Ads234 hijacked my browser, and Sandboxer won't go away.

Hi AndreaHaley,

1) Check this page: http://www.angelfire.com/un/midaddle/index.html

2) For Sandboxer, try Manual Removal at bottom of http://www.pestpatrol.com/PestInfo/s/sandboxer.asp

Regards,
Zyloch

Hi Andrea,

First check for trojans/viruses and remove them: (Courtesy of Sunray 2003 PAQ which I just lost the link to)

online virus scanner:
---------------------

http://housecall.trendmicro.com/ 

http://security.symantec.com/

http://www.pandasoftware.com/activescan/com/activescan_principal.htm

http://www.pcpitstop.com/antivirus/default.asp 

DOS based : http://www.f-prot.com/download/download_fpdos.html

There are also numerous spyware/adware removal programs available : always make sure you update them first before running them,

What is spyware : http://www.spychecker.com/spyware.html

SpyBot-S&D : http://www.webattack.com/download/dlspybot.shtml 

Ad-aware : http://www.webattack.com/download/dladaware.shtml 

Trojan Remover :http://www.simplysup.com/

KL-Detector  :http://www.webattack.com/download/dlkldetector.shtml

X-Cleaner Free  :http://www.webattack.com/download/dlxcleaner.shtml

SpywareBlaster  :http://www.webattack.com/download/dlspywareblaster.shtml

SpywareGuard :http://www.webattack.com/download/dlspywareguard.shtml

SpySites  :http://www.webattack.com/download/dlspysites.shtml

Keylogger Hunter :http://www.webattack.com/download/dlklhunter.shtml

Spycop: http://www.spycop.com/

BHODemon : http://www.spywareinfo.com/downloads/bhod/

Browser Hijack Blaster : http://www.wilderssecurity.net/bhblaster.html

Goodbye Spy http://www.topshareware.com/GoodBye-Spy-download-2012.htm

Other spyware removal instructions: http://www.pchell.com/support/click2findnow.shtml

I noticed that you posted your hijackthis log earlier. Experts exchange now recommends that we suggest you do the following with these logs:

First make sure that you use the most recent version of hijack this:
HijackThis 1.98.2
http://www.majorgeeks.com/download3155.html
Download it, run it, save your log file.

Then use the following site to analyse and remove any "nasty" entries by pasting your saved logfile into it - which I noted from your previous post you DID have some nasties there,
HijackThis log file analysis
http://www.hijackthis.de/index.php?langselect=english

P.S don't worry about not getting EE rules first time round - most of us didn't ;-)

Post back if that little lot didn't help,

Deb :))

Oh and if you're running Windows xp or Me, make sure that you disable your system restore prior to attempting removal (otherwise you'll just restore the problems too)

Hi!  AndreaHaley

Just to start things out - you have a Peper Trojan on your system.
Do the following to remove it -
Download and run these:
Download Newuninst.exe - Download from:   http://downloads.subratam.org/Newuninst.exe 
Run it and make sure you have an active internet connection.
Reboot and run the tool once again (again with an active internet connection).

Download PeperFix.exe - Download from:   http://downloads.sbratam.org/PeperFix.exe 
Start
Run it and click Find and Fix.
Reboot into "Safe" mode and run the tool a second time to make certain it's done its job.
Reboot into "Normal" mode when finished and post a new HijackThis log here
(I have a copy of your HijackThis logfile that you posted in another members thread)
Good luck!
RF

Sorry, that second link should be:
http://downloads.subratam.org/PeperFix.exe
Oops! :)
RF

Hi rossfingal, (and everyone)

Bsed upon all your comments, I'm a mess!  Thanks for your efforts everyone!  I performed what appeared to be the easiest task above.  The fix for my Peper Trojan.  Here is my log from after I ran Newuninst.exe, twice, Peper fix twice, and then downloded the Latest & Greatest HiJack this.

