Free Malware Removal Forum

by **DLIEDKA** » April 6th, 2005, 6:35 pm

HELP!! I HAVE SOMETHING CALLED SEARCH EXTENDER/HOME SHOPPING ASSISTANT/SHOPPING WIZARD THAT I CAN NOT GET RID OF. I HAVE TRIED AD-AWARE SE, SPYBOT AND DONE THE REGEDIT CHANGES NOTHING HELPS. I RAN SOMETHING CALLED HIJACKTHIS AND HERE IS THE LOG.
PLEASE...SOMEONE HELP ME!!!!!!!!!!!!!!!!!!!!! :?

Logfile of HijackThis v1.99.1
Scan saved at 7:54:46 AM, on 4/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\desktop weather\desktopweather_1426334.exe
C:\WINDOWS\System32\mrtMngr.EXE
P:\Pathways\WFMGR\wfmgr.exe
C:\Westwood\DLLs\westwood.exe
C:\WINDOWS\atlwv.exe
C:\WINDOWS\system32\iejx32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dana.OZZIES\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lowva.dll/sp.html#28129
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lowva.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {C5182344-B4CA-EF22-2D53-0FF5F1EB5AF2} - C:\WINDOWS\system32\appjl32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [iejx32.exe] C:\WINDOWS\system32\iejx32.exe
O4 - HKLM\..\RunOnce: [atlwv.exe] C:\WINDOWS\atlwv.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_1426334.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.app-ozzie
O15 - Trusted IP range: 172.16.201.82
O15 - Trusted IP range: http://172.16.201.82
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0032939209
O16 - DPF: {B6C648AA-7FA6-11D1-AF07-006097255F64} (KITWebCrystal.clsCrystal) - http://172.16.201.82/Production//OCXFac ... rystal.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ids.dor.state.co.us/viewer/activ ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://autoprise.webex.com/client/late ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Ozzies.local
O17 - HKLM\Software\..\Telephony: DomainName = Ozzies.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Ozzies.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: Network Security Service ( 11FÃŸÃ¤#Â·ÂºÃ„Ã–`I) - Unknown owner - C:\WINDOWS\system32\ipzs32.exe (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

by **insipid** » April 7th, 2005, 10:10 am

Hi DLIEDKA, welcome to Malware Removal. You have a Coolwebsearch infection that will take a few steps to remove.

You may want to print out these instructions or save them to your desktop as a text file with Notepad because we will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet.

Prepare CWShredder for use:
- Download CWShredder.
- Save CWShredder.exe to a convenient location.
- Please do not do anything with it yet.
Prepare AboutBuster for use:
- Download AboutBuster.
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update".
- You should not run the program yet so click "Exit".

Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.
To return to normal mode just restart your computer as you normally would.

Run CWShredder:
- Double-click on CWShredder.exe.
- Click "Fix ->" and click "OK" at the prompt.
- CWShredder will scan and clean your system of CWS files.
- Click "Next->" and then "Exit".
Run AboutBuster and save the logs:
- Browse to where you saved AboutBuster and run AboutBuster.exe.
- Click "OK" at the directions Read: Important! prompt.
- Click "Start" and then "OK" to allow AboutBuster to scan for Alternate Data Streams.
- Click "Yes" at the About:Buster prompt to allow it to shutdown explorer.exe.
- Please wait while AboutBuster scans your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click "Save Log...". Make sure you save it as I will need a copy of it.
- Click "Exit" and "Exit" again to exit AboutBuster.
Clean out temporary files:
- Start | Run | type cleanmgr | OK
- Let it scan your system for files to remove.
- Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
- Click "OK" to remove them.
- Click "Yes" to confirm the deletion.
Restart your computer normally to return to normal mode.
Free TrendMicro Housecall scan:
- Vist the TrendMicro Housecall website.
- Select your country from the drop-down list and click "Go".
- Choose "Yes" at the ActiveX Security Warning prompt.
- Please wait while the Housecall engine is updated.
- Select the drives to be scanned by placing a check in their respective boxes.
- Check the "Auto Clean" box.
- Click "SCAN" in order to begin scanning your system.
- Please be patient while Housecall scans your system for malicious files.
- If not auto-cleaned, remove anything it finds.
- Click "Close" to exit the Housecall scanner.
- Choose "Yes" at the HouseCall message prompt.
Prepare your reply:
- Please post a fresh HijackThis log
- Please post the AboutBuster log.
- Please note any complications you had.

