Full Version: Dialer.6.g
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
Rib
Hi folks,

I was hoping that one of you lovely people can give me some help.
I have a problem with this Dialer.6.g trojan that keeps coming back all the time.
I've read the posts and stuff and from what I gather, if I show you my log from HijackThis you can sort it for me?
Currently running AVG again and as soon as it's done I'll be running the HijackThis program.
The desktop itself is XP, updated to the latest patches, got Sygate Firewall running (ZoneAlarm bled the system dry) and System Restore is off.
I remember having it months ago but a Windows update seemed to sort it - until now.
Not sure what else I can say, it's a known problem which from what I can see in these threads you clever buggers can sort out.
It's peeing me off now, it resets my homepage and adds a few items to my favorites, and also changes the search option within IE as well.
Your help would be muchos appreciatos.
CalamityJane
Hi Rib and welcome!

The dialer is a separate problem, I think due to the way AVG reports it. It would sure help if you tell us exactly what the alert is and what the file name and exact location (full path please) of what is being reported.

Then, yes, your HijackThis log (as I think the homepage resetting may be a different issue).
Rib
Hi there and thanks for getting back to me.
Well it sounds like I'm having a bit of bad luck at the minute!
I have attached the error message that I get, I'll attach the log on a new one straight after this.
It says its in the temporary internet files, but I've cleaned them all out, run AVG, run Adaware, and it just comes back.
Here you go.....
Rib
And here's my HijackThis log.
As you can see from this, the start page and search page are this mypoisk or something, and it also adds some favorites to my list.
I have to admit I do browse for a bit of blue movie fun (the temptations of Broadband proving too much) but I am usually very careful where I go and I never go anywhere where they ask to install some software first.
Didn't know whether this happening was part of the dialer, they seem to have come about the same time.
Again your help is appreciated.
CalamityJane
First, let me paste out the log here where it is easier to work with. I'll come back with some results when I've had a chance to go over it.

I think what is happening is a website you visit and it is simply sitting in your cache (Temporary Internet Files). You could search to see if AdultMovies[1].exe is anywhere on your system and let us know what you find.

Be sure to configure your PC to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Meanwhile you do need to clear out your cache if you haven't already done that yet.

I'll come back with an answer on anything needing fixing on your log.
............................

Logfile of HijackThis v1.97.7
Scan saved at 20:36:01, on 21/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\mypager.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\HJ\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com
O2 - BHO: (no name) - {001F2570-5DF5-11d3-B991-00A0C9BB0874} - C:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\family stuff\dads stuff\adads soft\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINDOWS\2020SE~1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: eBay Toolbar - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - C:\Program Files\eBay\eBay Toolbar\4.2.0.3\eBayBand.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Video Driver] C:\WINDOWS\mypager.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Winsock32driver] win32server.scr
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: eBay Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: eBay Toolbar (HKLM)
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f9edcb7d85eb6ceb18/...ip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7922.5019675926
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab
Rib
Nice one, you're a star.
Well I've just cleared out the cache again.
The thing is, there are 4 Users set up for this PC - how or what is the best way to clear all of them up at once?
I can delete the added favorites and reset the start page but it's on the other Users as well, and I worry that whilst I delete it out of one, I go to delete them on another and it appears on mine again.
I tried changing the start page in the registry yesterday too but it just changed back.
Oh and I searched for anything with 'adult' in and it came back with nothing.
It's definitely triggered by going to a site but I don't know which one and it worries me that it's sat there waiting to pounce.
CalamityJane
Go to the page I've marked below and get at least these three on your system.

IESPYAD (and make sure your Restricted Zone in IE has maximum security settings)

SpywareBlaster - get the updates to it then select all and protect against checked items.

SpywareGuard - get the updates to it, enable realtime, download and browser hijack protection.

Then also make sure you have ALL the Windows Critical Security updates:

The links for all of the above are in this page for you:
How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

I'm about done with your log and there will be some more things we need to do as I did find a trojan on there (just not a dialer). Back in just a bit.
CalamityJane
I'm going to keep you busy for a while...but we'll get you straight and protected - don't worry and take your time. I wanted you to get some protection going up there so you don't just keep getting reinfected

Let's get rid of the bad stuff that's on your log right now. You have a remote access trojan and some browser hijackers on there.

Please make a new folder to put your HijackThis.exe into. Anywhere on your hard drive is fine other than your Desktop or the Temp folder. We suggest you use C:\Program Files\HijackThis but feel free to use any name or folder you like. Unzip HijackThis again and save the contents (Hijackthis.exe) to the new folder you made. Then navigate to it and run HijackThis from there. This is to ensure it makes the necessary backups for recovery if needed.

Read the items on the list below where I have left notes...there are some preliminary checks and questions I have for you that need to be answered first.

Next, please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm

O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 216.93.168.167 sitefinder.verisign.com

O3 - Toolbar: 2020 Search - {4E1075F4-EEC4-4a86-ADD7-CD5F52858C31} - C:\WINDOWS\2020SE~1.DLL

Question only: O4 - HKLM\..\Run: [Video Driver] C:\WINDOWS\mypager.exe <--- Is this a valid program you know of? If not, checkmark it and let HijackThis fix it (this will just remove it from the startups, but I need to know if you recognize the program or not so we can determine what it is).

O4 - HKLM\..\Run: [Winsock32driver] win32server.scr <--- Hackarmy Trojan! (not a dialer but a remote access trojan...may be this one: http://vil.nai.com/vil/content/v_100723.htm)
Scan this file at Kaspersky Online Single File check to get the actual detection (copy the report at the end and paste it back here)
Single file check (KAV)
http://www.kaspersky.com/remoteviruschk.html

O4 - Startup: PowerReg Scheduler V3.exe

(Optional) O4 - Global Startup: eBay Toolbar.LNK = C:\Program Files\eBay\eBay Toolbar\4.2.0.3\ebaytbar.exe eBay Toolbar <--- reported as spyware as it "phones home" Probably best removed through Add/Remove Programs in the Control Panel if you wish to do so

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f9edcb7d85eb6ceb18/...ip/RdxIE601.cab

O16 - DPF: {FC3A74E5-F281-4F10-AE1E-733078684F3C} (Downloader Class) - http://www.2020search.com/toolbar/2020Search.cab
......................................................
Making sure you configured your PC to show hidden files as instructed earlier, then reboot your PC into SAFE MODE:

How to start the computer in Safe mode (all)
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Delete the file: win32server.scr

Reboot back into normal mode

Download and run these two free Antispyware scanners. You can keep these on board as well for recommended weekly updating and scanning to keep your PC clean

Updating them first is very important - please do not skip that step.

Download Adaware (get the free edition)
http://www.lavasoft.de/software/adaware/

After downloading and installing, please update the program (it is important to get the updates before scanning). Just open Ad-aware and click on *Check for Updates Now* and then *Continue*. Let them download and install......then press the *Scan now* button. Let it fix what it finds.

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

.......................................................
Next
Download Spybot Search and Destroy
http://www.safer-networking.org/

How to Use Spybot
(click on the Tutorial link at the top in the program)

How to Update Spybot
http://www.safer-networking.org/index.php?...o&detail=update
1. Click on 'Online' in the navigation bar,
2. Click on 'Update',
3. Search for available updates,
4. Select ALL available updates,
5. Select a download location nearest to you,
6. Download the selected updates.
Updates will be installed without any further action needed.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Spybot has an Immunize feature that works with SpywareBlaster. Use it (click on it to immunize to further protect your system)
............................
Now, please reboot once more. Scan again with HijackThis and post a fresh log back here to see what remains.
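The checks in the post above (IE start and search pages pointing at an unknown domain, hosts-file lines that send well-known hostnames to a foreign IP, a .scr file started from a Run key, an executable sitting directly in the Windows directory, an ActiveX control pulled from a raw IP address) are the kind of thing a helper applies by eye. The script below is an added example, not code from the thread or from the HijackThis project: it parses log lines in the R0/R1, O1, O4 and O16 formats shown on this page and flags them with the same heuristics. The sample lines are constructed from the first log in the thread (plus one harmless localhost hosts entry to show a non-finding), and the allow-lists, the "core system binary" list and the `C:\WINDOWS` root check are assumptions for the demo rather than anything HijackThis itself does.

```python
"""Heuristic triage of HijackThis-style log lines (added example).

Encodes the checks the helpers in the thread applied by hand so that a log
can be pre-screened before a human reads it. Allow-lists, the core-binary
list and the Windows-root path are assumptions for this demo.
"""
import ipaddress
import ntpath
import re
from typing import List, Tuple
from urllib.parse import urlparse

# Assumed allow-lists; tune per machine in real use.
LOOPBACK = {"127.0.0.1", "::1"}
TRUSTED_SEARCH_HOSTS = {"www.google.com", "search.msn.com", "www.msn.com"}
RISKY_EXTENSIONS = {".scr", ".pif", ".bat", ".com"}
CORE_SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe",
                        "services.exe", "smss.exe", "csrss.exe"}
WINDOWS_ROOT = "c:\\windows"  # assumed; the log shows the OS lives here

RE_R = re.compile(r"^R[01] - (?P<key>.+?)\s*=\s*(?P<value>.*)$")
RE_O1 = re.compile(r"^O1 - Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
RE_O4 = re.compile(r"^O4 - (?P<where>.+?):\s+(?:\[(?P<name>[^\]]*)\]\s+)?(?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF:\s+.*?\s-\s(?P<url>\S+)")
# First token that looks like an image path, quoted or not, with or without arguments.
RE_IMAGE = re.compile(r'^"?(?P<img>.+?\.(?:exe|scr|pif|com|bat|dll|cpl))"?(?:\s|,|$)',
                      re.IGNORECASE)

# Constructed sample in the format of the first log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: 216.93.168.167 auto.search.msn.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\..\Run: [Video Driver] C:\WINDOWS\mypager.exe
O4 - HKLM\..\Run: [Winsock32driver] win32server.scr
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - Global Startup: winlogon.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/04f9edcb7d85eb6ceb18/...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
"""


def _image_of(cmd: str) -> str:
    """Extract the program image from an O4 command line."""
    if " = " in cmd:                      # Startup-folder form: "name.lnk = C:\target.exe"
        cmd = cmd.split(" = ", 1)[1]
    m = RE_IMAGE.match(cmd.strip())
    return m.group("img") if m else cmd.strip()


def _check_ie_page(key: str, value: str) -> List[str]:
    """R0/R1: start or search page pointing at a host outside the allow-list."""
    if not value.lower().startswith(("http://", "https://")):
        return []                         # empty values are residue, not a redirect
    host = (urlparse(value).hostname or "").lower()
    if host and host not in TRUSTED_SEARCH_HOSTS:
        return [f"IE setting '{key.rsplit(',', 1)[-1]}' points at untrusted host {host}"]
    return []


def _check_hosts(ip: str, host: str) -> List[str]:
    """O1: any hosts-file mapping that is not loopback redirects that name."""
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return [f"malformed hosts entry for {host}: {ip}"]
    return [] if ip in LOOPBACK else [f"hosts file redirects {host} to {ip}"]


def _check_autorun(cmd: str) -> List[str]:
    """O4: risky extension, system-binary name outside System32, or image in C:\\WINDOWS."""
    image = _image_of(cmd)
    base = ntpath.basename(image).lower()
    ext = ntpath.splitext(base)[1]
    directory = ntpath.dirname(image).lower().rstrip("\\")
    reasons = []
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"autorun image uses a {ext} extension ({base})")
    if base in CORE_SYSTEM_BINARIES and not directory.endswith("\\system32"):
        reasons.append(f"{base} shadows a core Windows binary but does not run from System32")
    if directory == WINDOWS_ROOT:
        reasons.append(f"executable dropped directly in the Windows directory ({image})")
    return reasons


def _check_dpf(url: str) -> List[str]:
    """O16: ActiveX control served from a bare IP rather than a vendor hostname."""
    host = (urlparse(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return []
    return [f"ActiveX control downloaded from a raw IP address ({host})"]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (log line, reason) pairs for every line a heuristic flags."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        if (m := RE_R.match(line)):
            reasons = _check_ie_page(m["key"], m["value"].strip())
        elif (m := RE_O1.match(line)):
            reasons = _check_hosts(m["ip"], m["host"])
        elif (m := RE_O4.match(line)):
            reasons = _check_autorun(m["cmd"])
        elif (m := RE_O16.match(line)):
            reasons = _check_dpf(m["url"])
        findings.extend((line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"{why}\n    {flagged_line}")
```

Run stand-alone it prints seven findings for the constructed sample: both mypoiskovik.com page settings, the auto.search.msn.com hosts redirect, mypager.exe in the Windows root, the .scr Run entry, the winlogon.exe startup entry, and the RdxIE control fetched from 207.188.7.150; the AVG, localhost and Macromedia lines pass. The output is a triage list, not a verdict: the winlogon.exe rule in particular is a name-based heuristic, and an entry it flags still needs the file examined (the thread does exactly that with mypager.exe through an online single-file scan) before anything is deleted.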
Rib
And he strode into the night with cigarette in hand....

Will get back to you.

By the way, as regards any questions - I don't recognise mypager; from what you say I think we're alright that it's not needed. As for the rest, I'll be able to sort it out.
Rib
All done.
Thanks a lot for your help on this.
Ran all the programs and just about sorted.
Still getting this start page changing and search page, but one of the programs you said to try is warning me and letting me keep it how it was.
The win32server seems to be gone, done another HijackThis scan and it ain't there.
I would love to carry on but I really must sleep now, so I'll - Read our board rules - on when I get back from work tomorrow.
But the programs have found things, spybot got a few and so did adaware.
The thing with adaware is that whenever I run it it comes back with the same results - say 23 processes found each time, even though I get rid.
It'll definitely not be getting as much grief with these spyware programs running!
Thanks again, will check back tomorrow.
Now I must sleep.
CalamityJane
Have a good sleep Rib

We'll be here and ready to resume when you are.

We'll probably need to see a new HijackThis log after running those programs. I'm feeling better knowing you have them and some protection at this point. The rest we can clear up as you are able.

I'm a little concerned about this mypager.exe directly in the Windows folder. When you get back to it I would like to know what a right click and a look at the tab marked Properties (and any other tabs listed) provides. I would also ask you to run that through the Kaspersky online check I linked earlier to see if it is viral or a trojan.
Rib
Good evening and good day. Well actually it was a Monday and they suck.
Just here to say I'm back. Gonna just go offline for the next half hour or so, run these spywares and do another hijackthis.
Will post when I'm done.
Hunter
Hey RIB,
make sure you update that Lavasoft Ad-aware program, since they had some updates over the weekend. For all the items it comes up with, put a checkmark in front of each and then let Ad-aware clean them off.
Rib
Well that took a lot longer than I thought but here goes.
All programs updated as of today.
Ran AVG, came back clean. But something weird - it starts at 800meg....?
Thought that was strange so did a scan from the right click on C:\WINDOWS, and nothing. Hell I even did a scan on mypager.scr itself and it said it was fine!
But if you see attached, I ran it along that virus checker and it came back saying it was a trojan. I checked the properties on it and thats attached too.
Ran Spybot S&D which came up with some objects, selected to be protected. Not mypager though. Then I ran Ad-aware - in the middle it came up with Java/ByteVerify virus found in C:\Program Files\Lavasoft\Adaware6\cache\a.class.
Finished it off to run AVG again.
Will check back in a mo, just gotta sort stuff out for work cos I'm on call (BOO).

Oh and here's the latest HijackThis log....

Logfile of HijackThis v1.97.7
Scan saved at 21:14:40, on 22/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJ\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\family stuff\dads stuff\adads soft\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7922.5019675926
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
Hunter
"Then I ran Ad-aware - in the middle ity came up with Java/byte verify virus found in C:\Program Files\Lavasoft\Adaware6\cache\a.class."

AVG and Ad-aware can come up with some strange things I want you to know about. When you run Ad-aware while AVG is also running with the Guard it has, Ad-aware has to open files to scan them, and AVG Guard can pop up and tell you it is seeing that action and those files.

I would clean out that Ad-aware quarantine folder and then the Spybot restore folder also, after you are sure you are not going to need any of those again as a backup to repair an action you have taken.
Hunter
here is some more info on that cache file of adaware


The Ad-aware cache is a temp file that empties when AAW is finished.

If you have any quarantined file in your antivirus, AAW will scan (open up) it and then the antivirus will say it found a virus in the CACHE of Ad-aware.

Hope this helps?

When a "virus" is found in the AAW cache it is because Ad-aware is examining a file.

Note: Norton AntiVirus has been used as an example in this topic, but the same thing applies to any AntiVirus program that displays a warning during the scan with Ad-aware 6.

Hello.....
I hope to explain your misconceptions of the Ad-aware 6 program if there are any resulting from this kind of warning..
The Trojan or Virus warning you received means that the reported file was infected before and is residing in your system, it has nothing to do with the Ad-aware 6 program.
During the scanning process, Ad-aware 6 makes a local copy of the files it is about to scan (not executing them, of course) in a temporary folder that it creates within the Ad-aware 6 folder called cache, while Ad-aware 6 has the infected file open to scan, NAV sees it and reports it as infected. When the scan is finished the file is closed, there is no possible way for the file to execute during this process. When Ad-aware 6 has completed the system scan, the cache folder is deleted, that is why you cannot find it.
To be honest, the powerful scanning process that Ad-aware 6 uses has made it possible for your NAV to "see" this infection, something that it did not see on its own. Now that you know that it is there, you can take the proper steps in getting rid of this infection.
Most of the time NAV will give you the option to Quarantine\Remove\Ignore the file; it is highly suggested to have NAV quarantine the file if you have the opportunity.
Then....
Since you have these files in quarantine, you may want to follow the NAV submission instructions and have them look at them.
After submitting them, I would also suggest rescanning your computer(s) with NAV. Make sure that you have the latest virus definitions for NAV using the Intelligent Updater: http://securityresponse.symantec.com/avcen...ges/US-N95.html
....or use the LiveUpdate feature.
Then run Ad-aware 6; if anything new is detected by NAV, have it quarantine them and repeat the process. The instructions that NAV has sent to the others that have submitted like files that I have read so far are to delete the files and replace them if necessary. You can use your own judgement there. If you do submit them to Symantec, you should receive instructions on how to proceed.
OK........
If you do not get the option to quarantine the files....
The solution is the following:
When NAV reports this file it will list the path to it.
This file may be in an archive....
The last entry in that path will be the Archive Filename.
Search for a file named XXXX, where the X's are the name of the Archive file in the path.
This file includes the infected file, and has nothing to do with Ad-aware.
You should unzip, and remove the infected file, or delete the entire archive.
It is advisable to copy the file to a 3.5 floppy for backup just in case, however if it is in an archive, it is in all probability not needed.
After you have removed the file, re-run Ad-aware 6 and the warning should not re-appear, if it does, repeat the process on the new one found.
Also, when you find the file, you may wish to submit it to Symantec for evaluation like I mentioned above.

These instructions are basically the same for all AntiVirus software out there that "discover" a virus during an Ad-aware 6 scan.
Rib
Nice one, thought the buggers had got to that as well!
Cleaned some of the old stuff out, but at least I know about that message now.
It certainly fits the bill - it doesn't find anything when Ad-aware is shut.
Everything's coming up fine, nothing's picked up mypager.scr.
Should I just delete it? I don't have to worry about it being a system file anymore.
It's definitely a trojan as you can see from the attachment on an earlier post.
Any ideas on AVG starting at 800meg as well? I've allowed all hidden files to be viewed.
I'm just a bucket of niggles. Feel free to kick at any point.
Hunter
Let me look at that all after dinner tonight. Did you ever send a copy of that mypager to Jane? Did not even know if she asked for it. See ya later.
Rib
She was concerned about it and asked me to run it through that KL virus checker, which came back with the message that it was a trojan, but nothing picks it up.
I do remember Sygate asking if it could access the internet a while ago but I selected it to not access.
I could upload it onto here if you want but I didn't want to do that without checking that it ain't gonna try anything on at your end.
I got the properties pasted on too of mypager.scr which Jane asked for, it reckons its some kind of compatibility software.
Well I'll probably be on til about midnight, hopefully won't be getting called out in the night or I might be back on sooner!
I'll check back in the morning aswell, then I'll be back home and logged on by about 7 tomorrow.
Take it easy, thanks for your help so far.
Enjoy your dinner!
Hunter
Yes go ahead and upload it here in a zip and then I will delete it afterwards so no one plays with it except da guru

Thanks RIB
CalamityJane
I'm here....go ahead and upload it in a reply to this thread or email to me if you still have my address.

To upload a file with a reply, click on the reply button, type some text in this box and then click on the *browse* button underneath the message box.....browse to the file, highlight it, press open and then hit *reply* . Don't use the preview - that will wipe out the attachment and you will have to browse to it again.
Rib
Good Morning all.
Attached is the mypager in a zip.
I trust you will all have a good day, I'll be back at the end of mine!

Edited to remove attachment
Peter Lange
Hi Rib!

Downloaded and scanned your ZIP!

Antivirus Kit 2004 realtime scan reports it as Trojan.Win32.ICQPager.a !!!

So be aware! But let the experts here prove it!

Best wishes!

Peter
CalamityJane
Hi Rib,

Got it! Thanks - I'll make sure AVG gets a copy to add to their detections. Please go ahead and delete the file.

(@Peter - It has already been scanned at the KAV online file check and yes, it is a trojan, but AVG missed it, so that is why I wanted a sample.) ;)
Rib
Cheers Jane, now deleted!

Well there doesn't seem to be much left now, though if I could just squeeze in one last request.......
The search/start urls are still changing everytime I log in.
Spyguard tells me that it wants to change and I can get through the options with 'keep old value', but I could do without it happening at all.
Since I started this discussion I've not gone on any websites other than spyware download places.
None of the other spyware programs (Ad-Aware ((Cheers Hunter)), Spybot H&S, SpywareGuard and SpywareBlaster) seem to sort it, though as I said the Spyguard at least lets me stop it from changing each time.
Cheeeerss.....
Peter Lange
OOPS! :oops:

Oh Jane, please forgive my fault!

I'm so unworthy! ;)

Now I remember I read it before above! I'm getting older every day I'm afraid! ahah.gif

But nevertheless keep correcting me when I'm doing nonsense! Please!

So long! Peter flowerz.gif
CalamityJane
Hi Rib,

Could we see a fresh HijackThis log?

@ Peter {{{Hugs}}} :hug: I didn't think you saw page 1 (no worries) flowerz.gif
Peter Lange
:thx: Mam Jane!

You saved my day! ahah.gif

Peter
Rib
Howdy folks, apologies for the delay.
Attached is my hijack log.
I reset the search utils with one of the spyware programs, so they say blank at the minute and don't change because of Spyguard letting me keep it as the old value.


Logfile of HijackThis v1.97.7
Scan saved at 20:24:31, on 23/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
C:\Program Files\Silicon Image\SiISATARaid\SATARaid.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJ\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\family stuff\dads stuff\adads soft\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SATARaid.lnk = ?
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7922.5019675926
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
CalamityJane
Hi Rib,

I see the http://mypoiskovik.com is back. <_<

I know we removed it once already. Is this what it keeps wanting to change to?

Do you know what this program is running at startup?
O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe

You can use HijackThis to fix these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
Rib
Evening there,
I ran the hijackthis and fixed the searches but it still seems to come back.
There are multiple user accounts on the PC, and it sets it for them all.
Would running it in safe mode and running the spys and hijack fix the problem, with the global administrator login? I built the thing so I got administrator access but if I change something on my account does it change it for them all? It adds some urls to the favorites of all accounts along with start page and search engine.
I also searched for this mypoisek.. thingy and there's nothing about anyone else complaining of it. As I've said I can sometimes have a look at the bluer side of the internet but I know not to be signing up or willingly downloading their pap.
Oh and that SiPix thing is something for this tacky camera effort someone got.
CalamityJane
First, let me explain how this stuff gets on your system in the first place.

It can happen without your consent or even knowledge (or it can come bundled with software you DO willingly download but may not be aware it comes with other pests on board). ActiveX downloads and hijackers using Windows exploits on an unpatched system are the other culprits.

See here for a full explanation and why, in the very beginning of this thread, I recommended those programs and the Windows Critical Updates for you (to avoid possible future reinfections).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

Running the HJT scan in Safe mode is useless (we need to see what's running). If you turn off the bad guys, we can't see them.

Of your startup items (the O4s), this is the only thing I can see that I can't quite get a good feel on so I wonder if you wouldn't mind doing a *fix check* on it to stop it from starting up (that won't delete the file or program FYI - just stops it from startups) and tell me if this keeps happening. (I'm also including an orphaned toolbar item I spotted on the log. It's not doing anything with no file attached anymore, but might as well get rid of the entry)

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)

O4 - HKLM\..\Run: [DELUXECC] C:\WINDOWS\twain_32\SiPix\SCDeluxe\DELUXECC.exe

I also need for you to write down exactly everything SpywareGuard is telling you when one of those alerts pops up and let us know that.


Lastly....it would be a good idea to take a look at the logs for other users. Something might be in there that is causing the problem.
Rib
Now then now then.
Well its taken me a while but basically I've done this:
Logged into all user accounts simultaneously. Cleared Cookies, Temporary Internet Files. Deleted the favorites that it adds in each user.
Ran Hijack on each user, to fix the start page etc.
Gone back to my login, ran all the spyware I have. SpyGuard report is below.
Ad-Aware is still running, as soon as it is finished I will reboot - fingers crossed eh!
Can I just confirm that fixing something in hijack removes it from startup, but doesn't bugger the program up?
That would be useful, I don't need SataRaid I just installed it for the drivers for my mates PC (the joy of installing a serial ATA drive with XP and having to install 3rd party drivers which needs another machine running it!).
I've done all you asked as well.
Will bell back when rebooted to let you know if they're back.
I can hear my bed calling me!

BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On (whenever I switch on) date a browswer page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name:Search Page
Old Value: <none>
New Value: http://mypoiskovik.com/index.htm
Restored old value.

BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On (whenever I switch on) date a browswer page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name:Start Page
Old Value: <none>
New Value: http://mypoiskovik.com/index.htm
Restored old value.

BROWSER HIJACK ALERT - BROWSER PAGE CHANGED
On (whenever I switch on) date a browswer page change was detected.
Registry Location: HKCU\Software\Microsoft\Internet Explorer\Main\
Value Name:Search Bar
Old Value: <none>
New Value: http://mypoiskovik.com/sp.htm
Restored old value.
Rib
Yup it still happens.

Night Jane, will be back tomorrow.

Rob
CalamityJane
Yep, something sure is trying to change your Search and Start pages.

Ok - so we have a plan and can continue this tomorrow :thumb:

As far as how HijackThis works....it won't delete the O4 items you check, just stops them from startup. Some that are running in Memory have to be ended with the Task Manager first before they can be fixed. Some programs, they just come back though and you have to do it through the program itself (RealPlayer is one).

You can try using HJT to stop the SATARaid.exe from startups. Won't hurt anything. You can always use the HJT backups to recover it if you like.

Some items (the O2s, O3s and O16 items) HJT does delete the file so do be careful doing stuff on your own. That said, however, on the O16 items even if you get rid of one by mistake, next time you use the program or visit the website that needs it, it will ask to download again (via ActiveX). If it is not a nice program - it won't ask, it will stealth install on you. That's why ActiveX should be set at a prompt in the Internet zone, at a minimum, in your browser security settings.

I'm hopeful the other user logs will be a help in this :)

Have a good night Rib


flowerz.gif
Rib
Good evening,
It seems that dialer.6.g is causing a few probs lately!
Definitely glad you guys are here, and very grateful for the help so far.
Well I seem to be rid of my trojans at the mo crying.gif touch wood, its just these annoying page changes!
Not sure where to go from here, everything shows clear....
CalamityJane
Hi Rib, is that dialer still showing up on AVG alerts?

I don't think that was responsible for the home and search page changing. Did you want to list the logs for the other users? Maybe we'll find something in there.
Rib
Nope that dialer seems to be gone.

See below for other user hijack logs.

Mine:

Logfile of HijackThis v1.97.7
Scan saved at 21:19:53, on 24/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\MediaFACE II\MediaFace.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_ATMS03.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_ARUN03.EXE
C:\New Folder\R\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\family stuff\dads stuff\adads soft\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GoogleToolbar.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7922.5019675926
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Other User:

Logfile of HijackThis v1.97.7
Scan saved at 21:18:08, on 24/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\New Folder\D\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\family stuff\dads stuff\adads soft\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus COLOR 480SXU] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_AICN03.EXE /P25 "EPSON Stylus COLOR 480SXU" /O6 "USB001" /M "Stylus COLOR 480SXU"
O4 - HKCU\..\Run: [DailyFHMCluster] Uninstaller will remove
O4 - HKCU\..\Run: [FHMCluster] C:\Program Files\Daily FHM\skinkers.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar_en_2.0.106-big.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar_en_2.0.106-big.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar_en_2.0.106-big.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar_en_2.0.106-big.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar_en_2.0.106-big.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7922.5019675926
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

Other User:

Logfile of HijackThis v1.97.7
Scan saved at 21:17:04, on 24/03/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\New Folder\K\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mypoiskovik.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mypoiskovik.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - e:\family stuff\dads stuff\adads soft\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: winlogon.exe
O8 - Extra context menu item: &Google Search - res://c:\windows\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\windows\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\windows\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\windows\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\windows\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: FlashGet (HKLM)
O9 - Extra 'Tools' menuitem: &FlashGet (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: axscanner - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: axscannerruntime - http://www.pestscan.com/scanner/axscannerruntime.cab
O16 - DPF: mscomctl - http://www.pestscan.com/scanner/mscomctl.cab
O16 - DPF: msvcp71 - http://download.pestpatrol.com/Downloads/C...nts/msvcp71.cab
O16 - DPF: msvcr71 - http://download.pestpatrol.com/Downloads/C...nts/msvcr71.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7922.5019675926
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/html/software...tivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

There is another user account set up but that hasn't been accessed for ages, and when I was clearing the favorites of all users through docs and settings I noticed this user didn't have the favorites and stuff, so I figured this account hasn't been affected and thought it better to leave it that way....?

I'll check back in a bit, cheers for looking.
CalamityJane
I can't see anything obvious Rib. The one glaring thing I notice is that you do not have your service packs installed on your Operating System. This means you need to go to Windows Update and get ALL the recommended critical security updates. It could be that you all are just getting it switched by a webpage using an exploit in windows for which you are not patched.

http://v4.windowsupdate.microsoft.com/en/default.asp

I'll ask some of the other experts to drop by and see if they can spot anything else for you. Something is changing those pages!! So keep checking back every so often. We may find the answer yet (or another victim that could hold the key - you never know)
Rib
No probs Jane, thanks for all your help on this one.
I guess I got a bit slack there, where I work we got a phat firewall that takes care of everything, I do all my online banking and ordering there so I don't have to worry about doing it at home.
Well I'll be keeping it as secure as I can from now on, and I'll sort Service Pack one.
Thanks again for helping with all this, I am not worthy!
Will keep tabs on the site from now on.
Rob
CalamityJane
Happy to have you with us Rob. Anytime we can help - let us know flowerz.gif

I'm hoping someone else can come up with some ideas on that search hijacking
CalamityJane
Ok Rob, This file - please locate it and upload as an attachment to your reply here:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe

We want to take a look at it

{thanks for seeing that LoPhatPhuud} :thumb:
FatsGordon
Sorry for jumping in, CalamityJane, but Rib, can you check the Properties (and post them here) of these two files?

C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe


It could be that one of them (probably the second one) is not legit, but just to be sure...

Thank you!
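The look-alike check FatsGordon and CalamityJane are asking Rib to make by hand, as an added example that is not part of the thread or of HijackThis: a Python script over HijackThis log lines (a constructed excerpt of the logs posted above) that flags core Windows binaries running from anywhere but C:\WINDOWS\System32, startup items that borrow such a name, and R0/R1 start/search entries pointing at a host the owner did not choose. It assumes Windows is installed at C:\WINDOWS, as in the logs.

```python
r"""Triage for HijackThis log lines (added example, not the forum's or
HijackThis's own code). Core Windows binaries belong only in the system
directory, so svchost.exe or winlogon.exe anywhere else is a look-alike;
R0/R1 URLs on a host the owner never chose are the start/search hijack.
Assumes Windows is installed at C:\WINDOWS, as in the posted logs."""
import re
from urllib.parse import urlparse

# Names that legitimately run only from %WINDIR%\System32 on Windows XP.
CORE_SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe",
                        "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32"}

# Constructed excerpt: lines from the logs posted above, plus one
# non-URL R1 line (Window Title) so that case is exercised too.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe
C:\Program Files\SpywareGuard\sgmain.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mypoiskovik.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://mypoiskovik.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: winlogon.exe
"""

O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
R_RE = re.compile(r"^R[0-3] - (?P<key>.+?) = (?P<value>.+)$")


def split_path(path):
    """Lower-cased (directory, basename); a bare name gives directory ''."""
    head, _, base = path.strip().lower().rpartition("\\")
    return head, base


def first_token(command):
    """Executable part of a Run-key command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def is_lookalike(path):
    """True when path borrows a core system binary's name outside System32."""
    directory, base = split_path(path)
    return base in CORE_SYSTEM_BINARIES and directory not in LEGIT_SYSTEM_DIRS


def suspicious_processes(log_text):
    """Entries under 'Running processes:' that are look-alikes."""
    hits, in_procs = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and not line.strip():   # blank line closes the section
            in_procs = False
        elif in_procs and is_lookalike(line):
            hits.append(line.strip())
    return hits


def suspicious_startup_items(log_text):
    """O4 entries whose target is a look-alike, e.g. winlogon.exe in Startup."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("[") and "] " in rest:   # [Name] command line
            target = rest.split("] ", 1)[1]
        elif " = " in rest:                          # shortcut.lnk = target
            target = rest.split(" = ", 1)[1]
        else:                                        # bare file name
            target = rest
        if is_lookalike(first_token(target)):
            hits.append(line.strip())
    return hits


def hijacked_pages(log_text, trusted_hosts=()):
    """(registry key, host) for each R0/R1 URL whose host is not trusted."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for line in log_text.splitlines():
        m = R_RE.match(line)
        if not m:
            continue
        value = m.group("value").strip()
        if not value.lower().startswith(("http://", "https://")):
            continue                                 # e.g. Window Title
        host = (urlparse(value).hostname or "").lower()
        if host not in trusted:
            hits.append((m.group("key"), host))
    return hits


if __name__ == "__main__":
    print("look-alike processes:", suspicious_processes(SAMPLE_LOG))
    print("look-alike startup items:", suspicious_startup_items(SAMPLE_LOG))
    print("hijacked pages:", hijacked_pages(SAMPLE_LOG))
```

Against the posted logs this reports exactly the two files the helpers asked for (the svchost.exe directly under C:\WINDOWS and the winlogon.exe in the All Users Startup folder) plus the mypoiskovik.com search entries.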
Rib
Evening folks.
Well I had some stuff to do and some men to see about some dogs but I'm back.
Few things to be doing, I'll start with the first - Happy Belated Birthday Jane! tease.gif
And your number two as well - file is attached. I did wonder about that one but just figured it was the process that starts the logon, fallen into their trap already!
As for number three that's FatsGordon - the one in startup being 12kb, the one in system32 is 420kb.
As for the properties - I will continue in a moment and post the screenshots on the next post......

Edit by CalamityJane: Thanks! Got it, attachment now removed :)
Rib
And now for Fats - alright there, thanks for joining in!
Attached screenshots of SVCHosts.
And I noticed something else.....I have set the settings to show all hidden files, including system files. I did this on the C drive, and checked it in the WINDOWS folder. Yet when I went into the Windows folder they came up hidden. Checked again, and they're set to not hidden.....?
Cheers for looking.
PS In C:/WINDOWS there is also svchost.log and svcpack.log.
In C:/WINDOWS/SYSTEM32 there's svcpack.dll (as well as the svchost.exe).
CalamityJane
Hi Rob,

Can you upload this one (the one directly in the Windows folder - not the one in System32)

C:\WINDOWS\svchost.exe
Rib
Glad to be of service ma'am...... ;)

Edit by CalamityJane: Thanks, again! Got it. Attachment now removed
CalamityJane
Thanks Rob,

Ok:

Reboot your PC into Safe Mode:

How to start the computer in Safe mode (all)
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Rename these files:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogon.exe <--rename file to winlogon.old (change the extension to old)

C:\WINDOWS\svchost.exe <--rename to: svchost.old (change the extension to old)

Then reboot back into normal mode - fix your search and start pages and tell us if it changes again.

Scan again with HijackThis and post a new log please.

Also - did we have you download and run the CWShredder?
Rib
Are you sure that Trojans are a bad thing, as it seems like my computer needs one to run.
I just got a message saying I got ICQPager Trojan in C:\Windows.
Scanned the folder with AVG and it found it, so it ran AVG Test.
It's running now, but any ideas on why it's still starting at 800 meg?
It says its starting to run, then the number of files checked starts at zero and the Bytes tested goes straight to 800 meg.
Just like to point out again I have unhidden all folders, I keep checking as its almost like its not reading some files (possibly made to by something to deliberately miss certain folders).
Hey can I be a conspiracy theorist?
They're all out to get me :blink:
Hunter
Hi Rib,
Question.

When you log into that PC are you just another user..or are you logged in as the Admin?