Full Version: Parents' computer is acting strangely
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
smurf_inferno
Greetings! I ran Ad-Aware (found only cookies) and SpyBot (which hung up mid-way through, twice). HiJack log below. Do I have a problem? Thank you!

Logfile of HijackThis v1.99.1
Scan saved at 1:06:09 AM, on 8/6/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\INTEL\DSLSETUP\PRODSL.EXE
C:\INTEL\DSLSETUP\DHCPAGNT.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dnnmi.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dnnmi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {BE101523-4F6A-627E-7956-0AA53A12FB29} - C:\WINDOWS\SYSTEM\WINNV.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DSL Connection Manager] C:\intel\DSLSetup\prodsl.exe /P
O4 - HKLM\..\Run: [dhcpagnt] C:\intel\DSLSetup\dhcpagnt.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com/plugins/downloads/mpeg4img.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/...ll/MFImgVwr.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
Bobbi Flekman
Hi smurf_inferno,

Please take the following steps:

Set hidden files showing. How do I show hidden files?

IMPORTANT Be sure all browser and explorer windows are closed.

Press Ctrl+Alt+Delete to start the Task Manager. If you find Network Security Service in this list, select it and end the task.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dnnmi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system\dnnmi.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank

O2 - BHO: Class - {BE101523-4F6A-627E-7956-0AA53A12FB29} - C:\WINDOWS\SYSTEM\WINNV.DLL (file missing)

O15 - Trusted IP range: 206.161.125.149
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Delete the following files in red (it could be that they are deleted already):

C:\WINDOWS\system\dnnmi.dll
C:\WINDOWS\SYSTEM\WINNV.DLL

While still in Safe Mode, to finish the cleanup process, please run through the rest of these steps:

From the Start Menu, choose "Run" and type Regedit then click "Ok".
Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
and highlight Services in the left pane. In the right pane, look for any of these entries:

__NS_Service
__NS_Service_2
__NS_Service_3

If any are listed, right-click that entry in the right pane and choose Delete.

Now navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
and highlight Root in the Left Pane. In the right pane, look for these entries:

LEGACY___NS_Service
LEGACY___NS_Service_2
LEGACY___NS_Service_3

If you find it, right-click it in the right-pane and choose delete.

If you have trouble deleting a key, click once on the key name (LEGACY__NS_SERVICE_ or another name that starts with LEGACY__NS_SERVICE) to highlight it. Then click on the "Permission" menu option under "Security" or "Edit". Uncheck "Allow inheritable permissions" and press "copy". Then click on everyone and put a checkmark in "full control". Then press "Apply" and "Ok" and attempt to delete the key again.

Exit regedit, and restart your computer in Normal Mode.

To remove the remainder of the files this exploit deposits, run this Online AntiVirus scan, removing all it finds:

Trend Micro (PC-cillin) - Free on-line Scan

=== Check ActiveX Settings ===
Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press "Default level", then "Ok".
Now press "Custom Level."
In the ActiveX section, set the first option, "Download signed controls", to "Prompt"; set the second option, "Download unsigned controls", to "Disable"; and finally, set "Initialize and Script ActiveX controls not marked as safe" to "Disable".


=== Replace Deleted Files ===
It is also possible that the infection may have deleted up to three files from your system. If these files are present, to be safe I suggest you overwrite them with a new copy.

Go here: http://www.spywareinfo.com/~merijn/winfiles.html#control and download the version of control.exe for your operating system. If you are running Windows 2000, copy it to c:\winnt\system32\. For Windows XP, copy it to c:\windows\system32\.

Download the Hoster from here: http://members.aol.com/toadbee/hoster.zip
Press "Restore Original Hosts" and press "Ok"
Exit Program.

If you have Spybot S&D installed you may also need to replace one file.
Go here: http://www.spywareinfo.com/~merijn/winfiles.html#sdhelper and download SDHelper.dll. Copy the file to the folder containing your Spybot S&D program (normally C:\Program Files\Spybot - Search & Destroy).

Additionally, Please check your ActiveX security settings. They may have been changed by this CWS variant to allow ALL ActiveX!! If they have been changed, reset your ActiveX Security Settings in IE as recommended.

Download Ad-aware SE and update it (the Globe icon, then Connect).

Next, go to Settings (the gear icon at the top) and then "Scanning" and checkmark these items so they will be green:
"Scan within archives"
"Scan my IE Favorites for banned URLS"
"Scan my hosts file"

Then click "Proceed" to save settings.

Click on "Tweak" next. And checkmark to make this green also:
"Automatically try to unregister objects prior to deletion"

Click on "Proceed"

Next, from the main screen, click on "Perform Full System Scan". Uncheck "Search for negligible risk entries" and click on "Next". Eliminate all that Ad-aware finds.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Restart your computer after cleaning with Ad-aware SE and scan again. Repeat the process until no further items are found as bad.

Run HiJackThis and post a new log in this thread.
smurf_inferno
OK. That was frustrating:

1. I ran HiJackThis and deleted the indicated files (O15 - Trusted IP keeps coming back).

2. I restarted in Safe Mode, but the files to be deleted were not there. I also went into the registry, but none of the NS_Service keys appeared. So no change there either.

3. After upgrading my Java, I ran the Trend Micro scan. But it hung mid-way through the process. I rebooted and tried again. It hung again, and when I tried to back out everything froze.

4. After getting restarted I checked my Active X settings. No change was needed; they were as recommended.

5. I tried to download the control.exe file. I am running ME and it was not clear which system file to put it in. I don't have a C:\WINNT so I extracted it to C:\WINDOWS\system32 (even though I am not XP). Don't know what that file does.

6. Tried to download Hoster, but the page no longer exists.

7. Tried to download SDHelper.dll, but after requesting it be extracted to my SpyBot folder it requested a password which I do not have.

8. I ran Ad-Aware (which I updated last night) with the recommended settings. I was NOT able to check the TWEAK setting because no such command ("automatically try to unregister objects prior to deletion") appeared under any of the Tweak options. Ad-Aware found a number of objects to delete, but it would not let me delete many of them. Ad-Aware suggested I restart and run the program again. I did. It froze.

9. Meanwhile, new software programs are appearing during startup and in my startup dock. Hmmm.

Thank you for your assistance -- Randall

Here's the new HiJack log:

Logfile of HijackThis v1.99.1
Scan saved at 11:23:37 AM, on 8/6/2006
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\IWP\NPFMNTOR.EXE
C:\PROGRAM FILES\SYMANTEC\LIVEUPDATE\ALUSCHEDULERSVC.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\LTMSG.EXE
C:\INTEL\DSLSETUP\PRODSL.EXE
C:\INTEL\DSLSETUP\DHCPAGNT.EXE
C:\PROGRAM FILES\HP\HP SOFTWARE UPDATE\HPWUSCHD2.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\COMMON\BIN\RXMON9X.EXE
C:\PROGRAM FILES\DELL\RESOLUTION ASSISTANT\MOTIVEASSISTANT\BIN\MAD.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\MICROSOFT WORKS\WKSSB.EXE
C:\PROGRAM FILES\MOTIVE\MOTMON.EXE
C:\PROGRAM FILES\MESSENGER\MSMSGS.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQTRA08.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IOWATCH.EXE
C:\PROGRAM FILES\COREL\WORDPERFECT FAMILY PACK 2\PROGRAMS\DAD9.EXE
C:\PROGRAM FILES\IOMEGA\TOOLS\IMGICON.EXE
C:\PROGRAM FILES\HP\DIGITAL IMAGING\BIN\HPQGALRY.EXE
C:\WINDOWS\SYSTEM\HPZIPM12.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HIJACKTHIS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DSL Connection Manager] C:\intel\DSLSetup\prodsl.exe /P
O4 - HKLM\..\Run: [dhcpagnt] C:\intel\DSLSetup\dhcpagnt.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE /Consumer
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [RxMon] C:\Program Files\Dell\Resolution Assistant\Common\bin\RxMon9x.exe
O4 - HKLM\..\Run: [madexe] C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\mad.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [MotiveMonitor] C:\Program Files\Motive\motmon.exe
O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKLM\..\Run: [websearch] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
O4 - HKLM\..\Run: [NTGX32.EXE] C:\WINDOWS\SYSTEM\NTGX32.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [NPFMonitor] C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [ALU Scheduler Service] C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [MFCGG.EXE] C:\WINDOWS\MFCGG.EXE
O4 - HKLM\..\RunServices: [IPPY.EXE] C:\WINDOWS\SYSTEM\IPPY.EXE
O4 - HKLM\..\RunServices: [WINQU.EXE] C:\WINDOWS\SYSTEM\WINQU.EXE
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE
O4 - HKLM\..\RunServices: [ADDEN.EXE] C:\WINDOWS\ADDEN.EXE
O4 - HKLM\..\RunServices: [APIMD.EXE] C:\WINDOWS\APIMD.EXE
O4 - HKLM\..\RunServices: [CRAH32.EXE] C:\WINDOWS\SYSTEM\CRAH32.EXE
O4 - HKLM\..\RunServices: [NTPH.EXE] C:\WINDOWS\NTPH.EXE
O4 - HKLM\..\RunServices: [APPKJ32.EXE] C:\WINDOWS\SYSTEM\APPKJ32.EXE
O4 - HKLM\..\RunServices: [JAVANJ.EXE] C:\WINDOWS\JAVANJ.EXE
O4 - HKLM\..\RunServices: [IEBU32.EXE] C:\WINDOWS\SYSTEM\IEBU32.EXE
O4 - HKLM\..\RunServices: [SDKJG32.EXE] C:\WINDOWS\SYSTEM\SDKJG32.EXE
O4 - HKLM\..\RunServices: [NTDR32.EXE] C:\WINDOWS\SYSTEM\NTDR32.EXE
O4 - HKLM\..\RunServices: [ADDAG.EXE] C:\WINDOWS\SYSTEM\ADDAG.EXE
O4 - HKLM\..\RunServices: [D3TF.EXE] C:\WINDOWS\SYSTEM\D3TF.EXE
O4 - HKLM\..\RunServices: [CRKG.EXE] C:\WINDOWS\SYSTEM\CRKG.EXE
O4 - HKLM\..\RunServices: [ADDQZ.EXE] C:\WINDOWS\ADDQZ.EXE
O4 - HKLM\..\RunServices: [SDKYV32.EXE] C:\WINDOWS\SDKYV32.EXE
O4 - HKLM\..\RunServices: [MSWS.EXE] C:\WINDOWS\MSWS.EXE
O4 - HKLM\..\RunServices: [JAVANN.EXE] C:\WINDOWS\SYSTEM\JAVANN.EXE
O4 - HKLM\..\RunServices: [MSSU.EXE] C:\WINDOWS\SYSTEM\MSSU.EXE
O4 - HKLM\..\RunServices: [MSCT32.EXE] C:\WINDOWS\MSCT32.EXE
O4 - HKLM\..\RunServices: [MFCIM32.EXE] C:\WINDOWS\SYSTEM\MFCIM32.EXE
O4 - HKLM\..\RunServices: [D3EJ.EXE] C:\WINDOWS\D3EJ.EXE
O4 - HKLM\..\RunServices: [MSRG.EXE] C:\WINDOWS\MSRG.EXE
O4 - HKLM\..\RunServices: [SYSOG.EXE] C:\WINDOWS\SYSOG.EXE
O4 - HKLM\..\RunServices: [SYSCA.EXE] C:\WINDOWS\SYSTEM\SYSCA.EXE
O4 - HKLM\..\RunServices: [NTZY32.EXE] C:\WINDOWS\SYSTEM\NTZY32.EXE
O4 - HKLM\..\RunServices: [D3KX.EXE] C:\WINDOWS\D3KX.EXE
O4 - HKLM\..\RunServices: [JAVACK32.EXE] C:\WINDOWS\SYSTEM\JAVACK32.EXE
O4 - HKLM\..\RunServices: [IEKB32.EXE] C:\WINDOWS\IEKB32.EXE
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [MSMSGS] C:\PROGRA~1\MESSEN~1\msmsgs.exe /background
O4 - HKCU\..\Run: [HXDL.EXE] C:\Program Files\Alset\HelpExpress\default\HXDL.EXE -from="HXIUL.EXE" -to="HXIUL.EXE"
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\SYSTEM\nssys32.exe
O4 - Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Startup: Resolution Assistant.lnk = C:\Program Files\Dell\Resolution Assistant\MotiveAssistant\bin\matcli.exe
O4 - Startup: Iomega Watch.lnk = C:\Program Files\Iomega\Tools\IOWATCH.EXE
O4 - Startup: Refresh.lnk = C:\Program Files\Iomega\Tools\refresh.exe
O4 - Startup: Desktop Application Director 9.LNK = C:\Program Files\Corel\WordPerfect Family Pack 2\programs\dad9.exe
O4 - Startup: Iomega Startup Options.lnk = C:\Program Files\Iomega\Tools\IMGSTART.EXE
O4 - Startup: Iomega Disk Icons.lnk = C:\Program Files\Iomega\Tools\IMGICON.exe
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmwordtrans.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmsimilar.html
O8 - Extra context menu item: Backward Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR1.DLL/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\PROGRA~1\MESSEN~1\MSMSGS.EXE
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRAM FILES\JAVA\JRE1.5.0_06\BIN\SSV.DLL
O9 - Extra button: Dell Home - {EE117DAA-A30B-40FC-945C-38AE1B80C1FA} - http://www.dellnet.com (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O15 - Trusted IP range: 206.161.125.149
O16 - DPF: {861DB4B6-3838-11D2-8E50-002018200E57} (MrSIDI Control) - http://images.myfamily.net/isfiles/downloads/MrSIDI.cab
O16 - DPF: {19597B66-2CCF-11D4-B6C9-00C0F04E6DA8} (MPEG4 Image Control Object) - http://www.e-vue.com/plugins/downloads/mpeg4img.cab
O16 - DPF: {75565ED2-1560-4F15-B841-20358DE6A0D1} (ImageControl Class) - http://content.ancestry.com/asfiles/files/...ll/MFImgVwr.cab
O16 - DPF: {AFDD01B0-7ABB-11D9-9669-0800200C9A66} (MFInstall Class) - http://c.ancestry.com/MFInstall/MFInstall.cab
Bobbi Flekman
Hi Randall,

Are you running a firewall? I can't see one in your log... If not, download either Kerio Personal Firewall or ZoneLabs Zone Alarm and install it.

Please create a list of programs that can be removed using Add/Remove Programs
Start HiJackThis. Click "Config"->"Misc Tools"->"Open Uninstall Manager" ->"Save List".
Save the log to a convenient location, and copy it into this thread.

Download Killbox to your desktop.
Click killbox.exe.

Download http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click on the deldomains.inf file and select 'Install'.

Download Hoster
Press "Restore Original Hosts" and press "OK"
Exit Program.

Download and save AboutBuster.zip. Unzip AboutBuster to your desktop or another folder.

First unzip all files from the zip folder to a folder or your desktop.
Now, restart your Computer in Safe Mode.
How do I Safe Boot my computer?

Start About:Buster and click "OK". Then click "Update". A new screen should popup. On that screen click "Check For Update". If it says it found an update click "Download Update". If it doesn't it will automatically tell you and exit. Now for the scanning part. Click "Start" and then "OK". The program should start scanning. Click on "Save Log..." to save the report and post a copy back here when you are done with all the steps. Then click "Exit" and restart in safe mode again.

Once restarted run About:Buster once more to make sure everything is ok.

Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select
  • C:\WINDOWS\SYSTEM\KERNEL32.DLL
and click on "Kill process". Answer Yes to the "Are you sure..." question.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"
O4 - HKLM\..\Run: [websearch] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
O4 - HKLM\..\Run: [NTGX32.EXE] C:\WINDOWS\SYSTEM\NTGX32.EXE
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\RunServices: [MFCGG.EXE] C:\WINDOWS\MFCGG.EXE
O4 - HKLM\..\RunServices: [IPPY.EXE] C:\WINDOWS\SYSTEM\IPPY.EXE
O4 - HKLM\..\RunServices: [WINQU.EXE] C:\WINDOWS\SYSTEM\WINQU.EXE
O4 - HKLM\..\RunServices: [JAVASL.EXE] C:\WINDOWS\JAVASL.EXE
O4 - HKLM\..\RunServices: [ADDEN.EXE] C:\WINDOWS\ADDEN.EXE
O4 - HKLM\..\RunServices: [APIMD.EXE] C:\WINDOWS\APIMD.EXE
O4 - HKLM\..\RunServices: [CRAH32.EXE] C:\WINDOWS\SYSTEM\CRAH32.EXE
O4 - HKLM\..\RunServices: [NTPH.EXE] C:\WINDOWS\NTPH.EXE
O4 - HKLM\..\RunServices: [APPKJ32.EXE] C:\WINDOWS\SYSTEM\APPKJ32.EXE
O4 - HKLM\..\RunServices: [JAVANJ.EXE] C:\WINDOWS\JAVANJ.EXE
O4 - HKLM\..\RunServices: [IEBU32.EXE] C:\WINDOWS\SYSTEM\IEBU32.EXE
O4 - HKLM\..\RunServices: [SDKJG32.EXE] C:\WINDOWS\SYSTEM\SDKJG32.EXE
O4 - HKLM\..\RunServices: [NTDR32.EXE] C:\WINDOWS\SYSTEM\NTDR32.EXE
O4 - HKLM\..\RunServices: [ADDAG.EXE] C:\WINDOWS\SYSTEM\ADDAG.EXE
O4 - HKLM\..\RunServices: [D3TF.EXE] C:\WINDOWS\SYSTEM\D3TF.EXE
O4 - HKLM\..\RunServices: [CRKG.EXE] C:\WINDOWS\SYSTEM\CRKG.EXE
O4 - HKLM\..\RunServices: [ADDQZ.EXE] C:\WINDOWS\ADDQZ.EXE
O4 - HKLM\..\RunServices: [SDKYV32.EXE] C:\WINDOWS\SDKYV32.EXE
O4 - HKLM\..\RunServices: [MSWS.EXE] C:\WINDOWS\MSWS.EXE
O4 - HKLM\..\RunServices: [JAVANN.EXE] C:\WINDOWS\SYSTEM\JAVANN.EXE
O4 - HKLM\..\RunServices: [MSSU.EXE] C:\WINDOWS\SYSTEM\MSSU.EXE
O4 - HKLM\..\RunServices: [MSCT32.EXE] C:\WINDOWS\MSCT32.EXE
O4 - HKLM\..\RunServices: [MFCIM32.EXE] C:\WINDOWS\SYSTEM\MFCIM32.EXE
O4 - HKLM\..\RunServices: [D3EJ.EXE] C:\WINDOWS\D3EJ.EXE
O4 - HKLM\..\RunServices: [MSRG.EXE] C:\WINDOWS\MSRG.EXE
O4 - HKLM\..\RunServices: [SYSOG.EXE] C:\WINDOWS\SYSOG.EXE
O4 - HKLM\..\RunServices: [SYSCA.EXE] C:\WINDOWS\SYSTEM\SYSCA.EXE
O4 - HKLM\..\RunServices: [NTZY32.EXE] C:\WINDOWS\SYSTEM\NTZY32.EXE
O4 - HKLM\..\RunServices: [D3KX.EXE] C:\WINDOWS\D3KX.EXE
O4 - HKLM\..\RunServices: [JAVACK32.EXE] C:\WINDOWS\SYSTEM\JAVACK32.EXE
O4 - HKLM\..\RunServices: [IEKB32.EXE] C:\WINDOWS\IEKB32.EXE
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\SYSTEM\nssys32.exe

O8 - Extra context menu item: Coupons - file://C:\Program Files\websearch\System\Temp\couponsandoffers_script0.htm
Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Start Killbox and select the option "Delete on reboot".
In the field "Full Path of File to Delete" copy and paste next:

C:\WINDOWS\SYSTEM\NTGX32.EXE
C:\WINDOWS\MFCGG.EXE
C:\WINDOWS\SYSTEM\IPPY.EXE
C:\WINDOWS\SYSTEM\WINQU.EXE
C:\WINDOWS\JAVASL.EXE
C:\WINDOWS\ADDEN.EXE
C:\WINDOWS\APIMD.EXE
C:\WINDOWS\SYSTEM\CRAH32.EXE
C:\WINDOWS\NTPH.EXE
C:\WINDOWS\SYSTEM\APPKJ32.EXE
C:\WINDOWS\JAVANJ.EXE
C:\WINDOWS\SYSTEM\IEBU32.EXE
C:\WINDOWS\SYSTEM\SDKJG32.EXE
C:\WINDOWS\SYSTEM\NTDR32.EXE
C:\WINDOWS\SYSTEM\ADDAG.EXE
C:\WINDOWS\SYSTEM\D3TF.EXE
C:\WINDOWS\SYSTEM\CRKG.EXE
C:\WINDOWS\ADDQZ.EXE
C:\WINDOWS\SDKYV32.EXE
C:\WINDOWS\MSWS.EXE
C:\WINDOWS\SYSTEM\JAVANN.EXE
C:\WINDOWS\SYSTEM\MSSU.EXE
C:\WINDOWS\MSCT32.EXE
C:\WINDOWS\SYSTEM\MFCIM32.EXE
C:\WINDOWS\D3EJ.EXE
C:\WINDOWS\MSRG.EXE
C:\WINDOWS\SYSOG.EXE
C:\WINDOWS\SYSTEM\SYSCA.EXE
C:\WINDOWS\SYSTEM\NTZY32.EXE
C:\WINDOWS\D3KX.EXE
C:\WINDOWS\SYSTEM\JAVACK32.EXE
C:\WINDOWS\IEKB32.EXE
C:\WINDOWS\SYSTEM\nssys32.exe

Choose the option: "unregister dll before deleting"
Click the red circle with the white cross in it.
Killbox will tell you that this file will be deleted on next reboot. Click YES.
When Killbox asks to reboot now, click YES.
If you get the following message: "PendingFileRenameOperations Registry Data has been Removed by External Process!", reboot your system manually.

Your system will reboot now.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Once all this is done please post a new log from HijackThis.
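The two replies above pick entries out of the HijackThis logs by hand: the res:// search hijack, the BHO whose DLL is missing, the O15 trusted IP range, and the run of same-named .EXE loaders dropped straight into C:\WINDOWS and C:\WINDOWS\SYSTEM. The script below is an added example (not a forum or HijackThis tool) that encodes those same observations as triage heuristics and diffs two logs to show what appeared between scans; the log excerpts are constructed from lines in this thread and the helper functions are hypothetical.

```python
# Triage helper for HijackThis v1.99 logs. Added example for this thread, not
# code from the forum or from HijackThis. It only reads and reports; it does
# not change the registry or delete files.
import re

# One HijackThis entry: section code (R0..R3, O1..O23), " - ", then the body.
LINE_RE = re.compile(r"^(R[0-3]|O\d{1,2})\s+-\s+(.*)$")
# O4 body of the form  HKLM\..\RunServices: [KeyName] <command line>
O4_RE = re.compile(r"^(?P<hive>\w+)\\\.\.\\(?P<key>\w+):\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# A file sitting directly in C:\WINDOWS or C:\WINDOWS\SYSTEM (no subfolder).
WINDIR_RE = re.compile(r"^C:\\WINDOWS(\\SYSTEM)?\\[^\\]+$", re.IGNORECASE)


def parse_log(text):
    """Return (section, body) tuples for every entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def first_token(cmd):
    """Program part of a command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_entry(section, body):
    """Return a short reason if the entry deserves a look, else None (heuristics only)."""
    if section in ("R0", "R1") and "res://" in body.lower():
        return "search/start page redirected into a local DLL resource"
    if section == "O2" and "(file missing)" in body:
        return "BHO registered but its DLL is gone (leftover hijacker CLSID)"
    if section == "O15":
        return "trusted IP range added to an IE zone (lowers security for that host)"
    if section == "O4":
        m = O4_RE.match(body)
        if m:
            exe = first_token(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1]
            # Key name identical to the bare file name, file directly in the
            # Windows/System dir: the pattern of the random-named loaders above.
            if m.group("name").upper() == base.upper() and WINDIR_RE.match(exe):
                return "run key named after a bare .EXE dropped in the Windows/System dir"
            if base.lower() in ("wjview", "wjview.exe"):
                return "program launched through the MS Java VM (wjview) loader"
    return None


def triage(text):
    """Map each flagged entry line ('O4 - ...') to the reason it was flagged."""
    out = {}
    for section, body in parse_log(text):
        reason = flag_entry(section, body)
        if reason:
            out[f"{section} - {body}"] = reason
    return out


def new_entries(old_text, new_text):
    """Entry lines present in the second log but absent from the first."""
    old = {f"{s} - {b}" for s, b in parse_log(old_text)}
    return [f"{s} - {b}" for s, b in parse_log(new_text) if f"{s} - {b}" not in old]


# Constructed excerpt of the first log posted in this thread.
LOG1 = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system\dnnmi.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: Class - {BE101523-4F6A-627E-7956-0AA53A12FB29} - C:\WINDOWS\SYSTEM\WINNV.DLL (file missing)
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O15 - Trusted IP range: 206.161.125.149
"""
# Constructed excerpt of the second log, after the first cleanup attempt.
LOG2 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [websearch] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
O4 - HKLM\..\Run: [NTGX32.EXE] C:\WINDOWS\SYSTEM\NTGX32.EXE
O4 - HKLM\..\RunServices: [MFCGG.EXE] C:\WINDOWS\MFCGG.EXE
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKCU\..\Run: [nsdriver] C:\WINDOWS\SYSTEM\nssys32.exe
O15 - Trusted IP range: 206.161.125.149
"""

if __name__ == "__main__":
    for line, why in triage(LOG2).items():
        print(f"{why}\n    {line}")
    print("entries new since the first log:", len(new_entries(LOG1, LOG2)))
```

The heuristics are deliberately narrow: the [nsdriver] nssys32.exe entry the helper also fixed is not caught, because its key name is not the bare file name, so the output is a starting point for review, not a verdict.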
smurf_inferno
Wow, thanks for the detailed instructions! Let's take this a step at a time.

1. Firewalls. My parents have Norton Anti-Virus, but no firewall protection. I looked at both Kerio and Zone Alarm. Neither is compatible with their Windows ME OS. I will recommend that they consider upgrading, but for the time being I can't download a firewall system without causing them a lot more headaches than we're trying to clear up here. So for the time being I'm skipping this step.

Randall (more coming)
smurf_inferno
Continuing...

2. Removable programs. Here's my Uninstall list from HiJack This:

Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Reader 6.0.1
Attune 2.3.2
Cayman 3300 Series USB Network Adapter
Corel Applications
couponsandoffers
Creative PCI Audio Drivers
Dell Documents
Dell Resolution Assistant
DellNet by MSN
Family Tree Maker
Family Tree Maker 9.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Extended Capabilities 4.7
HP Image Zone 4.7
HP PSC & OfficeJet 4.7
HP Software Update
i-LEARN My Dell PC
Intel® PRO/DSL Modem & Utilities
Internet Explorer Q891781
Iomega Software
J2SE Runtime Environment 5.0 Update 6
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
Lucent Win Modem
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2001
Microsoft Internet Explorer 6 SP1 and Internet Tools
Microsoft Money 2001
Microsoft Outlook Express 6
Microsoft Picture It! Publishing 2001
Microsoft Streets and Trips 2001
Microsoft Word 2000 SR-1
Microsoft Works 2001 Setup Launcher
Microsoft Works 6.0
Microsoft Works Suite Add-in for Microsoft Word
Microsoft XML Parser and SDK
Modem Test
MouseWare 9.01
MSN Explorer
Norton AntiVirus 2005 (Symantec Corporation)
NVIDIA TNT2 M64 4xAGP (Dell)
PhoneTools
RealPlayer
Solution Center
Spybot - Search & Destroy 1.3
Teacher's Toolbox 4.0
Web Search
Windows Millennium Edition KB891711 Update
Windows Millennium Edition Q823559 Update

I see a few things in here we want off, but when I try to uninstall them, it doesn't work: Web Search and couponsandoffers, for example.

Randall (more coming)
smurf_inferno
Moving on...

3. Downloaded Killbox, DelDomains, Hoster, and AboutBuster.

> I clicked on Killbox.exe, but wasn't sure if I was supposed to do anything else.

> The AboutBuster log is below.

> Problem: Ran HiJack this. Killed KERNEL32.DLL, but HiJack froze before it disappeared. Restarted. Tried again. Froze again. Can I move on or must I figure this out first?

AboutBuster Log:

AboutBuster 6.05
Scan started on [8/7/2006] at [10:46:15 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
Removed File! : C:\WINDOWS\pqvtsl.log
Removed File! : C:\WINDOWS\vemjhf.txt
Removed File! : C:\WINDOWS\lgsdl.txt
Removed File! : C:\WINDOWS\wfajf.txt
Removed File! : C:\WINDOWS\pngbal.txt
Removed File! : C:\WINDOWS\qcvak.txt
Removed File! : C:\WINDOWS\SYSTEM\vjpjm.txt
Removed File! : C:\WINDOWS\SYSTEM\jjhxr.txt
Removed File! : C:\WINDOWS\SYSTEM\zlyhp.txt
Removed File! : C:\WINDOWS\SYSTEM\iqafp.log
-------------------------------------------------------------
Removed Temp Files
Internet Explorer Settings Reset!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 10:55:23 AM


AboutBuster 6.05
Scan started on [8/7/2006] at [10:58:39 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was ABORTED at 10:59:51 AM


AboutBuster 6.05
Scan started on [8/7/2006] at [11:01:23 AM]
-------------------------------------------------------------
Internet Explorer Instances Terminated!
HomeSearch Service stopped if present
-------------------------------------------------------------
Streams(ADS) not scanned: System not NTFS
-------------------------------------------------------------
No Files Found!
-------------------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 11:06:46 AM


Will wait for reply,
Randall
Bobbi Flekman
Hi smurf_inferno,

Open "Add/Remove Programs" in the Control Panel. Select the following items:
  • Attune 2.3.2
  • couponsandoffers
  • Web Search
and click "Remove" for each of them. If one of the uninstallers wants to download stuff or needs an Internet connection, skip that one and report them to me.

QUOTE
I see a few things in here we want off, but when I try to uninstall them, it doesn't work: Web Search and couponsandoffers, for example.
Can you do it again? Please tell me what happens when you click on them.

QUOTE
> I clicked on Killbox.exe, but wasn't sure if I was supposed to do anything else.
What do you mean with this? Did you follow the rest of the instructions? The copy/paste of the list I created for you, etc.

QUOTE
> Problem: Ran HiJack this. Killed KERNEL32.DLL, but HiJack froze before it disappeared. Restarted. Tried again. Froze again. Can I move on or must I figure this out first?
Go to Online malware scan and submit C:\WINDOWS\SYSTEM\KERNEL32.DLL.

Tell me the result.

The AboutBuster log looks good, but I am afraid it will not suffice. Can you skip the ending of the process in HijackThis and execute the checking/fixing instructions and the rest?
smurf_inferno
Hey Bobbi,
This is smurf_inferno's sister at a different location.

Our parents' computer is now excruciatingly slow to boot up, so these last instructions may take a while.

We're in Washington state, by the way. Let us know if there's any way to expedite the start-up process.

Thanks
Bobbi Flekman
Hi smurf_inferno's sister,

I'll be here, so don't worry about it. I get notified when someone posts to the thread, so as soon as there is news I'll know.


QUOTE
We're in Washington state, by the way. Let us know if there's any way to expedite the start-up process.
I'm in Holland, Europe, by the way. So usually I answer when you are asleep (you're nine hours earlier than I am).
smurf_inferno
Bobbi,

Just a quick, final update. Suffice it to say our hard drive went belly up. We fought long and hard, but lost, and now we have a spanking new hard drive, and we're busy with reinstallation and file recovery. Thanks for all the assistance. GSF is always a great help to those of us navigating the dangerous waters of the web, and I really appreciated your posts.

I also want to give a shout out to Greg Hunter at Vashon IT (Washington, USA) who labored hard on our computer.

Thanks again,
Randall
Bobbi Flekman
Good luck with the new hard disc.

Surf Safe,

BF