by **DLIEDKA** » April 7th, 2005, 11:46 am

ok i did what you said and here are the results

aboutbuster log:

Scanned at: 9:32:03 AM on: 4/7/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

Removed Data Streams:
C:\WINDOWS\CCCLETTR.INI:wzqrv
C:\WINDOWS\KB823182.log:kngxw
C:\WINDOWS\KB841356.log:cluuq
C:\WINDOWS\KB891711.log:bilif
C:\WINDOWS\Q331953.log:dfppp
C:\WINDOWS\Q828026.log:pztfj
C:\WINDOWS\setupapi.log:wwrki
C:\WINDOWS\TABLETOC.LOG:pfnur
C:\WINDOWS\VBADDIN.INI:igndp
C:\WINDOWS\WIASERVC.LOG:rgyri

Removed! : C:\WINDOWS\arllz.dat
Removed! : C:\WINDOWS\atlwv.exe
Removed! : C:\WINDOWS\mska32.exe
Removed! : C:\WINDOWS\msvw32.exe
Removed! : C:\WINDOWS\ntal32.exe
Removed! : C:\WINDOWS\zpiny.dat
Removed! : C:\WINDOWS\System32\crbs32.exe
Removed! : C:\WINDOWS\System32\msot.exe
Removed! : C:\WINDOWS\System32\netjj32.exe
Removed! : C:\WINDOWS\System32\sdmxb.dat
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

Removed Data Streams:
C:\WINDOWS\CCCLETTR.INI:wzqrv
C:\WINDOWS\KB823182.log:kngxw
C:\WINDOWS\KB841356.log:cluuq
C:\WINDOWS\KB891711.log:bilif
C:\WINDOWS\Q331953.log:dfppp
C:\WINDOWS\Q828026.log:pztfj
C:\WINDOWS\setupapi.log:wwrki
C:\WINDOWS\TABLETOC.LOG:pfnur
C:\WINDOWS\VBADDIN.INI:igndp
C:\WINDOWS\WIASERVC.LOG:rgyri

Attempted Clean Of Temp folder.
Pages Reset... Done!

new hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:57:55 AM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\Program Files\desktop weather\desktopweather_1426334.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Dana.OZZIES\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lowva.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_1426334.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.app-ozzie
O15 - Trusted IP range: 172.16.201.82
O15 - Trusted IP range: http://172.16.201.82
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0032939209
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B6C648AA-7FA6-11D1-AF07-006097255F64} (KITWebCrystal.clsCrystal) - http://172.16.201.82/Production//OCXFac ... rystal.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ids.dor.state.co.us/viewer/activ ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://autoprise.webex.com/client/late ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Ozzies.local
O17 - HKLM\Software\..\Telephony: DomainName = Ozzies.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Ozzies.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

what do you think? does it look loke it is gone?

by **insipid** » April 7th, 2005, 12:11 pm

Hi DKIEDKA, that looks better, we still have some work to do. First a question: Are you on a LAN (either work or home network)? I ask because this:

Domain = Ozzies.local

Looks like an internal network.

Please go to Add/Remove programs in the Control Panel and uninstall Hotbar and/or Web Tools from Hotbar. (A clean alternative to Desktop Weather can be found here http://www.singerscreations.com/ )

Next, rescan with HijackThis and place a checkmark next to the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\lowva.dll/sp.html#28129
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\lowva.dll/sp.html#28129
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [WeatherOnTray] C:\Program Files\Hotbar\bin\4.4.5.0\WeatherOnTray.exe
O4 - Startup: desktop weather.lnk = C:\Program Files\desktop weather\desktopweather_1426334.exe

Now, close all windows including your browser and then click "Fix Checked" in Hijackthis.

Please delete these folders using Windows Explorer(if present):

C:\Program Files\Hotbar\
C:\Program Files\desktop weather\

Next, clean out all the temporary files and cookies on your system. Go to Start > Run and enter: cleanmgr. Let it scan your system for files to remove. Check these three boxes and then press ok to remove: Temporary Files, Temporary Internet Files, Recycle Bin.