Here goes nothin:

Logfile of HijackThis v1.98.2
Scan saved at 9:19:04 PM, on 09/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FergusonVPN\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://usa.autodesk.com/adsk/servlet/home?siteID=123112&id=129446
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [InstallRA] C:\PROGRA~1\FEI\RemoteAccessInstall\InstallRA.exe
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [PlaxoUpdate] C:\WINNT\Plaxo\1.4.2.25\InstallStub.exe -a
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [hwv8RUfmO] secdtect.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: ComcastHSI - {124F45C6-861B-47CD-A822-D766958768B6} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6930DB25-CD27-4DF7-A0C0-B4288CEF4575} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {8DAA8434-3152-4804-9458-22993FC61471} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sygate
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll

Whatdya think?

Andrea

Hi
The current EE suggestion as I posted earlier is to paste your HJT log into the site below for analysis - this also helps prevent this site from becoming overloaded with logs,
http://www.hijackthis.de/index.php?langselect=english

Having had a look at your log I suggest you fix the following, unless you know for a fact the entries relate to programs etc that you installed yourself,

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\ProgramFiles\SEP\sep.dll (file m
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Lo
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (fi
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
C:\PROGRA~1\Web Offer\wo.exe
C:\Program Files\WinDates\WinDates.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINNT\system32\SearchBar.
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404S
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file m
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Lo
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (fi
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [Configuration Loader] iexplore.exe
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [hwv8RUfmO] secdtect.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\coupons
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (fi
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\m
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_A
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll


Potentially fix these - Are you using sygate at all?
O4 - HKLM\..\Run: [InstallRA] C:\PROGRA~1\FEI\RemoteAccessInstall\InstallRA.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = sygate
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = sygate

I still strongly suggest that you use the virus scans posted earlier, as it's possible that unless you remove the source of the problem, the symptoms will just keep coming back,

Deb :))

Hi Deb,

What exactly do you mean by Potentially fix these?  Find them in the registry and delete them?
I will tell you that my husband does not use either of these programs anymore, FEI or Sygate.

I am running one of these scanners now, but another problem has occurred.  I now can no longer use my internet Explorer at all on my login.  I simply created a new one to get back to this dialog, but I am afraid of loosing all of my settings now.  

My Norton just popped up and found this:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan.ByteVerify
File:  C:\Documents and Settings\Andrea2\Local Settings\Temp\V7M43Ma01552
Location:  Quarantine
Computer:  ANDREAW2K
User:  Andrea2
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Sat Sep 18 22:39:25 2004

Popped up again with this:

Scan type:  Realtime Protection Scan
Event:  Virus Found!
Virus name: Trojan.ByteVerify
File:  C:\Documents and Settings\Andrea2\Local Settings\Temp\V7M43Ma01552
Location:  Quarantine
Computer:  ANDREAW2K
User:  Andrea2
Action taken:  Clean failed : Quarantine succeeded : Access denied
Date found: Sat Sep 18 22:43:53 2004

AAAGGHHH!!!

Help!......Andrea

Hi

Restart in safe mode and then delete ALL the contents of these folders (don't delete the folders - just what's in them) - should have asked you to do that anyway, but it needed a scan, or alternatively scan it again from safe mode - at least these have been quarantined so you can delete them from the quarantine on the antivirus.
C:\Documents and Settings\Andrea2\Local Settings\Temp\
C:\documents and settings\andrea\local settings\temp\
C:\Documents and Settings\Paige\Local Settings\Temp

Search for and delete the following again in safe mode:
Web Offer Folder and contents
C:\WINNT\system32\mssaru.dll
vmmreg32.exe

Potentially fix these meant fix them with hijackthis if you don't recognise them,

Deb :))

Hi Deb,

Starting fresh this morning:  I went into safemode and deleted all of the filles (AND FOLDERS) in
C:\Documents and Settings\Andrea2\Local Settings\Temp\
C:\documents and settings\andrea\local settings\temp\
C:\Documents and Settings\Paige\Local Settings\Temp

I did not delete these items to the two other users on my machine, my husband and my son, should I have?

I Deleted "Web Content" folder, and went ahead and deleted, "Hotbar", "WhenuSearch" and "Memorywatcher", too.

Deleted mssaru.dll, but could not locate vmmreg32.exe

I set up a new user for myself, Andrea2 last night cuz my Internet Explorer does not work in my old login, is there anything I can do to clean up, (delete the old login once everything is switched over, (my e-mail, addresses & mail, custom toolbars in Autocad, etc.)

