Full Version: Can't get rid of downloader trojan
StudioG
I have a problem on my pc.

Every time I boot up, I get an internet explorer page about:blank that shows up. I have favorites stored that I have not saved - topics of an off color nature. I have run adaware and spybot search and destroy and they have both given me lots of things to fix. I've fixed them, but then have the problem all over again. I've also tried turning off my system restore and running the above mentioned programs, but to no avail.

Every time I double click on Internet explorer, I get a series of McAfee virus warnings about files. All refer to the downloader-** virus. Substitute various letters for **.


I'm running Windows XP

Here is the hijackthis file: please let me know if you see anything that needs attention. Thanks!

Logfile of HijackThis v1.99.1
Scan saved at 7:45:05 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\DakTray.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Bruce Goulette\My Documents\virs and trojen help programs\hijackthis\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6324094F-2875-EF02-7B79-E44ABD6291EB} - C:\WINDOWS\system32\sdkwa.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Dakota Tray] DakTray.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://dommlp05.meadwestvaco.com/iNotes6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...478/mcfscan.cab
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Thanks for your help!
Mosaic1
Before we begin please go to this link:

http://virusscan.jotti.org/

Upload this file for a free scan and then come back and paste in the scan results in your next reply.

C:\Program Files\Internet Explorer\iexplore.exe
StudioG
Wow! That was a fast response. Thanks!

I assume you meant to upload the hijackthis text file, so I did and this is what I got.


Service
Service load: 0% 100%

File: hijackthis.log
Status: OK
MD5 b2e04e6147cf8aaa98da856e0344e977
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
Mosaic1
We're pretty fast here. I meant an actual copy of your iexplore.exe

It is set to start each boot and so I want to be sure it isn't infected with anything.


Go ahead back to the scan site and see if it is infected. If not, then follow the instructions. If it is infected, come back and let us know right away.


You will be restarting into Safe mode later.
Go here for directions if you need help:

http://service1.symantec.com/SUPPORT/tsgen...001052409420406
---------
Download CWShredder from this page:
http://www.intermute.com/spysubtract/cwshr...r_download.html

Don't run it yet.
-------

Download AboutBuster created by Rubber Ducky.

http://www.downloads.subratam.org/AboutBuster.zip

Unzip AboutBuster to the Desktop then click the "Update Button" then click "Check for Update" and download the updates and then click "Exit". We don't want you to run it yet. Only get the updates so it is ready to run later in safe mode.
-----------------------------------------

Restart into Safe Mode.


Go to Start>Run and type Hijackthis. Press enter to start HijackThis. DO NOT OPEN ANYTHING ELSE!

Select these items and press the fix checked button:



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6324094F-2875-EF02-7B79-E44ABD6291EB} - C:\WINDOWS\system32\sdkwa.dll
O2 - BHO: GetPostLog module - {C9B0D3DC-DC2B-4a17-8E34-02CD4C1E573F} - C:\WINDOWS\gpl.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

Delete these files if they still exist:

C:\WINDOWS\system32\rjfvr.dll
C:\WINDOWS\system32\sdkwa.dll
C:\WINDOWS\gpl.dll


-------------------------

Run About:Buster
-------

Run CWShredder and press the fix button to clean.
-------

Empty your Temporary Internet Files and history in Internet Options.
It's a good idea to do that regularly.


Go to Internet Options>Programs
Click the reset Web Settings Button to reset your home and search pages.


Restart into Regular Windows.


---------------

Go to this link and run the free AV scan to clean up any leftover files:

http://housecall.trendmicro.com/housecall/start_corp.asp
-------------------


If you were using a Hosts File it was deleted.

Download the Hoster from the link below. Click Restore Original Hosts. Click OK.

www.funkytoad.com/download/hoster.zip

--------
control.exe may have been deleted.
Follow instructions here to replace it: http://www.spywareinfo.com/~merijn/winfiles.html#control
----

Check C:\windows\System32 to be sure you have a file named Shell.dll

If missing, go to C:\windows\system

find shell.dll and copy it to the System32 folder



------

Go here and follow the directions to reset your ActiveX
http://www.computercops.biz/postt7736.html


Run HijackThis again and post the new log in your next reply in this same topic.
MissScrapsAlot
Here's the result of the internet explorer scan

Service load: 0% 100%

File: IEXPLORE.EXE
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 418d301c3b1fa94b19584aeeb3d65166
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing


I'll go do the other things you mentioned now, and be right back.
Mosaic1
Those directions were for StudioG


Are you MissScrapsAlot the same person?

If so, ok. If not, then please do not continue. Start your own topic and post your log there. We can only help one person at a time.

Mosaic1
Hunter
Hmm strange stuff..I think Shannon was doing all that typing in any case.. :LOL:


woof woof
MissScrapsAlot
I didn't have these entries to fix when I ran hijackthis in safe mode

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129

I had all others and said to fix them.

When I restarted in regular mode, I got the following error message:

Title: System Configurations Utility
You have used the System Configuration Utility to make changes to the way Windows ????

The system Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts.

Choose the Normal Startup mode on the General tab to Start Windows normally and undo the changes you made using the System Configurations Utility.

I hit ok, but did not go to the System utility to Choose Normal Startup mode. Should I have?


Then I got the about:blank page again when I first hit Internet Explorer to run the free AV scan after restarting in regular mode.


How should I proceed?
I have not run the free AV yet
I'm not sure if I need to do what you referred to about a host
I haven't continued past the free AV step at all yet.


I'll wait to hear what you suggest. Thanks so much!
MissScrapsAlot
Yes, I'm also MissScrapsAlot! My husband's pc is StudioG and I am using my laptop to follow along while I fix his pc. My pc is logged in as MissScrapsAlot. So sorry for the confusion.
Mosaic1
No. You should not have allowed normal mode. If it happens again, put a check in the box saying do not ask me again.

May I see a new hijackthis log please?
MissScrapsAlot
Funny....now those entries are there. I could not find them in Safe Mode.


Logfile of HijackThis v1.99.1
Scan saved at 9:47:06 PM, on 5/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\System32\DakTray.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Bruce Goulette\My Documents\virs and trojen help programs\hijackthis\hijackthis\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Dakota Tray] DakTray.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://dommlp05.meadwestvaco.com/iNotes6.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...478/mcfscan.cab
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Mosaic1
That screen you mentioned came up because you had been in safe mode.

Close up Internet Explorer and fix these items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R3 - Default URLSearchHook is missing


O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto


Sign off and back onto Windows.

See if this file exists and delete it if it does.

Then Run the AV scan.

May I see the about:Buster log too please?
Were you able to run CWShredder?

Anything else you weren't able to complete, please do as well.
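
The before/after log comparison this thread does by eye, as an added Python example that is not part of the original posts. The sample lines are copied from the two HijackThis logs above; the three flagging heuristics are illustrative assumptions modelled on entries the helper asked to fix, not HijackThis's own logic and not a complete detection set.

```python
import re

# Subset of the first log posted in this thread (before cleanup).
LOG_BEFORE = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {6324094F-2875-EF02-7B79-E44ABD6291EB} - C:\WINDOWS\system32\sdkwa.dll
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKLM\..\Run: [Dakota Tray] DakTray.exe
"""

# Subset of the second log (after the safe-mode fix pass).
LOG_AFTER = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rjfvr.dll/sp.html#28129
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Dakota Tray] DakTray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
"""

# A HijackThis entry line is "<section code> - <body>", e.g. "R1 - ..." or "O23 - ...".
ENTRY = re.compile(r"^(R[0-3]|O\d{1,2}) - (.+)$")


def parse(log):
    """Return (code, body) tuples, skipping headers and the process list."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def reason(code, body):
    """Return why an entry deserves a closer look, or None (assumed heuristics)."""
    if code in ("R0", "R1") and re.search(r"= res://.*\.dll/", body, re.I):
        return "IE search/start page loaded from a DLL resource"
    if code == "O2" and body.startswith("BHO: (no name)"):
        return "unnamed Browser Helper Object"
    if code == "O4" and re.search(r"Run: \[[^\]]*\] .*\\iexplore\.exe$", body, re.I):
        return "browser launched from a Run key at every boot"
    return None


def triage(log):
    """List (code, body, reason) for every entry a heuristic flags."""
    flagged = []
    for code, body in parse(log):
        why = reason(code, body)
        if why:
            flagged.append((code, body, why))
    return flagged


def compare(before, after):
    """Return (flagged entries that survived the cleanup, entries new in 'after')."""
    old, new = parse(before), parse(after)
    survived = [e for e in new if e in old and reason(*e)]
    added = [e for e in new if e not in old]
    return survived, added


if __name__ == "__main__":
    for code, body, why in triage(LOG_BEFORE):
        print(f"[flag] {code}: {why}\n       {body}")
    survived, added = compare(LOG_BEFORE, LOG_AFTER)
    for code, body in survived:
        print(f"[still present] {code} - {body}")
    for code, body in added:
        print(f"[new since last log] {code} - {body}")
```

An entry that survives a fix pass, like the HKCU search-page value here, points at something still rewriting the registry or at a hive that was not loaded when the fix ran; a new entry, like the MSConfig Run value, needs its own explanation before it is removed.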
MissScrapsAlot
Thanks a bunch Mosaic1

I did all that you suggested, however - I was unable to run the AV from Housecall. I tried everything - but it would not allow me to put a tick in the boxes next to My Computer in order to activate the scan button. I followed their FAQ suggestions to allow the activex controls and am using an acceptable version of IE, but it wouldn't do it. It would show me all the drives on my pc, just not let me select any to scan.

Here are the log files for AboutBuster, CWShredder and lastly HijackThis. Could you please let me know if there is anything else that looks like a concern.

All your suggestions have resolved my problem. I am humbly in your debt!

I need to do similar with my laptop. I'll wait to make sure this pc is resolved before doing that to avoid confusion. Thanks!



-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!



CWShredder
Done
CoolWebSearch was not found on the system

CWShredder Report
**** Run Keys ****

RUN: [TCASUTIEXE] TCAUDIAG.exe -on
RUN: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
RUN: [nwiz] nwiz.exe /install
RUN: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
RUN: [Logitech Utility] Logi_MwX.Exe
RUN: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
RUN: [Dakota Tray] DakTray.exe
RUN: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
RUN: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
RUN: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
RUN: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background


**** Browser Helper Objects ****

BHO: [AcroIEHlprObj Class] C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll


**** IE Toolbars ****

TOOLBAR: [&Radio] C:\WINDOWS\System32\msdxm.ocx
TOOLBAR: [McAfee VirusScan] C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll


**** IE Extensions ****



**** Hosts File Entries ****



**** IE Settings ****

Default Page: http://www.google.com
Default Search: http://www.google.com
Local Page: C:\WINDOWS\System32\blank.htm
Search Page: http://www.google.com


**** IE Context Menu (Right click) ****

IEContext: [E&xport to Microsoft Excel] res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**** Layered Service Providers ****

LSP: McAfee_GdLsp [MSAFD Tcpip [TCP/IP]]
LSP: McAfee_GdLsp [MSAFD Tcpip [UDP/IP]]
LSP: McAfee_GdLsp [RSVP UDP Service Provider]
LSP: McAfee_GdLsp [RSVP TCP Service Provider]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{1801CC85-360D-4D3D-B9F2-485EC3E5D5CB}] SEQPACKET 5]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{1801CC85-360D-4D3D-B9F2-485EC3E5D5CB}] DATAGRAM 5]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{17829330-87AF-4D0C-ACE7-C238F0E18CF7}] SEQPACKET 0]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{17829330-87AF-4D0C-ACE7-C238F0E18CF7}] DATAGRAM 0]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{14F116C4-2DDA-4923-BB7D-7E3969CAB97B}] SEQPACKET 1]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{14F116C4-2DDA-4923-BB7D-7E3969CAB97B}] DATAGRAM 1]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{48417AA4-8F06-4F61-B9B6-3A57C78E3E1B}] SEQPACKET 2]
LSP: McAfee_GdLsp [MSAFD NetBIOS [\Device\NetBT_Tcpip_{48417AA4-8F06-4F61-B9B6-3A57C78E3E1B}] DATAGRAM 2]
LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1801CC85-360D-4D3D-B9F2-485EC3E5D5CB}] SEQPACKET 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1801CC85-360D-4D3D-B9F2-485EC3E5D5CB}] DATAGRAM 5
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{17829330-87AF-4D0C-ACE7-C238F0E18CF7}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{17829330-87AF-4D0C-ACE7-C238F0E18CF7}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{14F116C4-2DDA-4923-BB7D-7E3969CAB97B}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{14F116C4-2DDA-4923-BB7D-7E3969CAB97B}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{48417AA4-8F06-4F61-B9B6-3A57C78E3E1B}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{48417AA4-8F06-4F61-B9B6-3A57C78E3E1B}] DATAGRAM 2


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

{04E214E5-63AF-4236-83C6-A7ADCBF9BD02} [http://housecall60.trendmicro.com/housecall/xscan60.cab] C:\WINDOWS\System32\msvcrt.dll C:\WINDOWS\System32\mfc42.dll C:\WINDOWS\runtsckl.exe C:\WINDOWS\tmupdate.ini C:\WINDOWS\aucfg.ini C:\WINDOWS\loadhttp.dll C:\WINDOWS\System32\msvcp60.dll C:\WINDOWS\TSC.ini C:\WINDOWS\RMAgentOutput.dll C:\WINDOWS\dllTSCLIBMT.dll C:\WINDOWS\patchw32.dll C:\WINDOWS\Downloaded Program Files\xscan60.ocx
{11260943-421B-11D0-8EAC-0000C07D88CF} [http://www.ipix.com/download/ipixx.cab]
{3BFFE033-BF43-11D5-A271-00A024A51325} [https://dommlp05.meadwestvaco.com/iNotes6.cab]
{74D05D43-3236-11D4-BDCD-00C04F9A3B61} [http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab]
{9F1C11AA-197B-4942-BA54-47A8489BB47F} [http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38131.7620833333]
{D27CDB6E-AE6D-11CF-96B8-444553540000} [http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab]
{EF791A6B-FC12-4C68-99EF-FB9E207A39E6} [http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4478/mcfscan.cab]


**** Windows Services ****

[3ComDMIService] C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
[Alerter] %SystemRoot%\System32\svchost.exe -k LocalService
[ALG] %SystemRoot%\System32\alg.exe
[AppMgmt] %SystemRoot%\system32\svchost.exe -k netsvcs
[AudioSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[AvSynMgr] "C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe"
[BITS] %SystemRoot%\System32\svchost.exe -k netsvcs
[Browser] %SystemRoot%\System32\svchost.exe -k netsvcs
[CiSvc] %SystemRoot%\system32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[COMSysApp] C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
[CryptSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[Dhcp] %SystemRoot%\System32\svchost.exe -k netsvcs
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[Dnscache] %SystemRoot%\System32\svchost.exe -k NetworkService
[ERSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINDOWS\System32\svchost.exe -k netsvcs
[FastUserSwitchingCompatibility] %SystemRoot%\System32\svchost.exe -k netsvcs
[helpsvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[HidServ] %SystemRoot%\System32\svchost.exe -k netsvcs
[ImapiService] C:\WINDOWS\System32\imapi.exe
[lanmanserver] %SystemRoot%\System32\svchost.exe -k netsvcs
[lanmanworkstation] %SystemRoot%\System32\svchost.exe -k netsvcs
[LmHosts] %SystemRoot%\System32\svchost.exe -k LocalService
[McAfee Firewall] "C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE
[McShield] "C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe"
[Messenger] %SystemRoot%\System32\svchost.exe -k netsvcs
[mnmsrvc] C:\WINDOWS\System32\mnmsrvc.exe
[MSDTC] C:\WINDOWS\System32\msdtc.exe
[MSIServer] C:\WINDOWS\System32\msiexec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[Nla] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\system32\svchost.exe -k netsvcs
[NVSvc] %SystemRoot%\System32\nvsvc32.exe
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\lsass.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RDSessMgr] C:\WINDOWS\system32\sessmgr.exe
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\System32\svchost.exe -k netsvcs
[seclogon] %SystemRoot%\System32\svchost.exe -k netsvcs
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[ShellHWDetection] %SystemRoot%\System32\svchost.exe -k netsvcs
[SoundMAX Agent Service (default)] C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
[Spooler] %SystemRoot%\system32\spoolsv.exe
[srservice] %SystemRoot%\System32\svchost.exe -k netsvcs
[SSDPSRV] %SystemRoot%\System32\svchost.exe -k LocalService
[stisvc] %SystemRoot%\System32\svchost.exe -k imgsvc
[SwPrv] C:\WINDOWS\System32\dllhost.exe /Processid:{51167947-272B-40FD-A170-3608E0FFEA65}
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TermService] %SystemRoot%\System32\svchost.exe -k netsvcs
[Themes] %SystemRoot%\System32\svchost.exe -k netsvcs
[TrkWks] %SystemRoot%\system32\svchost.exe -k netsvcs
[uploadmgr] %SystemRoot%\System32\svchost.exe -k netsvcs
[upnphost] %SystemRoot%\System32\svchost.exe -k LocalService
[UPS] %SystemRoot%\System32\ups.exe
[VSS] %SystemRoot%\System32\vssvc.exe
[W32Time] %SystemRoot%\System32\svchost.exe -k netsvcs
[WebClient] %SystemRoot%\System32\svchost.exe -k LocalService
[winmgmt] %systemroot%\system32\svchost.exe -k netsvcs
[WMDM PMSP Service] C:\WINDOWS\System32\MsPMSPSv.exe
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[WmiApSrv] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[wuauserv] %systemroot%\system32\svchost.exe -k netsvcs
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Disable Script Debugger] yes
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINDOWS\System32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.google.com
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.google.com
IEOPT: [FullScreen] no
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [Window_Placement] ,
IEOPT: [Use FormSuggest] no
IEOPT: [NotifyDownloadComplete] yes
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [AddToFavoritesExpanded]
IEOPT: [AutoSearch]
IEOPT: [Use Search Asst] no
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.google.com
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.0.2600.0000
IEOPT: [FullScreen] no
IEOPT: [Use Search Asst] no
IEOPT: [Search Page] http://www.google.com
IEOPT: [Default_Page_URL] http://www.google.com
IEOPT: [Default_Search_URL] http://www.google.com






Logfile of HijackThis v1.99.1
Scan saved at 8:20:52 PM, on 5/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
C:\WINDOWS\System32\DakTray.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\McAfee\McAfee VirusScan\Vshwin32.exe
C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Bruce Goulette\My Documents\virs and trojen help programs\hijackthis\hijackthis\hijackthis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Control Center] C:\Program Files\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [Dakota Tray] DakTray.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://dommlp05.meadwestvaco.com/iNotes6.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...478/mcfscan.cab
O23 - Service: 3Com DMI Agent (3ComDMIService) - 3Com Corporation - C:\WINDOWS\System32\3Com_DMI\3CDMINIC.EXE
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: McAfee Firewall - Unknown owner - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE" /SERVICE (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Mosaic1
Your log looks good.

I'm wondering if your Firewall is preventing the AV from running.
Alternatively, let's try putting the site in trusted zones and see if that helps.

Internet Options>security tab

Click the Trusted Sites icon and then the Sites button. In the "Add this Web site to the zone" field, copy and paste this address:
*.trendmicro.com


Press ok and ok again.

Try the scan again.


When finished, go back in and remove the site from trusted zones.

Let me know how you do.
MissScrapsAlot
Disabled my Firewall and also added to trusted sites and still no luck! I sent them an email earlier asking for any suggestions. I'll come back and post their suggestions if they send any, just so you have them in case anyone else that you help finds the same problem.

Thanks for all your help. I really appreciate it!

:LOL:
Mosaic1
You're welcome. I hope they are able to resolve the situation. Don't forget to enable your firewall again.


Here are a few other online scanners to try, if you like. The Panda will not clean, but it will produce a list of found files. Create that and post its contents if you use Panda.

http://www.pandasoftware.com/activescan/
http://www.kaspersky.com/beta?product=161744315
http://security.symantec.com/default.asp?
http://housecall.trendmicro.com/
http://www.ravantivirus.com/scan/
http://www3.ca.com/virusinfo/
http://www.bitdefender.com/scan/licence.php
http://www.commandondemand.com/eval/index.cfm
http://info.ahnlab.com/english/
http://www.pcpitstop.com/pcpitstop/AntiVirusCntr.asp
StudioG
Here are the results from Panda's online scan.

I'll try one of the others that also cleans it next.

What should I do about these?




Incident Status Location

Adware:Adware/Gator No disinfected C:\DOCUME~1\BRUCEG~1\LOCALS~1\Temp\fsg_tmp
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Ab scissor.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Broadband comparison.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Credit counseling.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Crm software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Debt credit card.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Escorts.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Health insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Help desk software.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Insurance home.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Loan for debt consolidation.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Loan for people with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Marketing email.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Mortgage insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Mortgage life insurance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Nevada corporations.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Online Betting Site.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Online gambling -- Look for another playground --.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Online instant loan.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Order - Sorry, stupid no chance here -.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Payroll advance.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Personal loans online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Personal loans with bad credit.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Prescription Drugs Rx Online.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Refinancing my mortgage.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Tahoe vacation rental.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Unsecured bad credit loans.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Videos.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\What is hydrocodone.url
StudioG
I also just ran Symantec Online Scan and got the following results.

C:\WINDOWS\Downloaded Program Files\HDPlugin1101.dll is infected with Adware.Gator

I'm about to use Symantec's online removal tool for this.
Mosaic1
Open this folder and select all, then delete all.
C:\DOCUME~1\BRUCEG~1\LOCALS~1\Temp



Find and delete this Folder. I bet it is just full of sites added by malware.
C:\Documents and Settings\Bruce Goulette\Favorites\Sites about


The file in Downloaded program files is likely a leftover installer.

If you go to Start >Run and type
regsvr32 /u occache.dll
Press enter and then open
C:\WINDOWS\Downloaded Program Files

you can delete the file yourself.

Then go back to Start >Run and type
regsvr32 occache.dll

Press enter to finish.
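The guess above that the "Sites about" folder is full of malware-added sites can be checked from the scan report itself. The following is an added example, not part of the original thread or any poster's code: it parses lines in the format of the Panda report above, groups detections by parent folder, and lists folders whose detections are all .url shortcuts. The function names and the `min_hits` threshold are assumptions of this example.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# A few lines copied from the Panda ActiveScan report posted in this thread.
SAMPLE_REPORT = r"""
Incident Status Location

Adware:Adware/Gator No disinfected C:\DOCUME~1\BRUCEG~1\LOCALS~1\Temp\fsg_tmp
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Credit report.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Fha.url
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Bruce Goulette\Favorites\Sites about\Videos.url
"""

# class:name, free-text status, then a drive-letter path that may contain spaces.
LINE_RE = re.compile(
    r"^(?P<kind>\w+):(?P<name>\S+)\s+(?P<status>.+?)\s+(?P<path>[A-Za-z]:\\.+)$"
)

def parse_report(text):
    """Return one dict per detection line; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def group_by_folder(rows):
    """Map parent folder -> sorted list of (threat name, file name)."""
    folders = defaultdict(list)
    for row in rows:
        p = PureWindowsPath(row["path"])
        folders[str(p.parent)].append((row["name"], p.name))
    return {folder: sorted(hits) for folder, hits in folders.items()}

def shortcut_only_folders(rows, min_hits=2):
    """Folders where every detection is a .url shortcut: review as a unit."""
    out = []
    for folder, hits in group_by_folder(rows).items():
        if len(hits) >= min_hits and all(f.lower().endswith(".url") for _, f in hits):
            out.append(folder)
    return sorted(out)

if __name__ == "__main__":
    for folder in shortcut_only_folders(parse_report(SAMPLE_REPORT)):
        print("shortcut-only folder:", folder)
```

A folder that shows up here holds nothing but flagged shortcuts in the report, which is the pattern that justifies reviewing it as a whole rather than entry by entry.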
Hunter
Yup looks like you are getting all of it cleaned off now and even in the favorites.



Trojan Name
StartPage-FY


http://vil.nai.com/vil/content/v_130641.htm


It sure is a trashy trojan :(

Also make sure these are not in your favorites and Panda just missed them:
%WinDir%\Favorites\Only sex website.url
%WinDir%\Favorites\Search the web.url
%WinDir%\Favorites\Seven days of free porn.url
MissScrapsAlot
:banana: I'm doing the happy dance here! I've followed all your instructions and have rescanned with Panda and have come up clean. Thanks so much. I verified that those items were no longer in my favorites also.

Blessings to you! I'm in your debt!



Now I need to do the same with my laptop. I'll start a new thread once I get it sorted out. Thanks again.
Mosaic1
You're welcome. Love the Dance!


We have a little bit of follow-up on this.

Are there any other User Profiles on the computer? If so, we should have a look at their hijackthis logs one at a time.


Then there is this next advice to be done after all profiles are cleared.

Once you have rebooted a time or two, be sure everything is in working order. It is time to flush your system restore points. Once you do that you will not be able to correct any problems you may have now by going back to a point before today.


After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.

Go to Start>Run and type msconfig Press enter.

When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings Link on the left.

Check the box labeled Turn off System restore.


Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
----------------------------
Also here is an excellent source for tips to tighten security. Follow the advice and get the free downloads to help avoid some of these problems in the future.
http://www.computercops.biz/postt7736.html
MissScrapsAlot
Thanks so much.

There are no other user profiles.

I had already turned off System Restore before any of this had been done. I was instructed to do so under additional removal instructions for windows xp on McAfee's site. I had tried to resolve it there first before coming to you. Thanks for the reminder, because I have not yet turned it back on and I need to do that.

I will read up on the security topic you sent also. Thanks so much! I'm about 10 minutes away from starting this process all over again with my laptop pc.


Blessings!
Mosaic1
MissScrapsAlot,

You're welcome. That sounds good. I'll close this topic now that it has been resolved. If you need it re-opened in the near future, PM an Admin or Moderator to do that.


Anyone else, please start your own topic and someone will help.


Mo