Reboot and post a fresh HJT log for review.

by **DLIEDKA** » April 7th, 2005, 12:46 pm

YES THIS CIMPUTER IS ON A NETWORK WITH 5 OTHER COMPUTERS DOES THAT CREATE A PROBLEM? SHOULD I PROCEED WITH THE LATES INSTRUCTIONS?

by **insipid** » April 7th, 2005, 12:55 pm

No, it doesn't create a problem

. I just wanted to make sure those lines were legitimate. Go ahead with my other instructions.

by **DLIEDKA** » April 7th, 2005, 1:08 pm

OK I WILL DO WHAT YOU SAY AND GET BACK WITH YOU. BY THE WAY THANK YOU SO MUCH FOR YOU HELP SO FAR!!!!

by **DLIEDKA** » April 7th, 2005, 1:12 pm

PROBLEM... YOU SAID TO UNISTALL HOTBAR AND/OR WEB TOOL FROM HOTBAR IN ADD/REMOVE PROGRAMS..WELL I DO NOT SEE THOSE PROGRAMS INSTALLED. ARE YOU TALKING ABOUT THE WEATHER THING I HAVE INSTALLED?

by **DLIEDKA** » April 7th, 2005, 3:55 pm

Ok i think i have uninstalled everything and deledted the files you told me to and here is the lastest hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:08:01 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Westwood\DLLs\westwood.exe
P:\Pathways\WFMGR\wfmgr.exe
C:\Documents and Settings\Dana.OZZIES\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.app-ozzie
O15 - Trusted IP range: 172.16.201.82
O15 - Trusted IP range: http://172.16.201.82
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0032939209
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B6C648AA-7FA6-11D1-AF07-006097255F64} (KITWebCrystal.clsCrystal) - http://172.16.201.82/Production//OCXFac ... rystal.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ids.dor.state.co.us/viewer/activ ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://autoprise.webex.com/client/late ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Ozzies.local
O17 - HKLM\Software\..\Telephony: DomainName = Ozzies.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Ozzies.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

what do you think? is everything finally gone?

by **insipid** » April 7th, 2005, 3:56 pm

Yes, Desktop Weather is the problem application. It's supposed to come bundled with the other two I mentioned, but if it's alone uninstall it please

.

by **DLIEDKA** » April 7th, 2005, 4:43 pm

weather tool and the programs are now uninstalled... here is ther current hijackthis log: how does it look now, every thing ok now?

Logfile of HijackThis v1.99.1
Scan saved at 2:56:44 PM, on 4/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\mnmsrvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jucheck.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\WINDOWS\system32\ntvdm.exe
C:\Westwood\DLLs\westwood.exe
P:\Pathways\WFMGR\wfmgr.exe
C:\Documents and Settings\Dana.OZZIES\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://*.app-ozzie
O15 - Trusted IP range: 172.16.201.82
O15 - Trusted IP range: http://172.16.201.82
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 0032939209
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {B6C648AA-7FA6-11D1-AF07-006097255F64} (KITWebCrystal.clsCrystal) - http://172.16.201.82/Production//OCXFac ... rystal.ocx
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (Crystal Report Viewer Control) - http://ids.dor.state.co.us/viewer/activ ... viewer.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://autoprise.webex.com/client/late ... eatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Ozzies.local
O17 - HKLM\Software\..\Telephony: DomainName = Ozzies.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Ozzies.local
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Unknown owner - C:\Program Files\Symantec\pcAnywhere\awhost32.exe (file missing)
O23 - Service: Carbon Copy Access Edition (CarbonCopy32) - Compaq Computer Corporation. - C:\WINDOWS\System32\ccsrvc.exe
O23 - Service: Carbon Copy Scheduler (CarbonCopyScheduler) - Compaq Computer Corporation. - C:\WINDOWS\System32\schdsrvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

by **insipid** » April 8th, 2005, 12:05 am

DLIEDKA, that log looks pretty clean, you did a great job

. However, there are two new running processes in the latest log. One indicates you work at a mechanic shop of some sort (P:\Pathways\WFMGR\wfmgr.exe), the other I'm not sure about, it could go a few different ways:

C:\Westwood\DLLs\westwood.exe

is the item. Do you know what this is? It's important we find out. If you don't know or can't find out, there are ways we can check.

by **DLIEDKA** » April 8th, 2005, 9:15 am

you are right i work at a body shop! pathways is our estimatimg system and the westwood you see is for our management system. it is a web based system. so at this point do i need to do any thind else? should i run ad-aware se? i normally run it every mornng since my posistion requires that i am on the internet alot.?

by **insipid** » April 8th, 2005, 10:13 am

In that case, your log IS clean, and running Ad-aware is always a good idea. There are a few more steps to take.