Thanks for your help, we are already running much faster, and no ads234 anymore.  Thanks.

Andrea

Hi Deb,

Upon re-reading your meticulous instructions, I realized I probably should not have deleted the folders nested below my Temp folder for each login.  I left my C:\~\temp in tact, but there were folders below that, I deleted all files and sub-folders below my Temp directory.  Everything seems to be ok, Should I have left the folders, and just deleted their contents?

Thanks, Andrea

Shouldn't matter. It's a %TEMP% folder anyways :)

Hi Andrea

Sorry - was offline yesterday - No it shouldn't matter - temp folders are just that - folders for holding temp files. It's good practise to empty them on a regular basis. Make sure that you empty all the temp folders under each users directory too. Is the pc clear of pop-ups after reboot? If so then your problem should be resolved for now. I would suggest that you get a decent virus protection software (Just in case you have it -Symantec/Norton just isn't cutting it at the moment - it missed 9 trojans on my system the other week, and I've encountered others using it who have had severe problems due to what it's missed - Trend Internet Security is pretty good - anyway I digress..)

So onto your profile which needs fixing. Is it only internet explorer that isn't working?

Deb :))

Hi Deb,

I have Symantec Corporate edition, which I download monthly on each machine.  It was a requirement when my husband was using that FEI software (That I cleaned using hijackthis, by the way)

I will look into Trend Internet Security, thanks for the tip.  

Pop-ups are virtually gone, ads234 is gone and sandboxer has gone away for the moment. Yes, in my old login, Internet Explorer was the only program that gave me an error, it created an error log, which I could not make sense out of.  This has happened once before in my son's login, the fix was to create a new login.  I'd like to have a solution, in case it happens again.  Otherwise I am pretty happy!  You have been great, precise, meticulous, etc!!

Thank you, Thank you.

Andrea

I'm glad to help :))
So you still have some pop-ups then? There could be some things left that we didn't fix - I was somewhat brutal though on what I got you to get rid of. You can always run hijack this again (I suggest you do this anyway), and post your log into the link I posted. This will clearly identify what you need to fix and things that it suspects are dodgy for further investigation. If you could post your internet explorer error that's logged we could maybe trouble-shoot it. Other options are to try system file checker

Have your windows 2000 cd handy:

Click start - run - sfc /scannow - this will check for valid versions of windows 2000 files. Next you can re-install service pack 4, and then check for any further updates from windows update. If this has happened on another login than there's something not quite right somewhere. The error log will help. Alternatively you can just recreate your profile and copy the contents of your old profile into your new one.

Deb :))

Oops, sent accidentally

Where was I - 5 logs in 5 minutes:

C:\Documents and Settings\All Users\Documents\DrWatson\drwtsn32.log

c:\plaxo.log

c:\Programfiles\hotbar\hotbar_1095698978.log

C:\WINNT\Debug\UserMode\userenv.log

Which one is the culprit?

Quickly, before I have to go back to work: my log from hijack this:

Logfile of HijackThis v1.98.2
Scan saved at 12:58:56 PM, on 09/20/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\FergusonVPN\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\Program Files\WinDates\WinDates.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\WINNT\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\Trash\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [q1HVT6k.exe] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [vmwX3k0z.exe] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV.exe] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [pZn0E68IS.exe] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v.exe] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [vmwX3k0z] C:\documents and settings\andrea\local settings\temp\vmwX3k0z.exe
O4 - HKLM\..\Run: [4U0pV] C:\documents and settings\andrea\local settings\temp\4U0pV.exe
O4 - HKLM\..\Run: [q1HVT6k] C:\Documents and Settings\Paige\Local Settings\Temp\q1HVT6k.exe
O4 - HKLM\..\Run: [pZn0E68IS] C:\documents and settings\andrea\local settings\temp\pZn0E68IS.exe
O4 - HKLM\..\Run: [v] C:\documents and settings\andrea\local settings\temp\v.exe
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Gotta Run....

