# pop ups - help



## mmuzzy

My computer has started showing pop ups like crazy. Is there anyone who can help me get rid of it? I have run Ad-Aware, Spybot, and CWShredder, but it only stops it for a while. I tried to find and get rid of programs that had been downloaded onto my computer. I do have HijackThis on my computer, but don't have a clue about interpreting what it says. I would so appreciate some help.
thanks


----------



## Byteman

mmuzzy, please follow the tips for using HijackThis in the sticky, and then post a log! Usually either Buzz or I (or both) will analyze it, and give further directions.

Staying clean: use a realtime virus scanner (update it weekly), use a realtime spyware scanner (MS AntiSpyware or Spy Sweeper, update it weekly). Use SpywareBlaster from Javacool (update it weekly), Firefox for a browser, and install Sun Java.


----------



## mmuzzy

Dear Byteman,
Here is the HijackThis log. I will need help in fixing the problems. Am a novice at this, but am good at following directions. I did this once before, as I remember having to do it in safe mode, but you gave me real clear directions on what to do. Thanks for helping, and thanks to everyone who posted. I'm going to check into everything you all advised.
mmuzzy

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 1:19:03 PM, on 6/22/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\WINSTARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\ELITESWA32.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\MOTN3216.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.websearch.com/ie.aspx?tb_id=50249
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\SYSTEM\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\SYSTEM\wintask.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITESWA32.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\SYSTEM\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\TOOLBAR\TBPS.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Y357RXZ6R] MOTN3216.EXE
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab


----------



## Buzz1927

mmuzzy.
Download Kaspersky, update it but don't run it yet. Then download Ewido, update it, then boot to safe mode. Run Kaspersky followed by Ewido, reboot and post a new HijackThis log.
P.S. disable your AV until you get rid of Kaspersky to avoid a possible conflict.


----------



## mmuzzy

*Kaspersky download*

Dear Buzz,
I am having trouble downloading the Kaspersky software.  It looks like it's downloading, but nothing is happening.  My Norton AV seems like it is having trouble too.  I can't seem to get it to respond to live update downloads.  I do not think my AV is actively protecting my computer.  So, I am not sure what to do with the download of the Kaspersky.  Any suggestions?




			
Buzz1927 said:

> mmuzzy.
> First off, you have the bube.d virus, download Kaspersky, update it but don't run it yet. Then download Ewido, update it, then boot to safe mode. Run Kaspersky followed by Ewido, reboot and post a new HijackThis log.
> P.S. disable your AV until you get rid of Kaspersky to avoid a possible conflict.


----------



## Buzz1927

Did you manage to download ewido? If so, run it then try Kaspersky again (you need to see hidden files and extensions, and protected operating system). If not, follow the steps in the sticky, then try to download Kaspersky again.


----------



## Byteman

Muzzy, try rightclicking on Buzz's link for Kaspersky, and choose "Save Target as". See if that will let you save the file.


----------



## Buzz1927

Apparently, this infection can sometimes stop downloads from Kaspersky and other sites through the Hosts file. If Byteman's method doesn't work, download the Hoster here. Unzip it to the desktop. Run it and hit "Restore original Hosts". Then try the Kaspersky link again.
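
A read-only check for the Hosts-file blocking described in the post above, as an added example (not part of the original post and not the Hoster tool's code). It flags entries that point security-vendor hostnames at a loopback or null address; the watch list, function names and sample file are assumptions made for illustration.

```python
import ipaddress

# Keywords for vendors named in this thread; extend as needed (assumption).
WATCHED = ("kaspersky", "symantec", "trendmicro")

# Constructed sample hosts file, not taken from the poster's machine.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       www.kaspersky.com   # blocks the download site
0.0.0.0         liveupdate.symantec.com housecall.trendmicro.com
192.0.2.10      intranet.example
::1             localhost
bad line without address
"""


def parse_hosts(text):
    """Yield (lineno, address, [hostnames]) for each well-formed mapping."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first field is not an IP address
        yield lineno, addr, [h.lower().rstrip(".") for h in fields[1:]]


def is_sinkhole(addr):
    """True for 127.0.0.0/8, ::1, 0.0.0.0 and ::, which never reach a real server."""
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text, watched=WATCHED):
    """Return (lineno, address, hostname) for watched names sent to a sinkhole."""
    findings = []
    for lineno, addr, names in parse_hosts(text):
        if not is_sinkhole(addr):
            continue
        for name in names:
            if name == "localhost":
                continue
            # Match whole DNS labels so "kaspersky" does not hit "notkaspersky".
            if any(w in name.split(".") for w in watched):
                findings.append((lineno, str(addr), name))
    return findings


if __name__ == "__main__":
    for lineno, addr, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {addr}")
```

Sinkholed advertising domains are common in legitimately "immunized" Hosts files, which is why the check only reports names on the watch list.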


----------



## mmuzzy

*Ewido*

Buzz,
I downloaded Ewido but it says I have to have Windows 2000 or higher to use it.  I have Windows 98.  I'm trying to download the Kaspersky again.  I will let it download for a longer period of time and see if I have success.  Any other suggestions?
mmuzzy



			
Buzz1927 said:

> Did you manage to download ewido? If so, run it then try Kaspersky again (you need to see hidden files and extensions, and protected operating system). If not, follow the steps in the sticky, then try to download Kaspersky again.


----------



## mmuzzy

*Kaspersky download problems*

Dear Buzz,
I tried to download Kaspersky twice and each time it says the download cannot take place because the connection with the server was reset.
mmuzzy



			
mmuzzy said:

> Buzz,
> I downloaded Ewido but it says I have to have Windows 2000 or higher to use it.  I have Windows 98.  I'm trying to download the Kaspersky again.  I will let it download for a longer period of time and see if I have success.  Any other suggestions?
> mmuzzy


----------



## Buzz1927

mmuzzy.
Sorry about Ewido, I missed you were running 98. I changed the link for Kaspersky, have you tried the new one? If you still can't download it, do the online scans in the sticky, reboot and post the new HijackThis log, we'll get what's left manually.


----------



## mmuzzy

*hijacks this*

Hi Buzz,
I have had quite a time with the computer, but this is where things are right now. I followed your sticky directions as best I could. I was unable to figure out how to disable the system restore, as I could not see 'system restore' anywhere once I right clicked on My Computer and then on properties. Perhaps the Windows 98 operating system looks different. I was able to enable the viewing of all of the files and could uncheck the 'hide extensions for known file types.'

I ran the housecall and it found quite a few 'not cleanable' items.  These are some, but not all:  troj bloader.OT, troj dloader.OT, troj krepper.p, bkdr padodor.aa, bkdr padodor.a, troj start pag.qy, troj start pag.qy, troj small.aal, troj clicker.ad

I could not get the pandasoftware to download...wouldn't work.

I have Ad-Aware 6.0 on the computer, but could not download the Ad-Aware SE.  When I tried to download, nothing would happen.  So I only had the choice of running the Smart Scan on the 6.0 version.  I ran the Spy-bot several times.  Sometimes the computer would freeze, or have a fatal error, so I cleaned up each problem one at a time until I figured out which problems were causing the computer to freeze.  This is what I erased:
admilli service, callinghome.biz, booked space, pacimedia, holistyc, hot search bar, exact advertising.bargains, IE plugins, delfin project, my web search, hunt bar and wild tangent.  This is what I COULD NOT erase because my computer would freeze or shut down:  Callinghome.biz, Elitum.EliteBar

I ran HijackThis. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:47:31 PM, on 6/29/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\WINSTARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\ELITESWA32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\THESRV.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\T2EPI.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [checkrun] C:\WINDOWS\SYSTEM\ELITESWA32.EXE
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Any help you or Byteman can give me would be most appreciated. Thanks so much.
mmuzzy



			
Buzz1927 said:

> mmuzzy.
> Sorry about Ewido, I missed you were running 98. I changed the link for Kaspersky, have you tried the new one? If you still can't download it, do the online scans in the sticky, reboot and post the new HijackThis log, we'll get what's left manually.


----------



## Buzz1927

Hi mmuzzy.
Don't worry about the system restore, Win98 doesn't have it. I need you to download a few programs.
Find Qoologic. 
LQfix. 
CWShredder. 
About Buster. 
Unzip them to the desktop, but don't run them yet. Boot into safe mode.
Run CWShredder. Don't worry if it doesn't find anything.
Run About Buster 3 times.
Run LQfix.
Boot back to normal mode. Run Find Qoologic. After 10 minutes or so a text file will open (starting with "not all files are bad"), post that in your next reply along with a new HijackThis log.


----------



## mmuzzy

*Qoologic*

Hi Buzz,
I did everything you asked.  Here is the log from Qoologic:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp



			
Buzz1927 said:

> Hi mmuzzy.
> Don't worry about the system restore, Win98 doesn't have it. I need you to download a few programs.
> Find Qoologic.
> LQfix.
> CWShredder.
> About Buster.
> Unzip them to the desktop, but don't run them yet. Boot into safe mode.
> Run CWShredder. Don't worry if it doesn't find anything.
> Run About Buster 3 times.
> Run LQfix.
> Boot back to normal mode. Run Find Qoologic. After 10 minutes or so a text file will open (starting with "not all files are bad"), post that in your next reply along with a new HijackThis log.


----------



## Buzz1927

Hi mmuzzy.
It doesn't look quite right (there should be more), can you run it again, making sure you're off-line and all windows are closed. And can I see a new HijackThis log, please.


----------



## Buzz1927

Hi mmuzzy.
Sorry, I'd forgotten you're using 98, the Qoologic log is ok, but I need to see a new one if you've rebooted since that scan. When you post a new log, do so when you can leave the computer on for a long time, to make sure me or Byteman can give you the next steps.
Buzz.


----------



## mmuzzy

*new log*

Dear Buzz,
I reran CWShredder, About Buster, LQfix and Qoologic.  I ran LQfix in safe mode as you noted, but there was a warning message about doing so.  I was not online, but my cable connection makes it possible to log on at any time, thus the pop-ups interrupt constantly, even when I'm not online.

Here is the Qoologic message:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

I will post the HijackThis log in another post, since my message exceeds the limit.
mmuzzy



			
Buzz1927 said:

> Hi mmuzzy.
> Sorry, I'd forgotten you're using 98, the Qoologic log is ok, but I need to see a new one if you've rebooted since that scan (the file names change every time). When you post a new log, do so when you can leave the computer on for a long time, to make sure me or Byteman can give you the next steps.
> Buzz.


----------



## mmuzzy

*hijacks this log*

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:52:12 PM, on 6/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\WINSTARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\SYSTEM\THESRV.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\RHRAPK.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\T2EPI.EXE
C:\WINDOWS\SYSTEM\HPZCFG.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\SYSTEM\HPZCFG.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - HKCU\..\RunOnce: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

I will leave the computer on until I get a message back from you or Byteman.
mmuzzy


			
Buzz1927 said:

> Hi mmuzzy.
> Sorry, I'd forgotten you're using 98, the Qoologic log is ok, but I need to see a new one if you've rebooted since that scan (the file names change every time). When you post a new log, do so when you can leave the computer on for a long time, to make sure me or Byteman can give you the next steps.
> Buzz.


----------



## mmuzzy

Dear Buzz and Byteman,
My computer became unstable and shut down.  I'll run another log in the morning and leave the computer on until I hear from you.  Disregard this last scan since I'll have to reboot the computer.  Sorry...
mmuzzy


----------



## mmuzzy

*new qoologic record*

Dear Buzz and Byteman,
I started up the computer this morning and followed the procedures you last gave me.  I ran CWShredder, About Buster and LQfix in safe mode.  Then I rebooted and ran Qoologic.  Here is the Qoologic log:  (I will post the Hijacks this log on another post, since it is too much data to post all at once.)  

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp


Thanks, you guys, for hanging in there with me.
mmuzzy


----------



## mmuzzy

*Hi Jacks log*

Here is the current Hijacks log.  I will leave the computer on until I hear from you, as you requested.  Thanks again.
mmuzzy

Logfile of HijackThis v1.99.1
Scan saved at 10:33:26 AM, on 7/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\WINSTARTER.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCK.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\MEDIA ACCESS\MEDIAACCESS.EXE
C:\WINDOWS\SYSTEM\THESRV.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\RHRAPK.EXE
C:\PROGRAM FILES\AUTOUPDATE\AUTOUPDATE.EXE
C:\WINDOWS\SYSTEM\T2EPI.EXE
C:\WINDOWS\SYSTEM\HPZCFG.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\SYSTEM\HPZCFG.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - Default URLSearchHook is missing
F1 - win.ini: run=hpfsched
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - HKCU\..\RunOnce: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## Buzz1927

Hi mmuzzy.
The entries haven't changed, it's ok if you need to turn the machine off. You might want to print these instructions. Can you download these programs?
Killbox. 
CCleaner. 
Trojanhunter. 
Then go to Add\Remove Programs and remove anything related to WinTools, Toolbar, Search Toolbar or 180search.
Boot into safe mode. Run the Killbox. Check "Replace on Reboot" and "Use Dummy". Copy and paste these one at a time into the "Full path of file to delete" box. After each one press the red button with the white cross, and yes to replace on reboot and no to restart now.
C:\WINDOWS\SEEDCO~1.EXE
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\BDBAMCM.EXE
C:\WINDOWS\Start Menu\Programs\StartUp\NRNA.EXE
Then run Trojanhunter.
Then CCleaner, under "Internet Explorer" uncheck "Cookies" (and under Firefox if you use it).
Then Hijackthis, hit "scan only" and check the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\TOOLBAR\TOOLBAR.DLL/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchmiracle.com/sp.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\CFGMGR52.DLL
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\SYSTEM\exp
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - HKCU\..\Run: [180ClientStubInstall] "C:\TEMP\STUBINSTALLER6480.EXE"
O4 - Startup: nrna.exe
Close all open windows, hit "Fix Checked"
Find and delete these folders\files (in bold) if still there.
C:\WINDOWS\SYSTEM\*WINSTARTER.EXE* 
C:\PROGRAM FILES\MEDIA ACCESS\*MEDIAACCK.EXE* 
C:\PROGRAM FILES\MEDIA ACCESS\*MEDIAACCESS.EXE* 
C:\WINDOWS\SYSTEM\*THESRV.EXE* 
C:\WINDOWS\SYSTEM\*T2EPI.EXE* 
C:\WINDOWS\SYSTEM\*exp*
C:\WINDOWS\*CERES.DLL*
There's more than all these, but my eyes are hurting, we'll get what's left later.
Reboot to normal mode, and post a new Qoologic log and Hijackthis log.


----------



## mmuzzy

Dear Buzz,
I followed your directions.  Here is the Qoologic scan:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp


Here is the Hijacks scan:
Logfile of HijackThis v1.99.1
Scan saved at 2:59:36 PM, on 7/1/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Thanks from the bottom of my heart.
mmuzzy


----------



## Buzz1927

Hi mmuzzy.
We're making progress, are things any better? Could you re-do the Killbox steps again, but add this line.
C:\WINDOWS\vuvzpr.exe
Then post back the Qoologic log, and the line from Hijackthis that looks like this.
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
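
Added example, not part of the original thread: a small Python helper that parses the O4 (autorun) lines of two HijackThis logs and reports which entries were added, removed, or kept their value name while pointing at a new file, which is the pattern the helper is checking for with the KavSvc line. The sample lines are excerpted from the two 7/1/05 scans posted above; the function and variable names are this example's own.

```python
import re
from collections import namedtuple

Autorun = namedtuple("Autorun", "location name command")

# Registry autorun:  O4 - HKLM\..\Run: [ValueName] command line
_O4_REG = re.compile(r"^O4 - (HK\w+\\\.\.\\\w+): \[([^\]]*)\] ?(.*)$")
# Startup folder:    O4 - Startup: item.lnk = target   (" = target" is optional)
_O4_DIR = re.compile(r"^O4 - ((?:Global )?Startup): ([^=]+?)(?: = (.*))?$")

# Lines excerpted from the 10:33 AM scan posted in this thread.
BEFORE_SCAN = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Media Access] C:\PROGRAM FILES\MEDIA ACCESS\MediaAccK.exe
O4 - HKLM\..\Run: [p4mX37V] THESRV.EXE
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\rhrapk.exe reg_run
O4 - HKCU\..\Run: [Y357RXZ6R] T2EPI.EXE
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
"""

# Lines excerpted from the 2:59 PM scan posted after the first cleanup pass.
AFTER_SCAN = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
"""


def parse_autoruns(log_text):
    """Return {(location, name): Autorun} for every O4 line; other sections are skipped."""
    entries = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _O4_REG.match(line) or _O4_DIR.match(line)
        if not m:
            continue
        loc, name = m.group(1), m.group(2).strip()
        cmd = (m.group(3) or "").strip()
        # Win9x paths and registry value names are case-insensitive, so key on folded forms.
        entries[(loc.upper(), name.casefold())] = Autorun(loc, name, cmd)
    return entries


def _norm(cmd):
    """Compare commands without regard to quoting or case."""
    return cmd.replace('"', "").casefold()


def diff_autoruns(before_text, after_text):
    """Compare the autorun entries of two scans of the same machine."""
    before, after = parse_autoruns(before_text), parse_autoruns(after_text)
    added = sorted(after[k].name for k in after.keys() - before.keys())
    removed = sorted(before[k].name for k in before.keys() - after.keys())
    # Same location and value name, different command: the entry was rewritten
    # between scans rather than removed.
    changed = sorted(
        (before[k].name, before[k].command, after[k].command)
        for k in before.keys() & after.keys()
        if _norm(before[k].command) != _norm(after[k].command)
    )
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    report = diff_autoruns(BEFORE_SCAN, AFTER_SCAN)
    for name, old, new in report["changed"]:
        print(f"CHANGED  [{name}]  {old}  ->  {new}")
    for name in report["removed"]:
        print(f"REMOVED  [{name}]")
    for name in report["added"]:
        print(f"ADDED    [{name}]")
```

Entries reported as added still need the same manual review as any other line; the diff only narrows down what moved between scans.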


----------



## mmuzzy

*new log*

Hi Buzz,
I ran the Qoologic log and then rebooted into normal mode.  The log was no longer on my clipboard, but I went into the Qoologic text and copied the file that was placed in there about 15 minutes ago, so I'm assuming this is the correct log.  Here is the Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\SEEDCO~1.EXE
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\SKYTOWN.EXE
* UPX!  C:\WINDOWS\System\VFMLOQ.EXE
* UPX!  C:\WINDOWS\System\HPZCFG.EXE
* UPX!  C:\WINDOWS\System\AUNPS2.DLL
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TDTB.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\CERES.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL
* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\ZOZXRPR.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL
* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\ZOZXRPR.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL

I think this is the line you were looking for on the Hijacks this:
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run

The computer is running great.  No popups.  When I start up the computer, I am getting these two error messages:

error loading AUNPS2.dll

System cannot find the file specified:  C:\WINDOWS\CFGMcr52.dll

The trojanhunter is cleaning trojans from Qlogic when I start up the computer, as well.

You are a genius....can't thank you enough....
mmuzzy



			
Buzz1927 said:

> Hi mmuzzy.
> We're making progress, are things any better? Could you re-do the Killbox steps again, but add this line.
> C:\WINDOWS\vuvzpr.exe
> Then post back the Qoologic log, and the line from Hijackthis that looks like this.
> O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
> This part - vuvzpr.exe reg_run - might have changed, that's what I'm looking for. No need to post the whole Hijackthis log yet.


----------



## Buzz1927

Hi mmuzzy.
I don't think the problem is gone. It may be OK now, but give it a day or two. Please post back if this is the case.


----------



## mmuzzy

Hi Buzz,
My son tells me that the computer is acting up again.  The popups seem to have returned.  The Trojanhunter is definitely cleaning the computer each time it opens, but I'm wondering if you could take a look at this log and let me know what you think.  Thanks so much~
mmuzzy

Logfile of HijackThis v1.99.1
Scan saved at 2:12:41 PM, on 7/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.2\THGUARD.EXE"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: NRNA.EXE.tcf
O4 - Startup: NRNA.EXE7027.tcf
O4 - Startup: NRNA.EXE5420.tcf
O4 - Startup: NRNA.EXE5536.tcf
O4 - Startup: NRNA.EXE824.tcf
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## Buzz1927

Hi mmuzzy.
I was expecting you to come back, as you left before we finished fixing you up. Run the FindQoologic and post the log from it, it can take a few tries to get everything.
In the meantime, let's get things looking a bit better. Uninstall Trojanhunter, it might be stopping us from seeing everything. Then run Hijackthis. Put a check by these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: SearchToolbarBHOObject - {12EE7A5E-0674-42f9-A76A-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\SYSTB.DLL
O3 - Toolbar: (no name) - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - (no file)
O3 - Toolbar: Search - {12EE7A5E-0674-42f9-A76B-000000004D00} - C:\WINDOWS\SYSTEM\STLB2.DLL
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\CFGMGR52.DLL,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\Run: [AutoUpdater] "c:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [{12EE7A5E-0674-42f9-A76B-000000004D00}] rundll32.exe stlb2.dll,DllRunMain
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKCU\..\Run: [HPZCFG] C:\WINDOWS\SYSTEM\HPZCFG.exe
O4 - Startup: NRNA.EXE.tcf
O4 - Startup: NRNA.EXE7027.tcf
O4 - Startup: NRNA.EXE5420.tcf
O4 - Startup: NRNA.EXE5536.tcf
O4 - Startup: NRNA.EXE824.tcf

Make sure you're offline, and all windows are closed apart from Hijackthis, and hit "Fix Checked".
Run Killbox, under "Files" hit "Delete all dummy files". 
Make sure you can see hidden files and protected operating system files. Find and delete this folder.
c:\Program Files\*AutoUpdate* 
and these files, if they still exist.
C:\WINDOWS\*CERES.DLL* 
C:\WINDOWS\*SYSTB.DLL* 
C:\WINDOWS\SYSTEM\*STLB2.DLL* 
c:\windows\system\*vfmloq.exe* 
C:\WINDOWS\SYSTEM\*SUPDATE.DLL* 
C:\WINDOWS\*wupdt.exe* 
C:\WINDOWS\SYSTEM\*HPZCFG.exe*
C:\WINDOWS\*CFGMGR52.DLL*
If any can't be deleted, try in safemode.
Search for and delete this file
*AUNPS2.DLL* 

Reboot, and post a new Hijackthis log, as well as the Find Qoologic log.


----------



## mmuzzy

Dear Buzz,
Here is the Qoologic log.  I ran it first and will not uninstall Trojanhunter, and then take off the entries on Hijacks this.  I'll post another log when I finish.
Thanks so much.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

mmuzzy


----------



## mmuzzy

Dear Buzz,
I followed all of your directions.  On startup of the computer, I get this error message:
Error loading Windows\system\supdate.dll

Here is the Qoologic log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp


Here is the Hijacks This log:
Logfile of HijackThis v1.99.1
Scan saved at 10:36:38 AM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
C:\WINDOWS\VUVZPR.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


Thanks again for helping us.
mmuzzy


----------



## Buzz1927

Hi mmuzzy.
We're getting there. You'll get an error message on startup until we get everything. Important - does your son play Prince of Persia 2? And if so, have you got the disc? Run the Killbox. Select "Delete on Reboot". Highlight the lines below and press Ctrl + C. In Killbox, under "File" select "Paste from clipboard". Check all the entries appear (if it doesn't work you'll need to do them one by one, saying "No" when asked to restart) and press the red button with white cross. (They might not all exist).
C:\WINDOWS\System\SUPDATE.DLL
C:\WINDOWS\SEEDCO~1.EXE
C:\WINDOWS\RNRKIEI.DLL
C:\WINDOWS\UIUKS.DLL
C:\WINDOWS\System\REDIT.CPL
C:\WINDOWS\System\SKYTOWN.EXE
C:\WINDOWS\System\VFMLOQ.EXE
C:\WINDOWS\System\HPZCFG.EXE
C:\WINDOWS\System\AUNPS2.DLL
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\BDBAMCM.EXE
C:\WINDOWS\IUP1LD~5.EXE
C:\WINDOWS\IUP1LD~6.EXE
C:\WINDOWS\WUPDT.EXE
C:\WINDOWS\IUP1LD~4.EXE
C:\WINDOWS\IUP1LD~7.EXE
C:\WINDOWS\POP2.EXE
C:\WINDOWS\IUP1LD~8.EXE
C:\WINDOWS\IUP1LD~9.EXE
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\TDTB.EXE
C:\WINDOWS\CERES.DLL
C:\WINDOWS\ZOZXRPR.DLL
C:\WINDOWS\POPMU.DLL
C:\WINDOWS\startmenu\programs\startup\NRNA.EXE
C:\WINDOWS\vuvzpr.exe
C:\WINDOWS\SYSTEM\winstarter.exe

Run Hijackthis and check these entries.

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: nrna.exe
Close all open windows and browsers, and hit "Fix Checked".
Find and delete this folder C:\WINDOWS\SYSTEM\*VIDCTRL* 
Reboot and post the new logs.


----------



## mmuzzy

Dear Buzz,
We cleaned up the files as you directed.  Here are the logs.  Thanks again.
mmuzzy

Qoologic Log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp



HiJacksThis Log:


Logfile of HijackThis v1.99.1
Scan saved at 3:45:10 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {11111111-1111-1111-1111-111111111123} - file://C:\Program Files\Windows Media Player\mp3codec543.exe
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## Buzz1927

Hi mmuzzy.
In one Qoologic log you posted, there were a lot more entries than in all the others. Where it says "User Startup", I think it was on page 2 of this thread. Can you try and find the latest one like that? Apart from that, it's looking pretty good. Did you ask your son about Prince of Persia?
Run the Killbox again, this time in safemode, with the "Delete on Reboot" option checked. Copy and paste these.
C:\WINDOWS\CERES.DLL 
C:\WINDOWS\BUDDY.EXE
C:\WINDOWS\RHRAPK.EXE
C:\WINDOWS\BDBAMCM.EXE
c:\windows\system\vfmloq.exe
Run Hijackthis and check these.
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
Reboot and post the logs. We're not far away now. How are the popups?
And can you try to download the latest versions of Adaware and Spybot?
Buzz.
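
The comparison behind the two entries singled out in the post above, as an added example that is not part of the original thread: it matches the entries checked for fixing against the HijackThis log posted after the reboot and reports which ones came back. The function names are hypothetical, and both inputs are short excerpts copied from the 7/7/05 posts in this thread.

```python
import re

# A HijackThis entry line is "<section id> - <details>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# Notes HijackThis appends when the file an entry points to is absent.
MISSING_RE = re.compile(r"\s*\((?:file missing|no file)\)", re.IGNORECASE)
# First drive-letter path ending in .exe or .dll inside an entry line.
PATH_RE = re.compile(r'[a-z]:\\[^",]+?\.(?:exe|dll)', re.IGNORECASE)

# Excerpt: entries Buzz1927 asked to check before "Fix Checked".
CHECKED = r"""
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL (file missing)
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\SYSTEM\winstarter.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\SYSTEM\VIDCTRL\VIDCTRL.EXE
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: nrna.exe
"""

# Excerpt: the log mmuzzy posted after the reboot (scan saved 3:45:10 PM).
LATER_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\VFMLOQ.EXE
C:\WINDOWS\SYSTEM\CFGWIZ32.EXE

F1 - win.ini: run=hpfsched
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\CERES.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vfmloq] c:\windows\system\vfmloq.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
"""


def parse_entries(text):
    """Map a normalised key to (raw line, file_missing flag) for each entry line."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process path or blank line
        section, details = m.groups()
        missing = bool(MISSING_RE.search(details))
        # Drop the "(file missing)" note and fold case so the same entry
        # matches across scans whether or not its file currently exists.
        cleaned = " ".join(MISSING_RE.sub("", details).lower().split())
        entries[section + " - " + cleaned] = (line, missing)
    return entries


def running_processes(log_text):
    """Return the upper-cased paths listed under 'Running processes:'."""
    procs, in_block = set(), False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_block = True
        elif in_block and not line:
            break  # the blank line ends the process list
        elif in_block:
            procs.add(line.upper())
    return procs


def survivors(checked_text, later_log):
    """Entries that were checked for fixing but show up again in the later scan."""
    checked = parse_entries(checked_text)
    later = parse_entries(later_log)
    procs = running_processes(later_log)
    report = []
    for key, (_, was_missing) in checked.items():
        if key not in later:
            continue  # the fix held for this entry
        later_line, now_missing = later[key]
        path = PATH_RE.search(later_line)
        report.append({
            "entry": later_line,
            # The file was gone when the entry was checked and is back now.
            "file_reappeared": was_missing and not now_missing,
            # The entry's target is also in the later scan's process list.
            "still_running": bool(path) and path.group(0).upper() in procs,
        })
    return report


if __name__ == "__main__":
    for item in survivors(CHECKED, LATER_LOG):
        print(item)
```

On these excerpts the two survivors are the CeresObj BHO, whose file is present again, and the vfmloq Run entry, whose target is still in the running-process list.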


----------



## mmuzzy

Dear Buzz,
My son said he has not heard of the Prince of Persia game, and we have no software for it.  I looked at the Qoologic log and this is what was saved in the file as of this afternoon.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\SEEDCO~1.EXE
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\SKYTOWN.EXE
* UPX!  C:\WINDOWS\System\VFMLOQ.EXE
* UPX!  C:\WINDOWS\System\HPZCFG.EXE
* UPX!  C:\WINDOWS\System\AUNPS2.DLL
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TDTB.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\CERES.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL
* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\ZOZXRPR.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL
* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\ZOZXRPR.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL
* KavSvc  C:\WINDOWS\System\SUPDATE.DLL
* KavSvc  C:\WINDOWS\VUVZPR.EXE
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\VFMLOQ.EXE
* UPX!  C:\WINDOWS\System\SUPDATE.DLL
* UPX!  C:\WINDOWS\System\AUNPS2.DLL
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\TDTB.EXE
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\VUVZPR.EXE
* UPX!  C:\WINDOWS\INSTAL~1.EXE
* UPX!  C:\WINDOWS\WUPDT.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\CERES.DLL
* UPX!  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\ZOZXRPR.DLL
* KavSvc  C:\WINDOWS\VUVZPR.EXE
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\VFMLOQ.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\TDTB.EXE
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\VUVZPR.EXE
* UPX!  C:\WINDOWS\INSTAL~1.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\ZOZXRPR.DLL
* KavSvc  C:\WINDOWS\VUVZPR.EXE
* KavSvc  C:\WINDOWS\POPMU.DLL
* KavSvc  C:\WINDOWS\RNRKIEI.DLL
* KavSvc  C:\WINDOWS\UIUKS.DLL
* KavSvc  C:\WINDOWS\ZOZXRPR.DLL
* aspack  C:\WINDOWS\System\REDIT.CPL
* UPX!  C:\WINDOWS\System\VFMLOQ.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\RNRKIEI.DLL
* aspack  C:\WINDOWS\UIUKS.DLL
* aspack  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\TDTB.EXE
* UPX!  C:\WINDOWS\IUP1LD~5.EXE
* UPX!  C:\WINDOWS\IUP1LD~6.EXE
* UPX!  C:\WINDOWS\VUVZPR.EXE
* UPX!  C:\WINDOWS\INSTAL~1.EXE
* UPX!  C:\WINDOWS\IUP1LD~4.EXE
* UPX!  C:\WINDOWS\IUP1LD~7.EXE
* UPX!  C:\WINDOWS\POP2.EXE
* UPX!  C:\WINDOWS\IUP1LD~8.EXE
* UPX!  C:\WINDOWS\IUP1LD~9.EXE
* UPX!  C:\WINDOWS\BUDDY.EXE
* UPX!  C:\WINDOWS\TSC.EXE
* UPX!  C:\WINDOWS\VSAPI32.DLL
* UPX!  C:\WINDOWS\ZOZXRPR.DLL


I will run the killbox again and then follow your directions and repost logs for you.
Thanks,
mmuzzy


----------



## mmuzzy

Dear Buzz,
I downloaded the latest versions of Adaware and Spybot and ran them both after I had followed your directions with killbox and hijacks.  I just ran the Qoologic and Hijacks logs again.  Here is the first log.  I'll post the hijacks log in another post.

Qoologic Log:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp



----------



## mmuzzy

Here is the Hijacks log

Logfile of HijackThis v1.99.1
Scan saved at 9:54:44 PM, on 7/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\VUVZPR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: nrna.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Hope things are getting better.
mmuzzy

popups are not appearing....


----------



## Buzz1927

Hi mmuzzy.
Can you try downloading Kaspersky again? Update it, then under "settings" hit the riskware detection button and check the 2 boxes, then run it in safemode. Post a Hijackthis log afterwards. Also download Registrar Lite. We'll use it later. And in the Qoologic log, do you get any registry entries at the bottom? If so can you post them (just these entries, not the whole log).


----------



## mmuzzy

Hi Buzz,
Still cannot download the Kaspersky software.  Left it on for an hour and it said that the server had to be reset.  I downloaded the Registrar Lite.  I didn't post a log as I couldn't download the Kaspersky.
mmuzzy

Are you in the United Kingdom?


----------



## Buzz1927

Hi mmuzzy.
Yes, I'm in the UK. Let's try this. Open CCleaner. Under "Options" check "Run CCleaner when computer starts", then under "Advanced", uncheck "Only delete files in temp folders older than 48 hours." Then do the Killbox steps in post #31. Then run Hijackthis and fix these lines.
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - Startup: nrna.exe
Then reboot.
Every time you reboot, run FindQoologic and check what's under "Files found in System" and "startup files". Keep doing it until the only file left is the EFAXVIEW.EXE. If it's still not working after doing it 5 times, try it with "Replace on reboot" and "Use dummy". Let me know how it goes and post a new Hijackthis log.

Edit: And things are looking much better, just this last problem to kill.
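The re-check described in this post (re-run FindQoologic after each reboot and read the "Files found in System" and "startup files" sections until only EFAXVIEW.EXE is left) can be scripted. This is an added example, not part of the original post or of FindQoologic; the function names are hypothetical and the two sample outputs are excerpts trimmed from the runs posted in this thread.

```python
import re

# Section banners look like "»»»» Files found in System »»»»".
SECTION_RE = re.compile(r"^»+\s*(.+?)\s*»+$")
# Findings look like "* aspack  C:\WINDOWS\EFAXVIEW.EXE" (signature, then path).
ITEM_RE = re.compile(r"^\*\s+(\S+)\s+(\S.*)$")

# The two sections the helper in this thread asks to be checked after each reboot.
WATCHED_SECTIONS = ("files found in system", "startup files")

# Constructed samples: trimmed copies of the first and last runs in this thread.
RUN_FIRST = r"""
»»»»» Files found in System »»»»»

* qoologic  C:\WINDOWS\SEEDCO~1.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE
* aspack  C:\WINDOWS\RHRAPK.EXE
* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\SEEDCO~1.EXE

»»»»» startup files »»»»»
* exe  C:\WINDOWS\startm~1\programs\startup\NRNA.EXE

»»»»» Checking Global Startup »»»»»

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp
"""

RUN_LAST = r"""
»»»»» Files found in System »»»»»

* aspack  C:\WINDOWS\EFAXVIEW.EXE

»»»»» startup files »»»»»

»»»»» Checking Global Startup »»»»»
"""


def parse_findqoologic(text):
    """Return {section title (lower case): {PATH: set of signatures}}.

    The tool lists the same file once per matching signature, so findings
    are merged per path instead of being kept as raw lines.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1).casefold()
            sections.setdefault(current, {})
            continue
        item = ITEM_RE.match(line)
        if item and current is not None:
            signature, path = item.groups()
            # Win9x paths are case-insensitive; compare upper-cased.
            sections[current].setdefault(path.upper(), set()).add(signature)
    return sections


def leftovers(text, expected_remaining):
    """Files in the watched sections that are not on the expected list.

    An empty result means the stop condition from the post is met. A
    non-empty result is a list to review, not a verdict: the tool's own
    banner warns that legitimate files are listed too.
    """
    expected = {p.upper() for p in expected_remaining}
    found = {}
    sections = parse_findqoologic(text)
    for name in WATCHED_SECTIONS:
        for path, signatures in sections.get(name, {}).items():
            if path not in expected:
                found.setdefault(path, set()).update(signatures)
    return {path: sorted(sigs) for path, sigs in sorted(found.items())}


if __name__ == "__main__":
    expected = [r"C:\WINDOWS\EFAXVIEW.EXE"]
    for label, run in (("first run", RUN_FIRST), ("last run", RUN_LAST)):
        print(label, leftovers(run, expected) or "only expected files remain")
```
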


----------



## mmuzzy

Hi Buzz,
I am almost there but am having trouble understanding one of your directions.  I ran CCleaner following the steps in post #31 and then ran hijackthis and deleted the files you suggested.  Then I rebooted and ran Qoologic.  I found this:
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack  C:\WINDOWS\BDBAMCM.EXE
* aspack  C:\WINDOWS\EFAXVIEW.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

My question is, keep doing what for 5 times until I only have EFAXVIEW.EXE left?  What do I do to get rid of * aspack  C:\WINDOWS\BDBAMCM.EXE?  Another question:  Is the User startup information correct?
mmuzzy


----------



## Buzz1927

Hi mmuzzy.
You need to do the Killbox steps in post #31, reboot and do it again, that should get rid of C:\WINDOWS\BDBAMCM.EXE. It might not take 5 tries. The User Startup is fine, it shows we're nearly there. When you get rid of the BDBAMCM.EXE, post a new Hijackthis log.


----------



## mmuzzy

*log*

Hi Buzz,
Have been away for a few days....I ran the Kill Box two more times, and this is the log I got:

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE. 
»»»»»»»»»»»»»»»»»»»»»»»»» Files found in System »»»»»»»»»»»»»»»»»»»»»»»

* aspack  C:\WINDOWS\EFAXVIEW.EXE


»»»»»»»»»»»»»»»»»»»»»»»»» startup files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»


Global Startup:
problem locating dir

User Startup:
C:\WINDOWS\Start Menu\Programs\StartUp

I'm hoping this is what we're looking for..... as the bdbamcm.exe didn't show up this time.  What do I need to do to maintain the 'health' of this computer?  I certainly appreciate your help.  Have you heard anything about the download posted the other day to my post about Secretmaker? 

Thanks again, Buzz.
mmuzzy




			
Buzz1927 said:

> Hi mmuzzy.
> You need to do the Killbox steps in post #46, reboot and do it again, that should get rid of C:\WINDOWS\BDBAMCM.EXE. It might not take 5 tries. The User Startup is fine, it shows we're nearly there. When you get rid of the BDBAMCM.EXE. post a new Hijackthis log.


----------



## mmuzzy

Dear Buzz,
I forgot to post the hijacks log.  Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 9:56:21 PM, on 7/18/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [Ucro] C:\Program Files\aets\wdus.exe
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab


----------



## Buzz1927

Hi mmuzzy.
Good work with the Killbox, it's all gone. There are some new problems now, though. Go to Add\Remove programs and remove these programs, if there.
Bullseye Network
Navisearch
Aets
Run Hijackthis and check these lines.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [Ucro] C:\Program Files\aets\wdus.exe
Close all open windows and hit "Fix Checked".
Navigate to C:\Program Files and delete these folders.
Bullseye Network
Navisearch
Aets
Download Firefox. Use it instead of Internet Explorer, make sure everyone using the computer does the same. I don't know anything about Secretmaker, sorry. I'll recommend some more programs when you're clean. Reboot and post a new log.
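The comparison behind this reply, finding entries that were absent from the 7/7 log and present in the 7/18 one, can be done mechanically. The sketch below is an added example, not part of the original post or of HijackThis; the function names are hypothetical and the two sample logs are excerpts trimmed from the logs posted in this thread.

```python
import re

# Every finding starts with a section code: R0, R1, F1, O2, O4, O16, ...
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")

# Constructed samples: a few lines copied from the 7/7/05 and 7/18/05 logs.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:54:44 PM, on 7/7/05

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\VUVZPR.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [autoupdate] rundll32 C:\WINDOWS\SYSTEM\SUPDATE.DLL,SHStart
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\vuvzpr.exe reg_run
O4 - Startup: nrna.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:56:21 PM, on 7/18/05

Running processes:
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\NAVISEARCH\BIN\NLS.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\SYSTEM\NVMS.DLL
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [Ucro] C:\Program Files\aets\wdus.exe
"""


def parse_hijackthis(text):
    """Return (processes, entries) for one HijackThis log.

    processes: set of upper-cased paths from the "Running processes" list.
    entries:   dict mapping a normalised key to the original entry line.
    """
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            in_processes = False  # the first coded entry ends the process list
            # Windows paths and registry names are case-insensitive, so the
            # key is case-folded and whitespace-collapsed before comparing.
            entries[" ".join(line.split()).casefold()] = line
        elif in_processes:
            processes.add(line.upper())
    return processes, entries


def diff_logs(before, after):
    """List what changed between two scans of the same machine."""
    old_procs, old_entries = parse_hijackthis(before)
    new_procs, new_entries = parse_hijackthis(after)
    added = sorted(new_entries.keys() - old_entries.keys())
    removed = sorted(old_entries.keys() - new_entries.keys())
    return {
        "added": [new_entries[k] for k in added],
        "removed": [old_entries[k] for k in removed],
        "new_processes": sorted(new_procs - old_procs),
    }


if __name__ == "__main__":
    for kind, lines in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"== {kind}")
        for line in lines:
            print("  ", line)
```

The diff only narrows the review: on these samples it also lists the ccleaner autorun that was enabled on purpose earlier in the thread, so each added line still needs a person to judge it.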


----------



## mmuzzy

*hijacks log*

Hi Buzz,
I followed your directions, and removed what you said.  I downloaded the firefox internet software.   I ran the following Hijacks log and have it posted.  Should I delete the Internet Explorer program completely?  My son uses the MSN instant messenger as well as the AOL version.  Otherwise, we are all using the firefox.  Here is the hijacks this log.  Thanks again.
mmuzzy

Hi Jacks log
Logfile of HijackThis v1.99.1
Scan saved at 6:58:32 PM, on 7/26/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\QUICKENW\QAGENT.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\LEXBCES.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\MOUSE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MSN APPS\UPDATER\01.03.0000.1005\EN-US\MSNAPPAU.EXE
C:\PROGRAM FILES\VIEWPOINT\VIEWPOINT MANAGER\VIEWMGR.EXE
C:\PROGRAM FILES\CCLEANER\CCLEANER.EXE
C:\WINDOWS\SYSTEM\MRTMNGR.EXE
C:\PROGRAM FILES\HP DESKJET 610C SERIES\EREG\REMIND32.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\WINDOWS\DESKTOP\HIJACKS THIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\HP\HPCORETECH\SOLN\HPOSM.EXE
C:\WINDOWS\TEMP\!UPDATE.EXE
C:\PROGRAM FILES\HP\HPCORETECH\COMP\HPTSKMGR.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.myexcel.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ironmountaindailynews.com/loclnews.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F1 - win.ini: run=hpfsched
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [LexStart] LexStart.EXE
O4 - HKLM\..\Run: [QAGENT] C:\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\PROGRA~1\LOGITECH\ITOUCH\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] c:\MOUSE\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [HP Software Update] "c:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\PROGRAM FILES\HP\HPCORETECH\HPCMPMGR.EXE"
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [LVComs] c:\windows\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [msnappau] "c:\program files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Reminder-hpc41003.lnk = C:\Program Files\HP DeskJet 610C Series\ereg\Remind32.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Dell Home - {770BAA40-0094-11D4-AB37-40C34FC1EA00} - http://business.dellnet.com/ (file missing) (HKCU)
O12 - Plugin for .aspx: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp.dasd.org/qp2.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/includes/MotivePreQual.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab




			


----------



## Buzz1927

Hi mmuzzy.
Try to keep everyone on Firefox if you can, everything works with it apart from the odd web page. Don't delete Internet Explorer. The only time I use IE is for Windows updates. Noticed this - C:\WINDOWS\TEMP\*!UPDATE.EXE* delete this file, in safemode if needed. Install the Anti-Spyware programs here. (only the Anti-Spyware, not the others).  Are the popups gone?


----------



## mmuzzy

*looking pretty good*

Dear Buzz,
Things are looking pretty good.  Pop ups are GONE!!!  Did see an error message this morning when I opened up the computer for ndrv performing an illegal operation and would be closed down.  I remember seeing that before early on.  Couldn't find the C:\WINDOWS\TEMP\!UPDATE.EXE anywhere.  I have the antispyware programs on, except the one from Microsoft as I don't have windows 2000.  Should I download the firewall on your list of things to do?  I can't thank you enough for your help.
mmuzzy



			


----------



## Buzz1927

Hi mmuzzy.
The ndrv message you're getting is related to adware, do a search for it. Make sure you do an advanced search in hidden files, and do the same for !update.exe. If you don't find them, never mind, they might be gone, and the ndrv will only affect Internet Explorer. Update and scan once a week with Adaware, and enable the Resident Tea-timer in Spybot (it's under "advanced" then "tools"). If you've got Norton Internet Security Suite, that has got a firewall, no need to install another one, they will conflict with each other.
If you get any problems, let us know.
Take Care.
Buzz.


----------