This infection attempts to delete some important files, which need to be restored if in fact they were deleted. Please verify their existence, and replace them as necessary.

[*]Restore (possibly) deleted files:

[*]control.exe - Visit this page.

Download the version of control.exe that corresponds to your operating system.
If you are running Windows 95, 98, or ME copy it to C:\WINDOWS.
If you are running Windows 2000 copy it to C:\WINNT\system32.
If you are running Windows XP copy it to C:\WINDOWS\system32.

[*]HOSTS - Download the Hoster.

Unzip Hoster to a convenient folder such as C:\Hoster.
Run Hoster.exe, click Restore Original Hosts and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

[*]SDHelper.dll - If you have Spybot Search & Destroy installed download a new SDHelper.dll from here and copy it to the default Spybot folder.

The normal path is C:\Program Files\Spybot - Search & Destroy.

[*]shell.dll - Visit this page.

This infection also attempts to reset your Internet Explorer security settings. I recommend checking them.

In Internet Explorer, Tools | Internet Options | Security tab | Custom Level. Make sure that the following settings are correct:
- Download signed ActiveX controls (Prompt)
- Download unsigned ActiveX controls (Disable)
- Initialize and script ActiveX controls not marked as safe (Disable)
- Run ActiveX controls and plug-ins (Enabled)
- Script ActiveX controls marked safe for scripting (Prompt)

Windows System Restore can and does backup malware files which can then be reinstalled if you ever restore to a previous point. To prevent this, we need to purge your Restore points:

Go to Start->Control Panel->System, System Restore. Click "Turn off System Restore". That will erase all restore points. You will be prompted to reboot. When Windows restarts, immediately go back in and uncheck "Turn off System Restore" to re-enable it. Windows will automatically create a new restore point.

To reduce re-infection potential for malware in the future:

Please read Tony Klein's article: So how did I get infected in the first place?.

It is extremely important to keep Windows and Internet Explorer up-to-date. Please go to http://v5.windowsupdate.microsoft.com/v ... x?ln=en-us regularly and install ALL critical updates.

It would be a good idea to install a firewall if you don't have one . Here are a few free ones:
Kerio Personal Firewall
Zone Alarm
Sygate Personal Firewall
For ease of use, I recommend Zonealarm.

I strongly recommend installing three free programs: SpywareBlaster, SpywareGuard, and IE/Spyad.

Use AdAware SE and Spybot S&D regularly to scan your system. Links to excellent tutorials on these programs are in my signature below.

by **DLIEDKA** » April 11th, 2005, 10:40 am

SORRY I WAS OUT ON FRIDAY.. I WILL TRY TO GET THIS DONE TODAY AND LET YOU KNOW HOW IT WORKS...SO FAR EVERYTHING ELSE SEEMS TO BE WORING GREAT!!! FROM WHAT I CAN TELL EVERYTHING IS BACK TO NORMAL. THANKS AGAIN FOR ALL YOUR HELP. YOU WERE GREAT..ITS AMAZING THAT OUR COMPUTER REPAIR GUY COULD NOT GET RID OF THIS THING AFTER 4 DIFFERENT ATTEMPS (AND $396.00 LATER) AND WAS READY TO SCRAP MY COMPUTER AND STAR OVER, AND YOU HAD IT GONE ON THE FIRST ATTMPT!! IF I EVER HAVE HAVE PROBLEMS AGAIN I WILL DEFINATLY COME TO YOU FIRST!!! GOOD WORK......................THANKS

Free Malware Removal Forum

HOW DO I GET RID OF THIS?????

HOW DO I GET RID OF THIS?????

scans done

Who is online