Hi Deb,

I'm Back, no real problems, except I cannot even find my Windows 2000 Disk.  I'm pretty comfortable with my new login, I save all my data to my "D" Drive, so I won't be confused with like where are "My Documents" between (login) Andrea or (login) Andrea2......I'm ok.

I purchased a virus package, Trend Micro, the first website listed above.  I will load it tonight.

I have had soome funky things happen, A search bar loaded itself on my Internet Explorer.  Have had a few pop-ups, my pop-up killer usually catches them, but I still have a list of what is getting that far.  

I really just wanted to thank you for all your help, my system is in much better shape, Thanks you you and your colleagues.  EE will be my new first source for computer help, not my last resort.

One last question, why do I have to go into "safe Mode" to delete my temporary files?  

Thats it.......Andrea

If you are in safe mode the minimum stuff is running - things that are nasty, sometimes "hide" in
temp files - quite often, in safe mode they are not running - therefore: they're not "active" -
it's possible to remove them - they're not  "active".
Just my opinion!
Glad everything has been rsolved!
Regards...
RF

Ross is right on that one - Safe mode just loads up with the minimum amount of drivers etc needed to get windows to start,

Glad we helped,

Deb :))

1. Please download DllCompare ( http://download.broadbandmedic.com/DllCompare.exe )

2. Start the Program with its default settings and put a check mark in the include subdirectories. Click the Run Locate.com and wait until the scan says complete.

3. Click the Compare button to start the next process.

4. Files in the upper portion have been verified to "exist", Files in the bottom section were not able to be accessed. Very few files should be listed in the bottom section when the Compare scan is complete.

5. Click on each of the listed entries in the lower section to select them. Right-click on the file and use the Option Rescan.

6. This will cause Windows Find to see if the file does exist, and then it will be removed from the list (to reduce the number of identified files)

7. Click the Make a Log of what was found button, and post the log here

Hi Shattuc,

What a treat, round two....thanks for offering your service.

Here is my log file from dllcompare.exe


*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

O^E says: "There were no files found :)"
________________________________________________

2,137 items found:  2,137 files (1 H/S), 0 directories.
Total of file sizes:  401,361,867 bytes    382.77 M

Administrator Account =  True

--------------------End log---------------------

It searched my C:\WINNT\system32 annd did find one file, but when I re-scanned, it found it and removed it from the bottom portion of the dialog box.  What did I do this for?

AndreaHaley

Incidentally, I am having another problem, I cannot get my wireless network to find my other machine.  I cannot communicate at all between machines.  Both machines can surf, and I get my e-mail on both, but I cannot access the hard drives using microsoft explore, nor can I print from the machine that is wireless.  I plan to call my network support, "Netgear" tonight - unless you have another suggestion. - Thanks.

Hi!

>  "It searched my C:\WINNT\system32 annd did find one file, but when I re-scanned, it found it and
      removed it from the bottom portion of the dialog box.  What did I do this for?"

Do you remember the name of the file?

RF

Hi Rossfingal,

I do not remember the name of the file when I ran DllCompare.exe yesterday, however, I ran the program again, just now, and in the bottom pane it found "msxbse35.dll"

I will not run the Option re-scan 'till I hear from you.

Andrea

Here's the log file indicating the file that was found.

*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNT\SYSTEM32\msxbse35.dll   Mon Jun 23 1997   1:06:50p  A.SH.        287,504   280.77 K
________________________________________________

2,137 items found:  2,137 files (1 H/S), 0 directories.
Total of file sizes:  401,361,867 bytes    382.77 M

Administrator Account =  True

--------------------End log---------------------

Hi! AndreaHaley

That file appears to be legitimate - check it's properties.
Info here:
http://www.manifold.net/support/import_shp.html
http://support.microsoft.com/default.aspx?scid=kb;EN-US;155666
http://support.microsoft.com/default.aspx?scid=kb;EN-US;179203

It looks to be the same as on my install of Win 2000.

Regards...
RF

Okee doke, I'm good........Thanks again for everything.

