09:11 AM
Actually, I forgot one thing: it WOULD let me delete the EC4M file, but not the W8C6 file.
nightowl
01-26-2005, 10:00 AM
dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Looks like this crap is gone, only one now.
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\7GT6DN~1.DLL
O20 - AppInit_DLLs: 5626k1uujx5i7.dll
STILL there...
It adds a ".dll" each time it loads. When it gets too long it will screw Windows.
Only got 2 options:
1. Let Norton Utilities try to fix it, which is dangerous. It has a utility that will search the system for funny things in the registry and try to fix them with YOUR help.
2. Have you send your HijackThis log to Spybot.
waynechinsang
01-26-2005, 12:28 PM
So you would suggest the latter choice then?
Also, what happens if I send it to Spybot? And how do I do that?
waynechinsang
01-26-2005, 05:05 PM
Got it!
I used the eTrust thing from another post, and it worked.
Thanks again for everything, guys.
And again, seriously, if you want to see a copy of the mag (for free), gimme an address to send it to.
Best,
Wayne
Good, yea!
Spybot, Advanced mode, Tools: I would send it a copy of the problem.
They have a form in there for it.
nightowl
01-26-2005, 08:25 PM
Glad you got it figured out. Good job ECA, now you have to teach that fix to me.
Which magazine do you have, Wayne?........Jim
Download SpywareBlaster for prevention. Here is the link:
http://www.javacoolsoftware.com/spywareblaster.html
waynechinsang
01-26-2005, 08:36 PM
it's called "tastes like chicken". it's a humor and entertainment magazine. you can check out our website here: http://www.tlchicken.com
also, our most popular content is our interviews, which you can view a whole list of here: http://www.tlchicken.com/interviews.php
nightowl
01-26-2005, 08:47 PM
The website knew my name, very strange. I think it had something to do with Amazon.com.
Thanks for showing this to us. Looks cool........Jim
vibheesh
01-31-2005, 01:56 AM
It's affected my entire Windows system, in that it no longer only freaks out when I'm in Internet Explorer. If I click on My Computer it takes forever to find it.
Also, I get an error window that pops up that says:
"Windows detected spy software "scpStelth.cih" ver. 2.018. Somebody is trying to access you through port 443. Your private information is in danger."
It then asks me to click on a box to learn how I can remove it.
I'm sure this is probably the company essentially advertising their wares and how they can "fix it", but if not, please let me know, because I've avoided clicking "OK" thus far.
DON'T click Yes. ALWAYS click the "x" on top.
They can do ANYTHING they wish when you answer "Yes".
Go to the spyware section and follow the instructions.
OneSwtWld34
02-11-2005, 01:30 PM
Help!!!
I'm having the same problem w/ the "scpstelth.cih" saying that it's been hijacked.
I read the post and it says something about the "etrust" thing..
Any help would be appreciated!
Thanks!
Chris
nightowl
02-11-2005, 10:10 PM
http://forums.designtechnica.com/showthread.php?t=5583
Download Spybot, AdAware and HijackThis (links above).
In AdAware and Spybot, delete what they find; remove cookies and Temporary Internet Files; empty the Recycle Bin.
Then scan with HijackThis. Save the log to the desktop, then copy and paste the log to the message board.........Jim
I've downloaded Spybot, Ad-Aware and HijackThis.
But when I ran Ad-Aware, a 'System Shutdown' notice popped up. Hope you guys can point me in the right direction for this...
gary
This is my LogFile from HijackThis:
Logfile of HijackThis v1.98.2
Scan saved at 12:47:17 AM, on 2/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
C:\program files\steam\steam.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Bluetooth Software\BTTray.exe
C:\PROGRA~1\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\User\LOCALS~1\Temp\Rar$EX00.218\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://win-eto.com/sp.htm?id=9
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://win-eto.com/hp.htm?id=9
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\I7GT6D~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] C:\PROGRA~1\PANICW~1\POP-UP~2\PSFree.exe
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: v3cab - http://searchmiracle.com/cab/v3cab.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = f2874.find-quick.com
O17 - HKLM\Software\..\Telephony: DomainName = f2874.find-quick.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B19022AD-3B34-4ECA-8874-DEA361FD9300}: Domain = f2874.find-quick.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = f2874.find-quick.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = f2874.find-quick.com
O19 - User stylesheet: (file missing)
O20 - AppInit_DLLs: dyhklestyirbphll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
nightowl
02-18-2005, 12:56 PM
O20 - AppInit_DLLs: dyhklestyirbphll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
This can be hard to kill; Trend Micro has been known to work on it. You need to kill it, it can shut your computer down.
http://www.trendmicro.com/download/trial/trial-pcc.asp
Give it a try, reboot and post a new log.........Jim
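The entries the thread keeps circling back to (the O20 AppInit_DLLs value that grows a ".dll" each time it loads, the O17 domain suffix, the O4 RunServices entry with a look-alike name and no path, the ms-its: DPF URL and the win-eto.com start page in gary's log above) are all recognisable from the log text alone. As an added example, not code from this thread, from HijackThis or from any of the tools mentioned, here is a small Python triage script that parses those line formats and flags them. The sample log is constructed for the example and modelled on lines posted here; the allow-lists, the `Finding` type and the look-alike threshold are illustrative assumptions.

```python
"""Triage a HijackThis log for the indicator classes seen in this thread."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in HijackThis format, modelled on entries posted in the
# thread. It is not a real machine's log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://win-eto.com/hp.htm?id=9
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\system32\7GT6DN~1.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKLM\..\RunServices: [scvhost loader] IXPLORE.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.update05.com/2/2/q.chm::/file.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = f2874.find-quick.com
O20 - AppInit_DLLs: dyhklestyirbphll.dll.dll.dll.dll.dll.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Illustrative assumptions, not complete lists of what is legitimate.
SAFE_HOSTS = {"go.microsoft.com", "www.microsoft.com", "www.msn.com"}
BARE_OK = {"ctfmon.exe", "mobsync.exe"}  # Windows registers these with no path
LOOKALIKE_TARGETS = {"svchost.exe", "iexplore.exe", "explorer.exe", "lsass.exe"}
LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
RUN_RE = re.compile(r"HK\w+\\\.\.\\(\w+): \[[^\]]*\] (.*)")


@dataclass
class Finding:
    section: str
    reasons: tuple
    line: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch names that imitate system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _exe_name(cmd: str) -> str:
    """Basename of the first .exe in a Run command, quoted or not."""
    m = re.search(r'([^\\"\s]+\.exe)', cmd, re.I)
    return m.group(1).lower() if m else ""


def check_line(line: str):
    """Return a Finding if one log line matches a pattern from the thread, else None."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    sec, body = m.groups()
    reasons = []
    if sec in ("R0", "R1"):  # IE start/search page
        url = body.partition(" = ")[2].strip()
        host = urlsplit(url).hostname if url else None
        if host and host not in SAFE_HOSTS:
            reasons.append(f"IE start/search page points at {host}")
    elif sec == "O2":  # browser helper object
        if body.startswith("BHO: (no name)") and re.search(r"\\system32\\[^\\]*~\d\.dll$", body, re.I):
            reasons.append("unnamed BHO loaded from an 8.3-style DLL in system32")
    elif sec == "O4":  # registry autoruns
        m4 = RUN_RE.match(body)
        if m4:
            key, cmd = m4.groups()
            exe = _exe_name(cmd)
            if key == "RunServices":
                reasons.append("RunServices is a Windows 9x key that NT/2000/XP do not run; review it")
            if "\\" not in cmd and exe not in BARE_OK:
                reasons.append(f"autorun entry {exe!r} has no path")
            if exe not in LOOKALIKE_TARGETS:
                for target in LOOKALIKE_TARGETS:
                    if levenshtein(exe, target) <= 2:
                        reasons.append(f"{exe!r} is a look-alike of {target}")
    elif sec == "O16":  # downloaded ActiveX (DPF)
        url = body.rpartition(" - ")[2].strip().lower()
        if url.startswith(("ms-its:", "mhtml:")) or url.endswith(".exe"):
            reasons.append("DPF entry uses an ms-its/mhtml URL or pulls an .exe directly")
    elif sec == "O17":  # DNS domain suffix
        reasons.append(f"DNS domain suffix set to {body.rpartition(' = ')[2].strip()}")
    elif sec == "O20":  # AppInit_DLLs, loaded by user32.dll into every GUI process
        value = body.partition(":")[2].strip()
        if value:
            n = value.lower().count(".dll")
            reasons.append(f"AppInit_DLLs is set ({n} '.dll' suffixes); user32.dll loads it into every process")
    return Finding(sec, tuple(reasons), line) if reasons else None


def triage(log_text: str):
    """All findings for a whole log, in file order."""
    return [f for f in map(check_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, "|", f.line[:72])
        for r in f.reasons:
            print("    ->", r)
```

The O20 check explains the behaviour the thread fought with: AppInit_DLLs is read by user32.dll, so the listed DLL is mapped into every process that loads user32, which is why the file is "in use" and cannot be deleted until Safe Mode, and why a fresh HijackThis run after a reboot showed a renamed DLL at the same entry. Paste a real log into `triage()` in place of the constructed sample to get the same per-line reasons.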
lucky
02-20-2005, 12:08 PM
I have the same problem, please help!
Logfile of HijackThis v1.99.0
Scan saved at 8:59:48 PM, on 2/20/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\FarStone\VirtualDrive\Netsrv.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ct\Desktop\anti spyware\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.0 desktop.kazaa.com
O1 - Hosts: 127.0.0.0 www.altnetp2p.com
O1 - Hosts: 127.0.0.0 alpha.kazaa.com
O1 - Hosts: 127.0.0.0 shop.kazaa.com
O1 - Hosts: 127.0.0.0 www.bonzi.com
O1 - Hosts: 127.0.0.0 www.brilliantdigital.com
O1 - Hosts: 127.0.0.0 www.b3d.com
O1 - Hosts: 127.0.0.0 media.altnet.com
O1 - Hosts: 127.0.0.0 www.altnet.com
O1 - Hosts: 127.0.0.0 dev.bde.com.au
O1 - Hosts: 127.0.0.0 update.kazaa.com
O1 - Hosts: 127.0.0.0 bravo.kazaa.com
O1 - Hosts: 127.0.0.0 puma.kazaa.com
O1 - Hosts: 127.0.0.0 www.kazaagold.com
O1 - Hosts: 127.0.0.0 www.kazaa-gold.com
O1 - Hosts: 127.0.0.0 kazaagold.com
O1 - Hosts: 127.0.0.0 www.k-lite.com
O1 - Hosts: 127.0.0.0 www.kazaa-download.de
O1 - Hosts: 127.0.0.0 www.mp3downloadhq.com
O1 - Hosts: 127.0.0.0 www.easymusicdownload.com
O1 - Hosts: 127.0.0.0 easymusicdownload.com
O1 - Hosts: 127.0.0.0 www.mp3madeeasy.com
O1 - Hosts: 127.0.0.0 www.monstershare.com
O1 - Hosts: 127.0.0.0 monstershare.com
O1 - Hosts: 127.0.0.0 www.kazaa-plus.net
O1 - Hosts: 127.0.0.0 kazaa-plus.net
O1 - Hosts: 127.0.0.0 www.kazaa-plus.com
O1 - Hosts: 127.0.0.0 www.edonkey.com
O1 - Hosts: 127.0.0.0 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 127.0.0.0 www.kazaaplatinum.com
O1 - Hosts: 127.0.0.0 www.madeformusic.com
O1 - Hosts: 127.0.0.0 www.ikazaa.net
O1 - Hosts: 127.0.0.0 ikazaa.net
O1 - Hosts: 127.0.0.0 www.mp3u.com
O1 - Hosts: 127.0.0.0 www.mp3specialty.com
O1 - Hosts: 127.0.0.0 music-download-world.com
O1 - Hosts: 127.0.0.0 song-download-world.com
O1 - Hosts: 127.0.0.0 www.flixs.net
O1 - Hosts: 127.0.0.0 www.ishareit.net
O1 - Hosts: 127.0.0.0 www.ishareit.com
O1 - Hosts: 127.0.0.0 www.download-doctor.com
O1 - Hosts: 127.0.0.0 www.ezmp3download.com
O1 - Hosts: 127.0.0.0 www.kazaamedia.com
O1 - Hosts: 127.0.0.0 mp3-network.com
O1 - Hosts: 127.0.0.0 www.mp3-network.com
O1 - Hosts: 127.0.0.0 www.mp3grandcentral.net
O1 - Hosts: 127.0.0.0 www.mp333.com
O1 - Hosts: 127.0.0.0 www.kazaamate.com
O1 - Hosts: 127.0.0.0 www.emule.biz
O1 - Hosts: 127.0.0.0 www.kazaam8.tk
O1 - Hosts: 127.0.0.0 www.rippro.com
O1 - Hosts: 127.0.0.0 www.kaaza.com
O1 - Hosts: 127.0.0.0 secure.Webstartz.com
O1 - Hosts: 127.0.0.0 www.kazaalite.de
O1 - Hosts: 127.0.0.0 www.kazza.de
O1 - Hosts: 127.0.0.0 kazza.com
O1 - Hosts: 127.0.0.0 www.kazaalite.at
O1 - Hosts: 127.0.0.0 www.kazaalite.ch
O1 - Hosts: 127.0.0.0 www.kazaa-hilfe.de
O1 - Hosts: 127.0.0.0 www.edonkey-2000.de
O1 - Hosts: 127.0.0.0 www.edonkey-bot.de
O1 - Hosts: 127.0.0.0 www.edonkey-edonkey2000.de
O1 - Hosts: 127.0.0.0 www.edonkey-hilfe.de
O1 - Hosts: 127.0.0.0 www.edonkey-morpheus-forum.de
O1 - Hosts: 127.0.0.0 www.emule-hilfe.de
O1 - Hosts: 127.0.0.0 www.file-sharing-forum.de
O1 - Hosts: 127.0.0.0 www.filesharing-forum.de
O1 - Hosts: 127.0.0.0 www.imesh-download.de
O1 - Hosts: 127.0.0.0 www.kazaa-kaza.de
O1 - Hosts: 127.0.0.0 www.kazaa-lite.info
O1 - Hosts: 127.0.0.0 www.kazaa-lite-download.de
O1 - Hosts: 127.0.0.0 www.1md.de
O1 - Hosts: 127.0.0.0 www.mariodolzer.de
O1 - Hosts: 127.0.0.0 www.morpheus-forum.de
O1 - Hosts: 127.0.0.0 www.overnet-download.de
O1 - Hosts: 127.0.0.0 www.overnet-hilfe.de
O1 - Hosts: 127.0.0.0 www.winmx-download.de
O1 - Hosts: 127.0.0.0 www.winmx-hilfe.de
O1 - Hosts: 127.0.0.0 www.download-und-hilfe.de
O1 - Hosts: 127.0.0.0 www.filesharing-hilfe-forum.de
O1 - Hosts: 127.0.0.0 www.musik-download.biz
O1 - Hosts: 127.0.0.0 www.mp3downloads.ch
O1 - Hosts: 127.0.0.0 www.songfly.com
O1 - Hosts: 127.0.0.0 www.kazaa.nl
O1 - Hosts: 127.0.0.0 1stsoftwaredownloads.com
O1 - Hosts: 127.0.0.0 morpheus-download-morpheus.com
O1 - Hosts: 127.0.0.0 www.icisnet.org
O1 - Hosts: 127.0.0.0 software.global-netcom.de
O1 - Hosts: 127.0.0.0 www.filesharing-download.de
O1 - Hosts: 127.0.0.0 www.p2p.tm
O1 - Hosts: 127.0.0.0 www.filesharing-center.de
O1 - Hosts: 127.0.0.0 www.filesharing-tools.de
O1 - Hosts: 127.0.0.0 kazaa-download-kazaa.com
O1 - Hosts: 127.0.0.0 www.interscilsa.com
O1 - Hosts: 127.0.0.0 www.dvd-download-free.com
O1 - Hosts: 127.0.0.0 www.howtominibooks.com
O1 - Hosts: 127.0.0.0 www.internetmovies.com
O1 - Hosts: 127.0.0.0 www.rippro.net
O1 - Hosts: 127.0.0.0 www.musicmoviesbooks.com
O1 - Hosts: 127.0.0.0 www.kazaalite.org
O1 - Hosts: 127.0.0.0 www.getmp3music.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: (no name) - {EA6EF3DA-DDF7-4632-9BAE-143F42C5DBEA} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Virtual Drive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [CacheLoader] C:\WINNT\System32\__download__\uloader4.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\RunOnce: [DeleteVirtual Maid] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Virtual Maid\virtual maid.dll"
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\flashget.exe
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.games.yahoo.com/games/clients/y/cct0_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Go - http://download.games.yahoo.com/games/clients/y/gt2_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1019_EN.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.update05.com/2/2/q.chm::/file.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
1. Ya got a virus in there someplace.
2. Kill ALL file sharing progs. NOT worth using with the backdoors they have IN THEM.
3. Kill FlashGet.
Go to Trend Micro, run their web virus program.
Repost when done.
nightowl
02-20-2005, 12:54 PM
http://forums.designtechnica.com/showthread.php?t=5583
Download Spybot and AdAware (links above).
Reboot to Safe Mode (tap F8 on startup).
Place a check next to each of these and click Fix Checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O1 - Hosts: 127.0.0.0 desktop.kazaa.com
O1 - Hosts: 127.0.0.0 www.altnetp2p.com
O1 - Hosts: 127.0.0.0 alpha.kazaa.com
O1 - Hosts: 127.0.0.0 shop.kazaa.com
O1 - Hosts: 127.0.0.0 www.bonzi.com
O1 - Hosts: 127.0.0.0 www.brilliantdigital.com
O1 - Hosts: 127.0.0.0 www.b3d.com
O1 - Hosts: 127.0.0.0 media.altnet.com
O1 - Hosts: 127.0.0.0 www.altnet.com
O1 - Hosts: 127.0.0.0 dev.bde.com.au
O1 - Hosts: 127.0.0.0 update.kazaa.com
O1 - Hosts: 127.0.0.0 bravo.kazaa.com
O1 - Hosts: 127.0.0.0 puma.kazaa.com
O1 - Hosts: 127.0.0.0 www.kazaagold.com
O1 - Hosts: 127.0.0.0 www.kazaa-gold.com
O1 - Hosts: 127.0.0.0 kazaagold.com
O1 - Hosts: 127.0.0.0 www.k-lite.com
O1 - Hosts: 127.0.0.0 www.kazaa-download.de
O1 - Hosts: 127.0.0.0 www.mp3downloadhq.com
O1 - Hosts: 127.0.0.0 www.easymusicdownload.com
O1 - Hosts: 127.0.0.0 easymusicdownload.com
O1 - Hosts: 127.0.0.0 www.mp3madeeasy.com
O1 - Hosts: 127.0.0.0 www.monstershare.com
O1 - Hosts: 127.0.0.0 monstershare.com
O1 - Hosts: 127.0.0.0 www.kazaa-plus.net
O1 - Hosts: 127.0.0.0 kazaa-plus.net
O1 - Hosts: 127.0.0.0 www.kazaa-plus.com
O1 - Hosts: 127.0.0.0 www.edonkey.com
O1 - Hosts: 127.0.0.0 www.kazaa-file-sharing-downloads.com
O1 - Hosts: 127.0.0.0 www.kazaaplatinum.com
O1 - Hosts: 127.0.0.0 www.madeformusic.com
O1 - Hosts: 127.0.0.0 www.ikazaa.net
O1 - Hosts: 127.0.0.0 ikazaa.net
O1 - Hosts: 127.0.0.0 www.mp3u.com
O1 - Hosts: 127.0.0.0 www.mp3specialty.com
O1 - Hosts: 127.0.0.0 music-download-world.com
O1 - Hosts: 127.0.0.0 song-download-world.com
O1 - Hosts: 127.0.0.0 www.flixs.net
O1 - Hosts: 127.0.0.0 www.ishareit.net
O1 - Hosts: 127.0.0.0 www.ishareit.com
O1 - Hosts: 127.0.0.0 www.download-doctor.com
O1 - Hosts: 127.0.0.0 www.ezmp3download.com
O1 - Hosts: 127.0.0.0 www.kazaamedia.com
O1 - Hosts: 127.0.0.0 mp3-network.com
O1 - Hosts: 127.0.0.0 www.mp3-network.com
O1 - Hosts: 127.0.0.0 www.mp3grandcentral.net
O1 - Hosts: 127.0.0.0 www.mp333.com
O1 - Hosts: 127.0.0.0 www.kazaamate.com
O1 - Hosts: 127.0.0.0 www.emule.biz
O1 - Hosts: 127.0.0.0 www.kazaam8.tk
O1 - Hosts: 127.0.0.0 www.rippro.com
O1 - Hosts: 127.0.0.0 www.kaaza.com
O1 - Hosts: 127.0.0.0 secure.Webstartz.com
O1 - Hosts: 127.0.0.0 www.kazaalite.de
O1 - Hosts: 127.0.0.0 www.kazza.de
O1 - Hosts: 127.0.0.0 kazza.com
O1 - Hosts: 127.0.0.0 www.kazaalite.at
O1 - Hosts: 127.0.0.0 www.kazaalite.ch
O1 - Hosts: 127.0.0.0 www.kazaa-hilfe.de
O1 - Hosts: 127.0.0.0 www.edonkey-2000.de
O1 - Hosts: 127.0.0.0 www.edonkey-bot.de
O1 - Hosts: 127.0.0.0 www.edonkey-edonkey2000.de
O1 - Hosts: 127.0.0.0 www.edonkey-hilfe.de
O1 - Hosts: 127.0.0.0 www.edonkey-morpheus-forum.de
O1 - Hosts: 127.0.0.0 www.emule-hilfe.de
O1 - Hosts: 127.0.0.0 www.file-sharing-forum.de
O1 - Hosts: 127.0.0.0 www.filesharing-forum.de
O1 - Hosts: 127.0.0.0 www.imesh-download.de
O1 - Hosts: 127.0.0.0 www.kazaa-kaza.de
O1 - Hosts: 127.0.0.0 www.kazaa-lite.info
O1 - Hosts: 127.0.0.0 www.kazaa-lite-download.de
O1 - Hosts: 127.0.0.0 www.1md.de
O1 - Hosts: 127.0.0.0 www.mariodolzer.de
O1 - Hosts: 127.0.0.0 www.morpheus-forum.de
O1 - Hosts: 127.0.0.0 www.overnet-download.de
O1 - Hosts: 127.0.0.0 www.overnet-hilfe.de
O1 - Hosts: 127.0.0.0 www.winmx-download.de
O1 - Hosts: 127.0.0.0 www.winmx-hilfe.de
O1 - Hosts: 127.0.0.0 www.download-und-hilfe.de
O1 - Hosts: 127.0.0.0 www.filesharing-hilfe-forum.de
O1 - Hosts: 127.0.0.0 www.musik-download.biz
O1 - Hosts: 127.0.0.0 www.mp3downloads.ch
O1 - Hosts: 127.0.0.0 www.songfly.com
O1 - Hosts: 127.0.0.0 www.kazaa.nl
O1 - Hosts: 127.0.0.0 1stsoftwaredownloads.com
O1 - Hosts: 127.0.0.0 morpheus-download-morpheus.com
O1 - Hosts: 127.0.0.0 www.icisnet.org
O1 - Hosts: 127.0.0.0 software.global-netcom.de
O1 - Hosts: 127.0.0.0 www.filesharing-download.de
O1 - Hosts: 127.0.0.0 www.p2p.tm
O1 - Hosts: 127.0.0.0 www.filesharing-center.de
O1 - Hosts: 127.0.0.0 www.filesharing-tools.de
O1 - Hosts: 127.0.0.0 kazaa-download-kazaa.com
O1 - Hosts: 127.0.0.0 www.interscilsa.com
O1 - Hosts: 127.0.0.0 www.dvd-download-free.com
O1 - Hosts: 127.0.0.0 www.howtominibooks.com
O1 - Hosts: 127.0.0.0 www.internetmovies.com
O1 - Hosts: 127.0.0.0 www.rippro.net
O1 - Hosts: 127.0.0.0 www.musicmoviesbooks.com
O1 - Hosts: 127.0.0.0 www.kazaalite.org
O1 - Hosts: 127.0.0.0 www.getmp3music.com
O2 - BHO: (no name) - {EA6EF3DA-DDF7-4632-9BAE-143F42C5DBEA} - (no file)
O4 - HKLM\..\Run: [CacheLoader] C:\WINNT\System32\__download__\uloader4.exe
O4 - HKCU\..\RunOnce: [DeleteVirtual Maid] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\Virtual Maid\virtual maid.dll"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {0594AF7E-573B-40DF-8165-E47AB2EAEFE8} - http://akamai.downloadv3.com/binari...UTH_1019_EN.cab
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.update05.com/2/2/q.chm::/file.exe
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN.cab
Still in Safe Mode, delete all Temporary Internet Files and cookies, run AdAware and Spybot, delete what they find, and empty the Recycle Bin.
Then reboot and post a new log..........Jim
lucky
02-21-2005, 12:19 PM
Thank you for quick response!
Logfile of HijackThis v1.99.0
Scan saved at 8:42:20 PM, on 2/21/2005
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpm.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\FarStone\VirtualDrive\vdtask.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\FarStone\VirtualDrive\Netsrv.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\ct\Desktop\anti spyware\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVPCC] C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe /wait
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Virtual Drive] C:\Program Files\FarStone\VirtualDrive\vdtask.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/games/clients/y/at1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
O23 - Service: AVP Control Centre Service - Kaspersky Labs. - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus\avpcc.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
I get a little pop-up window every 15 min., even when I'm offline.
nightowl
02-21-2005, 01:31 PM
Your log looks clean to me. If you are still getting popups there is something hidden on here. I'm gonna show this log to ECA and see if he can find anything..........Jim :cool:
Hi
Can someone help me? I also have the same problem that lucky had. I have the HijackThis Log. Please Nightowl can you or someone else please look at the Log.
Logfile of HijackThis v1.98.2
Scan saved at 11:05:24 PM, on 2/21/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Messenger\msmsgs.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=533
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Thanks
Rob
nightowl
02-21-2005, 08:44 PM
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
This is bad and hard to kill. If the string of DLLs gets too long it will shut down your computer. Try Trend Micro; it's been known to kill this.
http://www.trendmicro.com/download/trial/trial-pcc.asp
Run this program, delete or quarantine what it finds, empty Recycle Bin, reboot and post a new log.........Jim
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: winlogin.exe
Check the top 3 to see if BOGUS...
the last one...Nightowl, do you remember it?? Look at the spelling..
Looks good Lucky..Keep it clean..
nightowl
02-22-2005, 12:37 AM
ECA, yes, I was just concentrating on the O20 one there. After he gets rid of that we can fix the rest.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=533
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Fix in Safe Mode (tap F8 on startup).
Hi Nightowl and ECA.
Thanks for helping me. I scanned for viruses and for spyware with Trend Micro like you said. It came up with nothing. I have a new HijackThis log for you.
Logfile of HijackThis v1.98.2
Scan saved at 11:07:13 AM, on 2/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=533
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Please let me know what you think i should do
Thanks
Rob
nightowl
02-22-2005, 10:11 AM
http://forums.designtechnica.com/showthread.php?t=5583
Download Spybot, AdAware, (Links Above)
Reboot To Safe Mode (tap F8 on Startup)
Still in Safe Mode, place a check next to each of these and click Fix Checked.
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://letgohome.com/sp.htm?id=533
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=533
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533
O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL
O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe
O4 - HKLM\..\Run: [XoftSpy] C:\Program Files\XoftSpy\XoftSpy.exe -s
O4 - HKCU\..\Run: [Spyware Begone] C:\freescan\freescan.exe -FastScan
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Still in Safe Mode, delete all Temporary Internet Files and Cookies, run Trend Micro, AdAware and Spybot, delete what they find, empty Recycle Bin.
Then Reboot and post a new log..........Jim
Hi Jim
I have done what you've said to do. I think AdAware found the problem but is unable to fix it. Also, when I tried to check and fix
O4 - Global Startup: winlogin.exe
it told me to go to Task Manager and shut down the program but couldn't do it.
I am not that great at computers so please bear with me. This is the latest HijackThis log. Thanks for helping me I appreciate it.
Logfile of HijackThis v1.98.2
Scan saved at 5:04:32 PM, on 2/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 4 for hijackthis.zip\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
Thanks
Rob
nightowl
02-22-2005, 04:14 PM
Were you in Safe Mode when you tried to delete it?
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
55 DLLs at the end. This has always been hard to kill.
I also want you to go to Add Remove Programs.
Click on Start.
Click on Settings.
Click on Control Panel.
From the Control Panel, double-click on Add/Remove Programs.
Click on the Install/Uninstall tab in the Add/Remove Programs Properties window.
Locate either New.net Application or New.net Domains and select it.
Click on the Add/Remove button.
After removal of the software, you may be prompted to reboot. Please reboot after removing the software.
Post a new log........Jim
Hi Jim
yes I was in the safe mode when I tried to delete.
Also, I went into the Add/Remove programs area and there wasn't either of the ones you mentioned.
I will try everything all over again and let you know how it went.
Thanks
Rob
nightowl
02-22-2005, 08:47 PM
I did a little research on this. Don't know if this will work; worth a try, I guess. It worked on another message board. You may want to print this out.
Download this program.
http://www.mvps.org/winhelp2002/DelDomains.inf
Right click the DelDomains.inf file and click Install, making sure Internet Explorer is closed. You won't see anything happen. Give it a minute.
Download CWShredder (Stand Alone Version)
http://www.intermute.com/spysubtrac...r_download.html
Close all browser windows,
Open cwshredder.exe then click "Fix" and let it run.
Reboot to safe mode – tapping F8 at startup
Have Hijack This Fix these Entries.
O4 - Global Startup: winlogin.exe
O20 - AppInit_DLLs: cuvsieuuppnfv1ll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll.dll
View Hidden Files
Open Windows Explorer. Go to Tools, Folder Options and click on the View tab.
Make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files".
Now click "Apply to all folders", Click "Apply" then "OK"
Delete these files – some may not be there
C:\WINDOWS\cerbmod.dll
C:\WINDOWS\system32\bzapgyf.dll
C:\WINDOWS\system32\dheev.dll
C:\WINDOWS\dealhlpr.dll
C:\WINDOWS\odon.exe
C:\WINDOWS\DHUpdt.exe
C:\WINDOWS\dhbrwsr.exe
C:\WINDOWS\system32\tibs3.exe
C:\WINDOWS\System32\matrixhere.exe
C:\WINDOWS\System32\dfrnnx.exe
Delete these folders
C:\Program Files\E2G
C:\Program Files\Toolbar
C:\Program Files\Real-Tens
C:\Program Files\Common Files\CMEII
C:\Program Files\NewDotNet
C:\Program Files\SurfSideKick 2
C:\WINDOWS\system32\wsxsvc
C:\WINDOWS\system32\vmss
C:\Program Files\Date Manager
C:\Program Files\WebSavingsfromEbates
C:\Program Files\Ebates_MoeMoneyMaker
Delete everything in this folder C:\WINDOWS\TEMP
START – RUN – key in %temp% OK - Edit – Select all – File – Delete
Empty the recycle bin
Reboot and post a new log
Hi again Jim
Last night I tried the steps you told to do before again. I will show you my latest HijackThis Log.
Logfile of HijackThis v1.98.2
Scan saved at 10:55:43 AM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
I don't know if I am completely clear of my problem. I wanted to also tell you that when I tried to run Trend Micro in Safe Mode it wouldn't run.
Let me know what you think and do you think I should use the latest method you mentioned.
Thanks
Rob
nightowl
02-23-2005, 10:17 AM
You got rid of the worst one. You still have this one.
O4 - Global Startup: winlogin.exe
Try to fix it in Safe mode using Hijack This. Empty Trash Bin, Reboot and post a new log.........Jim
nightowl
02-23-2005, 10:21 AM
If it doesn't run in Safe Mode, run it in normal mode. You may not need it now that the bad one is gone. Just need to kill winlogin.exe now.........Jim
Hi Jim
I try to get rid of the
O4 - Global Startup: winlogin.exe
but can't do it.
I have a question, and please don't laugh if it's a dumb one. I have a Windows Update icon that comes up in the task bar that, when I put my cursor over it, says Download at 77% and going. I try to right click to get the properties on it and nothing comes up. I am very nervous about that. For a while it would only download sometimes and then disappear, but I just wanted to download an update from Windows, the Service Pack 2 one, and it had trouble doing it so I canceled it. Now the one icon I was telling you about in the taskbar says there is an update waiting to be installed. I am leery to do so. What should I do?
Thanks
Rob
nightowl
02-23-2005, 11:55 AM
Is the icon yellow? Should be ok to download the program. I had one of those this morning.
On winlogin.exe, I was snooping around trying to find a fix for it. I found this website that apparently has a fix. Give it a try and post a new log.........Jim
http://www.dougknox.com/xp/utils/xp_winlogin_remove.htm
lucky
02-23-2005, 12:14 PM
thank you eca and nightowl! :thumb
nightowl
02-23-2005, 12:29 PM
Glad we could help.........Jim :vivi
Hi again Jim
The icon looks like the Windows Update icon with the earth and the Windows logo, but it's been trying to update for the last 3 days. It has taken a very long time. I don't know, maybe I am paranoid now. I only had the internet for 2 days before I got this crazy problem.
I will try that link you gave me. When I try to delete winlogin.exe, it tells me that the file may be in use: use Task Manager to shut down the program and run HijackThis again to delete the file. When I go to Task Manager there is no program like that, but there is a winlogon.exe. And it won't let me delete that, saying it is an important file.
Thanks
Rob
nightowl
02-23-2005, 02:24 PM
Don't delete winlogon.exe. It's a good file.
Spyware disguises itself to look legit. So they just changed one letter:
winlogon.exe - Good
winlogin.exe - bad
Are you in Safe Mode when you try to delete it?
Give that program a try. I want to see if it works.........Jim :eww
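The checks the helpers have been doing by eye on these logs (the letgohome.com R0/R1 start-page lines and the unnamed 8.3-named BHO in the fix list, ECA's "look at the spelling" point about the startup entries, nightowl's warning about the 55-suffix AppInit_DLLs value, and the winlogon.exe/winlogin.exe contrast in the post above) can be applied mechanically. The script below is an added example; it is not part of this thread and not part of HijackThis. It parses the log format shown in this thread and reports the entries a helper would ask about. The sample lines are copied from the logs posted here (the AppInit_DLLs value is rebuilt as the random name plus the 55 ".dll" suffixes nightowl counted); the trusted-host list, the list of Windows binaries, and the thresholds are assumptions chosen for the demonstration.

```python
"""Triage a HijackThis log for the patterns discussed in this thread.

Added example, not part of the forum thread or of HijackThis itself.  The
sample lines are copied from the logs posted above (the AppInit_DLLs value is
rebuilt from its description); TRUSTED_HOSTS, WINDOWS_BINARIES and the
thresholds are assumptions made for the demonstration.
"""
import re
from urllib.parse import urlparse

# Assumption: start/search pages on these domains are treated as legitimate.
TRUSTED_HOSTS = ("microsoft.com", "msn.com")

# Assumption: core Windows binaries that spyware imitates by name.
WINDOWS_BINARIES = (
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
)

# Constructed sample: lines taken from the logs posted in this thread.
SAMPLE_LOG = "\n".join([
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://letgohome.com/hp.htm?id=533",
    r"R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://letgohome.com/hp.htm?id=533",
    r"O2 - BHO: (no name) - {467FAEB2-5F5B-4c81-BAE0-2A4752CA7F4E} - C:\WINDOWS\System32\W8C6S4~1.DLL",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [dnscleaner] C:\WINDOWS\dnscleaner.exe",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe",
    r"O4 - Global Startup: winlogin.exe",
    "O20 - AppInit_DLLs: cuvsieuuppnfv1ll" + ".dll" * 55,  # the 55-suffix value from the thread
])


def edit_distance(a, b):
    """Levenshtein distance; one edit between two names is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_is_trusted(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_HOSTS)


def appinit_entries(value):
    """Split an AppInit_DLLs value into (entry, number of '.dll' suffixes) pairs."""
    return [(e, e.lower().count(".dll")) for e in value.replace(",", " ").split()]


def triage(log_text):
    """Return (section, verdict, detail) for each log line worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(R\d|O\d+) - (.*)$", raw.strip())
        if not m:
            continue
        section, rest = m.groups()
        if section in ("R0", "R1") and " = " in rest:
            # "...,Start Page = http://...": anything off the trusted hosts is a hijack candidate
            url = rest.split(" = ", 1)[1]
            if not host_is_trusted(url):
                findings.append((section, "hijack", f"page points at {urlparse(url).hostname}"))
        elif section == "O2":
            # "BHO: name - {CLSID} - path": an unnamed BHO whose DLL only has an 8.3 short name
            parts = rest.split(" - ", 2)
            if len(parts) < 3:
                continue
            filename = parts[2].rsplit("\\", 1)[-1]
            if "(no name)" in parts[0] and "~" in filename:
                findings.append((section, "suspicious", f"unnamed BHO with 8.3 short name {filename}"))
        elif section == "O4":
            # Drop the [entry name] tag, then take the executable the entry launches
            target = re.sub(r"\[[^\]]*\]", "", rest)
            exe = re.search(r'([^\\\s"\[\]]+\.exe)', target, re.I)
            if not exe:
                continue
            name = exe.group(1).lower()
            for good in WINDOWS_BINARIES:
                if name != good and edit_distance(name, good) == 1:
                    findings.append((section, "lookalike", f"{name} differs from {good} by one character"))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            # AppInit_DLLs are loaded into every process that maps user32.dll;
            # a legitimate entry is one DLL name, not a chain of ".dll" suffixes
            for entry, suffixes in appinit_entries(rest.split(":", 1)[1]):
                verdict = "suspicious" if suffixes > 1 else "review"
                findings.append((section, verdict,
                                 f"AppInit_DLLs entry {entry[:24]}... ({suffixes} '.dll' suffixes, {len(entry)} chars)"))
    return findings


if __name__ == "__main__":
    for section, verdict, detail in triage(SAMPLE_LOG):
        print(f"{section:<4} {verdict:<10} {detail}")
```

Run it directly to print the findings for the sample, or pass the text of a real log to triage(). Spybot's own unnamed SDHelper.dll passes the O2 rule because that rule keys on the 8.3-mangled filename, not on the missing name; the R0/R1 and O2 rules are heuristics, so a hit there is a prompt to look, while a one-character lookalike of a core Windows binary and a chained AppInit_DLLs value are reported outright.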
I was in safe mode when I tried it and it won't delete. And yes I gave that program a try and it didn't find the winlogin.exe file. So I am still in the same position. I want to Thank you once again Jim for your help. For a long time there I was ready to toss this computer out the door. I am learning alot since I stumbled onto this web site.
I guess I will keep working at it.
Thanks
Rob
Toss it my way...
Umm...
I THOUGHT, Hijack had a FIX on reboot..
Hi ECA
I don't know what else to do about it. It won't let me delete it.
Rob
nightowl
02-23-2005, 08:07 PM
It's strange, I've had other logs where HijackThis deletes it with no problem.
Post a new log, Maybe ECA can see something.
Also try Searching for hidden files. Heres how:
Click Start/ Search, then click All Files and Folders, Scroll Down and click More Advanced Options.
You should see some options to check. Make sure there is a check mark in these 3 boxes.
Search System Folders
Search Hidden Files and Folders
Search Subfolders
All 3 need to be checked, then go back and type in winlogin.exe and see if you can come up with it.
If you find it rename it winlogin.txt
(rename right click then click Rename)
After its renamed, Place it in the recycle Bin, Empty Recycle Bin, Reboot and post a new log.........Jim
Hey Jim
here's the latest log again. Hope ECA can find something.
Logfile of HijackThis v1.98.2
Scan saved at 11:31:38 PM, on 2/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 6 for hijackthis.zip\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks
Rob
Hi Jim
I have been researching the winlogin.exe and it appears to be the product of the Randex.E worm or virus. I am still looking into it but it will have to wait till tomorrow. I am beat. I am sure that this will kill me before I kill it.
Good Night
Rob
nightowl
02-23-2005, 09:14 PM
Ok Rob, we can try again tomorrow.........Jim :thumb
If you get the Task Manager up, and it's there...
It's part of one of the startups...
Spybot, Advanced MODE, TOOLS, STARTUP lists 1 section...If you can find it there, you can TURN OFF.
Otherwise..
You need to search it out..
Search... TOOLS, SEE ALL EXTENSIONS,
DON'T HIDE extensions, MS files, system files..
Then search for winlogin.....
DON'T delete, find its location...Give us the location FIRST...
Have you tried using TREND Micro Anti-virus..
Yes he does...
But I don't see Spybot.. Or AdAware..
Hi ECA
I've tried everything you said and still no sign of winlogin.exe. I don't know what else I can do. Its driving me crazy!!! I keep working on finding it but with no luck. I will keep you informed. And a big Thanks for all your help.
Rob
Do load, install, update and RUN
Spybot SD, and all it asks. It tells you when things change the reg.
AdAware..
And
SpywareBlaster..
Should I be scanning in advanced mode in Spybot SD?
Advanced mode has other options, and lets you see other things..
If TeaTimer and SDHelper are loaded it's fine..
If you wish, wander around and take a look; there are LOTS of tools there. BE careful what you do though.
It will even show your startup programs..
Hi Nightowl and ECA
I am sorry but I was so frustrated with my computer being hijacked that I stayed off it for a while. I will send you my latest HijackThis log because I think there is something new there. Can one of you take a look at it please?
Logfile of HijackThis v1.98.2
Scan saved at 8:56:43 PM, on 3/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bob\Local Settings\Temp\Temporary Directory 8 for hijackthis.zip\HijackThis.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Thanks
Rob M
O4 - Global Startup: winlogin.exe
http://www.liutilities.com/products/wintaskspro/processlibrary/winlogin/
It's supposed to be WINLOGON...NOT WINLOG"IN"
Hi again ECA
I downloaded the trial version and couldn't find anything wrong.
I was wondering on my last HijackThis Log should I delete
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
Thanks
Rob
No, it only shows that your system crashed and it saved the data to recover.