As far as what your last HJT log shows -

This entry can be dealt with by Ad-Aware SE
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
http://doxdesk.com/parasite/Sidesearch.html

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
http://www.adrants.com/2004/06/adspyre-launches-midaddle-ad-system.php

O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
http://www.mac-net.com/744489.page
http://www.pestpatrol.com/PestInfo/p/peopleonpage.asp

O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)
http://213.173.251.14/~fbeejdk/NewHJTEntries.htm

Just some information.
How is your computer running?

RF

Sorry I was out of town yesterday, I thought maybe you might have a certain one, but I was wrong, if you find nothing when you run dllcompare, and you hit rescan, and it finds nothing, then you are clean, at least from that particular Hijacker...
the rest...
I'll post more in a bit, but after fixing with Ad-Aware and Spybot S&D howisyour system running?

Hi,

So, with the exception of the first item listed above, I should run RJT, and fix the remainder of the entries above?  

As far as my system - My system is much, much better/faster.  A few pop-ups still, my "Pop-up Killer" catches them though.  ADS234 is gone, and Sandboxer seems to be gone for good.  My network is not working, between two machines, I suspect it is the firewall settings on the new virus protector I purchased, Trend-Micro.

Andrea

clear your Temp Folders...
Both Temporary internet files, and
C:\documents and settings\andrea\local settings\temp\
Delete all the files in that folder...
if they are not already gone...
and I hate to say it...
(Sorry EE)
please run HJT again and post a new log.

But Delete the files in your temp folders first.

Here is my log immediately after I cleared all the temp files from each persons login, in safe mode.  This log was created in safe mode also.

Logfile of HijackThis v1.98.2
Scan saved at 6:09:23 PM, on 09/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
D:\Trash\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: ComcastHSI - {55E7E90E-DFB7-440B-85DD-38A2D70B05A3} - http://www.comcast.net (file missing) (HKCU)
O9 - Extra button: Help - {6A35814A-2315-4452-A948-0FF82A0B35F0} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {C0D68DA6-F08F-40DC-B185-2D32750D7BB3} - http://www.comcastsupport.com (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

I hate to say this, but a log in safe mode does not show everything we want to see {Sorry EE}
However, while you're in safe mode, do a complete search on your computer and delete any instances of the
following files (check your prefetch and dllcache folders, as well as ALL temp folders):
404Search.dll
onAE.dll
sep.dll
mssaru.dll
Delete all instances you find, of any of these

Also, have HijackThis "fix" these:
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_50151/QDow_AS2.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vsigns/0003C00/setup.exe 

Clean out your temp folders
Empty the recycle bin
Reboot your computer into "Normal" mode
And - Again - post a new HijackThis log for us to take a look at.  :)

Regards..
RF

A couple of things:
1.)  I did not find any of the above dll files
2.) I did not delete folder CONTENT.IE5, at some point along this road I read to only delete CONTENTIE, (not "content.ie5")  So I have not deleted this folder from my Temporary Internet Files directory, nor it's contents - should I have?
3.) Does each user have a seperate recycle bin?  I deleted the contents of the login "administrator" but could not locate anybody elses.

My log sir - created under regular boot circumstances. (not safe mode)

Thanks again!

Logfile of HijackThis v1.98.2
Scan saved at 10:03:11 PM, on 09/27/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE
D:\Trash\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Greetings RF,

I guess the silence means I should have deleted the "Content.ie5" folder?

NO!

Sorry!
Don't delete the "Content.ie5" - OPEN UP

Sorry - posted by accident -
don't delete that folder - open it, you'll see subfolders  -open them -
and delete ALL the contents, except "desktop.ini" (and you might get a question about "thumbs.db
Probably - don't delete it
Refards...RF

Hi RF,

Yes, I deleted all of the contents, (in safe mode) my desktop.ini files arein:
c:\Program Files
c:\program Files\support.com\backup\de
c:\winnt
c:\winnt\system32
d:\andreas stuff

Here is my HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 6:31:00 AM, on 09/30/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Can I "fix" the files that are missing here?

Thanks....Andrea

Hi!   Andrea

Have HijackThis fix the following:
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - C:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\andrea\Local Settings\Temp\onAE.dll (file missing)
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINNT\system32\ms.exe (file missing)
O21 - SSODL: SARU - {FF5D8CC8-DE01-4964-89F1-648E43271415} - C:\WINNT\system32\mssaru.dll (file missing)

Since comcast appears to be your Internet provider these are optional:
(although, I have comcast and I've removed them with no problems)
O9 - Extra button: Help - {248C8BB3-B63F-47A8-A6E1-63A1A2373AD6} - http://www.comcast.net/memberservices/ (file missing) (HKCU)
O9 - Extra button: Support - {7844F386-C5B3-4CE2-B38A-F1ECE174D97E} - http://www.comcastsupport.com (file missing) (HKCU)
O9 - Extra button: ComcastHSI - {7E416EA4-9E9C-4ECD-95C9-9E46F506EE8F} - http://www.comcast.net (file missing) (HKCU)

Clean out your temp files
Empty the recycle bin
Reboot your computer and let's see how things look.

Cheers!
RF

Logfile of HijackThis v1.98.2
Scan saved at 4:35:21 PM, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx

I emptied everybody's recycle bin from each login, is there an easier way?

Thanks.......Andrea

Hi!

Log looks much better.
One more thing to do - go to Add/Remove Programs and look for an entry for:
Twain-Tech
If it's present, uninstall it.
Reboot your computer into "safe" mode.
Search your entire computer for any instances of -
preinsmt.exe
(your profilepath)\start menu\programs\pc powerscan\uninstall pc powerscan.lnk
C:\Program Files\intrigue learning\unwise.exe
C:\Program Files\intrigue learning\unwise.ini
C:\Program Files\intrigue learning\update.exe
C:\Program Files\intrigue learning\updates_v2.inf
C:\WINNT\\xgn.exe
C:\WINNT\system\mxtarget.dll
C:\WINNT\system\twaintec.dll (twaintech.dll)
C:\WINNT\system32\mxtarget.dll
C:\WINNT\system32\twaintec.dll
C:\WINNT\twaintec.dll
C:\WINNT\twaintec.ini
C:\WINNT\wsem218.dll

Delete any that you find.
If twaintech.dll is in use, then you would need to rename it, (something like twaintech.bad)
reboot the computer, and then delete it.
Clean out your temp files
Empty the rercycle bin
Reboot and let's see how things look.
Good luck!
RF

Logfile of HijackThis v1.98.2
Scan saved at 6:15:20 PM, on 10/03/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\Promon.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
C:\WINNT\system32\Smtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\NoPops\PopupKillerGUI.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\PROGRA~1\NoPops\POPUPK~1.EXE
C:\Program Files\Trend Micro\Internet Security\PCClient.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\WinDates\WinDates.exe
D:\Trash\HijackThis.exe
C:\Program Files\Trend Micro\Internet Security\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.experts-exchange.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {0000607D-D204-42C7-8E46-216055BF9918} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Popup Killer - {49E489BF-C4B8-11D6-9547-00C0DFF1DE9E} - C:\Program Files\NoPops\PopupKiller.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - C:\Program Files\SEP\sep.dll (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Promon.exe] Promon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Windows Explorer] vmmreg32.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb06.exe
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopupKiller] C:\PROGRA~1\NoPops\PopupKillerGUI.exe /nosplash
O4 - HKLM\..\Run: [w74U38T] keray.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\RunServices: [Windows Explorer] vmmreg32.exe
O4 - Startup: WinDates.lnk = C:\Program Files\WinDates\WinDates.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcDcToday.ocx
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\Autodesk\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\Autodesk\AutoCAD 2002\AcPreview.ocx

I could not fine even ONE of the files in your last post, is this a problem?

Andrea

Hi!

Just remembered one other thing.
This line:
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
Here's some info on cfd.exe:
splintercell990 May 18, 2004 (splintercell990 is a malware expert active on several security forums)
http://forums.net-integration.net/index.ph...indpost&p=74369
"BroadJump program on your computer. It is not a true spyware program, but it may have been installed on your system when
you got cable Internet from your cable company. The software collects information on your Internet activity and sends it
to your ISP so that your ISP can serve you advertisements related to the type of sites you visit."

Cheers!
RF

Hi RF,

I un-installed Broad Jump, thanks.

Andrea