WinStatKeep.exe, WinStat.exe
Post #1 - Feb 2 2005, 06:52 PM
New Member - Posts: 9 - OS: XP

Hi there,

I have a question about the files WinStatKeep.exe and WinStat. I did a search of the forums here and found a few things on this that suggest these may be spyware or adware, but I guess I'm still not 100% sure about that. First, I have run several adware and malware scans using several different programs (AdAware, X Cleaner and Giant) and none of them have picked up WinStatKeep.exe or WinStat. I do notice that they are running processes in the background all the time. When I tell Task Manager to stop running them, it reloads them right away. I downloaded HijackThis tonight and ran a scan. I will avoid pasting the whole log here unless you think you'd be able to help me out better with the entire log... HijackThis did pick up the WinStatKeep.exe and WinStat.exe processes running in the background:

```
Logfile of HijackThis v1.99.0
Scan saved at 5:42:20 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
[...]
C:\Program Files\Windows AdStatus\WinStat.exe
C:\Program Files\Windows AdStatus\WinStatKeep.exe
```

My question's simple: how can I remove these if my spyware removal tools and stopping them through Task Manager and HijackThis do not seem to be working? And should these files be removed at all? Thanks for any help you can give!

Jackie
Post #2 - Feb 4 2005, 04:04 AM
Visiting Staff - Posts: 363 - From: Australia - OS: XP Pro, Win2000, Vista Business, OS X, Linux (various)

Hi Buzzygirl

> C:\Program Files\Windows AdStatus\WinStat.exe
> C:\Program Files\Windows AdStatus\WinStatKeep.exe

These are spyware related. Please post the whole log, including the header, as those files rarely occur on their own. There is usually other spyware on the computer and it is difficult to make a judgement without the whole log.
Post #3 - Feb 4 2005, 06:15 AM
New Member - Posts: 9 - OS: XP

Okay... I think I got rid of WinStat.exe and WinStatKeep, but here's the rest of the HijackThis log. Thanks for any help you can give:

```
Logfile of HijackThis v1.99.0
Scan saved at 6:13:03 AM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Jackie's Stuff\AIM stuff\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://147.208.11.200/mediaattenza/visitorchat/TLIEFlash.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O16 - DPF: {CAACCAA2-CFCE-11D2-8683-080009FC2B79} (DdiPrintControl Class v1.1) - https://cl.msi-insurance.com/ddrint/work/DdiPrintControl.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
```
Post #4 - Feb 4 2005, 07:24 AM
Visiting Staff - Posts: 363 - From: Australia - OS: XP Pro, Win2000, Vista Business, OS X, Linux (various)

Hi Buzzygirl

Please disable System Restore - Right Click on the My Computer icon on the desktop and go to the System Restore tab. Put a tick in the "Turn off System Restore on all drives". Apply. OK. You will flush all the restore points by doing this, but it prevents the malware being reinstalled. It can be re-enabled when the system is clean.

Go to Start > Run and type - services.msc - into the box and click OK. On the screen that comes up scroll to the bottom of the list on the Extended tab. Find ZESOFT - Right Click and go to Properties. In the screen that comes up - go to Startup Type and use the dropdown box to set Disabled. Apply. OK. Then close the window.

Open Control Panel > Add/Remove Programs
Uninstall Viewpoint

You may need to print this out or copy and paste into a Notepad file so you can keep track of what you have to do. You will need to close this window.

Open HijackThis and click on "Do System Scan". When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo Messenger, MSN Messenger, ICQ and anything else that is not essential - and click on Fix checked.

```
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200207...meInstaller.exe
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - http://147.208.11.200/mediaattenza/visitorchat/TLIEFlash.CAB
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
```

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - choose Safe Mode. You don't need any networking.

Open Windows Explorer and go to Tools > Folder Options > View, select:
* Display the contents of system folders

C:\Program Files\Viewpoint\Viewpoint Manager

Delete this file
C:\WINDOWS\zeta.exe

Reboot into Normal Mode and do a new HijackThis log and post it so we can check it's clear.
Post #5 - Feb 4 2005, 08:16 AM
New Member - Posts: 9 - OS: XP

Ilago: Thank you for your help! I will do this when I get home tonight, then I'll post the results. I appreciate this a lot!
Post #6 - Feb 4 2005, 05:51 PM
New Member - Posts: 9 - OS: XP

Hello again

Here's the new HT log file, post-cleaning as instructed above:

```
Logfile of HijackThis v1.99.0
Scan saved at 5:48:42 PM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\crko.exe
C:\WINDOWS\System32\tibs5.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\netrs32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skndi.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [crko.exe] C:\WINDOWS\system32\crko.exe
O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\ADRIAN~1\LOCALS~1\Temp\13.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Jackie's Stuff\AIM stuff\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAACCAA2-CFCE-11D2-8683-080009FC2B79} (DdiPrintControl Class v1.1) - https://cl.msi-insurance.com/ddrint/work/DdiPrintControl.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netrs32.exe
```
Post #7 - Feb 5 2005, 09:20 AM
Visiting Staff - Posts: 363 - From: Australia - OS: XP Pro, Win2000, Vista Business, OS X, Linux (various)

Hi buzzygirl

Sadly that log isn't clean and the computer has picked up some new infections. You will need to take some more prevention and protection action once we have this one cleaned up. I will post some more information on that after you post this log for me.

This is a harder fix than the one we did before. You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now; we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Hidden files and folders in Windows Explorer should still be configured as in the previous instructions I posted.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again - beeps - tap the F8 key as you did before. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
- Click Start to begin the process
- Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them. Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
- Next, click on the 'Fix' button
- Follow the prompts, and press OK

Run CleanUp
- Make sure it is on Standard Mode
- Click the "CleanUp!" button

Run Ad-Aware
- Configure Ad-Aware for a full system scan as described in this thread: http://www.geekstogo.com/forum/Malware-Spyware-Cleaning-Guide-t2852.html
- Run it

Clean up the leftovers
Run HJT, close any open windows, and fix the following items (if they are still there):

```
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skndi.dll/sp.html#12345
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", ""); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
O4 - HKLM\..\Run: [crko.exe] C:\WINDOWS\system32\crko.exe
O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\ADRIAN~1\LOCALS~1\Temp\13.tmp.exe 0 10001
O4 - HKLM\..\Run: [tibs5] C:\WINDOWS\System32\tibs5.exe
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netrs32.exe
```

Then delete the following files (if they exist):
C:\WINDOWS\system32\skndi.dll
C:\WINDOWS\system32\crko.exe
C:\DOCUMENTS AND SETTINGS\ADRIAN~1\LOCAL SETTINGS\Temp\13.tmp.exe 0 10001 - delete all the files in this \temp folder
C:\WINDOWS\System32\tibs5.exe
C:\WINDOWS\netrs32.exe

Delete the contents of the \temp folder for each user on the computer:
`C:\Documents and Settings\<user name>\Local Settings\Temp` - delete all the files in this folder

Reboot into normal mode, and run the following free, online virus scans:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/activescan/co...n_principal.htm
http://housecall.trendmicro.com/housecall/start_corp.asp

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.
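The helper's triage in posts #4 and #7 is done by eye: read the new HijackThis log, spot what appeared since the last one, and pick out the entry types that point at a hijack (an O23 service with an Unknown publisher, an O15 Trusted IP range, an R0 search page served from a local DLL, an autorun in a Temp folder). As an added example that is not part of the thread or of HijackThis itself, this Python script does the same steps over constructed excerpts of the logs quoted above; the heuristics are mine, not a HijackThis feature.

```python
"""Triage helper for HijackThis (HJT) logs of the kind posted in this thread:
parse the log, diff it against the previous scan, and flag suspicious entries."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample logs: short excerpts in the format of the logs quoted in the thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe

O3 - Toolbar: (no name) - {46AE04C0-BCFA-4728-90E7-00EB4A8B3863} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ZESOFT - Unknown - C:\WINDOWS\zeta.exe
"""

LOG_AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\crko.exe
C:\WINDOWS\netrs32.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\skndi.dll/sp.html#12345
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [crko.exe] C:\WINDOWS\system32\crko.exe
O4 - HKLM\..\Run: [13.tmp] C:\DOCUME~1\ADRIAN~1\LOCALS~1\Temp\13.tmp.exe 0 10001
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Workstation NetLogon Service - Unknown - C:\WINDOWS\netrs32.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")   # e.g. "O23 - Service: ..."

def parse_hjt(text: str) -> Dict[str, list]:
    """Split a HijackThis log into running-process paths and (tag, detail) entries."""
    processes: List[str] = []
    entries: List[Tuple[str, str]] = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the process list
            in_processes = False
        elif line.lower().startswith("running processes:"):
            in_processes = True
        elif (m := ENTRY_RE.match(line)):
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return {"processes": processes, "entries": entries}

def new_since(before: str, after: str) -> Dict[str, list]:
    """Processes and entries present in `after` but absent from `before`."""
    b, a = parse_hjt(before), parse_hjt(after)
    old_procs = {p.lower() for p in b["processes"]}   # NT paths are case-insensitive
    old_entries = set(b["entries"])
    return {
        "processes": [p for p in a["processes"] if p.lower() not in old_procs],
        "entries": [e for e in a["entries"] if e not in old_entries],
    }

def flag(tag: str, detail: str) -> Optional[str]:
    """Why an entry deserves a closer look, or None if no heuristic fires."""
    low = detail.lower()
    if tag == "O23" and " - unknown - " in low:
        return "service with no publisher listed (Unknown)"
    if tag == "O15":
        return "IP range added to IE's Trusted sites zone"
    if tag in ("R0", "R1") and "res://" in low and ".dll/" in low:
        return "IE search/start page served from a local DLL resource (About:Blank hijack)"
    if tag == "R3" and "urlsearchhook is missing" in low:
        return "default URLSearchHook removed"
    if tag == "O3" and "(no file)" in low:
        return "toolbar entry whose file no longer exists"
    if tag == "O4" and re.search(r"\\temp\\", low):
        return "autorun entry launching from a Temp folder"
    return None

def triage(text: str) -> List[Tuple[str, str, str]]:
    """All flagged entries of a log as (tag, detail, reason), in log order."""
    return [(t, d, flag(t, d)) for t, d in parse_hjt(text)["entries"] if flag(t, d)]
```

Running `new_since(LOG_BEFORE, LOG_AFTER)` surfaces crko.exe and netrs32.exe as new processes, and `triage(LOG_AFTER)` flags exactly the R0, R3, O4 Temp, O15 and O23 lines the helper listed for fixing; entries such as tibs5.exe that no heuristic catches still show up in the diff.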
Post #8 - Feb 5 2005, 09:25 AM
New Member - Posts: 9 - OS: XP

Sigh... my son seems to be responsible for these. I keep telling him NOT to use IE and to stay away from certain sites... well, anyway, my Internet connection is cable, so it's constant. Should I disconnect the cable modem before I do the fix?

Thanks! Jackie
Post #9 - Feb 5 2005, 09:57 AM
Visiting Staff - Posts: 363 - From: Australia - OS: XP Pro, Win2000, Vista Business, OS X, Linux (various)

Hi Buzzygirl

My sympathies - those sites are often a bit of a magnet, aren't they?

Yes, disconnect the cable - that makes sure you aren't connected by accident.

Are you using Windows XP Pro or Home? Depending on which version there are some Windows configurations that might be available. Installing Service Pack 2 will also help - but don't do that until we are sure it is clean. It can have problems if there are any nasties on the machine.

After we get this cleaned up - there will be some things you can do that will slow down the rate of infection. You may like to download them now so you can install them straight away if you don't already have them. You already have SpywareGuard.

SpywareBlaster will block bad ActiveX and malevolent cookies.
http://www.javacoolsoftware.com/spywareblaster.html

IE-SPYAD puts over 4000 sites in your Restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. The download is a long way down the page.
https://netfiles.uiuc.edu/ehowes/www/resource.htm
Post #10 - Feb 5 2005, 10:11 AM
New Member - Posts: 9 - OS: XP

Thanks a lot! I'll have to do this procedure later on and post the log. Thanks again for your help and expertise!
Post #11 - Feb 5 2005, 10:50 AM
New Member - Posts: 9 - OS: XP

Okay, I did everything you listed above... here's the newest log file. Thanks again!

```
Logfile of HijackThis v1.99.0
Scan saved at 10:48:43 AM, on 2/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast High-Speed Internet
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Buzzygirl\Application Data\Mozilla\Profiles\default\wjj98p9b.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Jackie's Stuff\AIM stuff\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O15 - Trusted IP range: (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/cha...v45/yacscom.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {CAACCAA2-CFCE-11D2-8683-080009FC2B79} (DdiPrintControl Class v1.1) - https://cl.msi-insurance.com/ddrint/work/DdiPrintControl.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: W2k PCtel speaker phone - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
```
Post #12 - Feb 5 2005, 07:09 PM
Visiting Staff - Posts: 363 - From: Australia - OS: XP Pro, Win2000, Vista Business, OS X, Linux (various)

Hi there

Well done - you got there.

Fix this entry with HijackThis:

```
R3 - Default URLSearchHook is missing
```

Re-enable System Restore, which should set a restore point of today. My Computer > Right Click > Properties > System Restore Tab > untick "Turn off System Restore on all drives".

This would be a good time to install Service Pack 2 and make sure Windows and Internet Explorer are fully up to date.
http://v5.windowsupdate.microsoft.com/en/default.asp

This site gives some information on how to set up Internet Explorer so it is more secure.
http://www.infinisource.com/techfiles/surf-safe.html - for Service Pack 1
http://www.infinisource.com/techfiles/ie-sp2-surf-safe.html - for Service Pack 2

You have no third party firewall installed and running. If your cable modem has an inbuilt firewall this is not critical. If you are using the Windows firewall, you might give some thought to installing one of the free firewalls available, as the Windows firewall has some shortcomings. These are free:
Zone Alarm http://www.Zonelabs.com/
Sygate http://soho.sygate.com/buy/download_buy.htm
Tiny Personal Firewall http://www.webmasterfree.com/tpfw.html
Kerio Personal Firewall http://www.kerio.com/kpf_download.html

If you need any more information, please ask. Someone here will be happy to help you.
Post #13 - Feb 5 2005, 07:16 PM
New Member - Posts: 9 - OS: XP

Thank you SO much for your help. Regarding third-party firewall software, I've installed several, but unfortunately, they've always ended up causing problems with my Internet connection eventually. I've spoken with Comcast reps about it and they couldn't pinpoint a cause either. Any suggestions there? I have used BlackICE and Zone Alarm; any known problems with those?
Post #14 - Feb 5 2005, 07:27 PM
Visiting Staff - Posts: 363 - From: Australia - OS: XP Pro, Win2000, Vista Business, OS X, Linux (various)

Hi

Both Zone Alarm and BlackICE are widely used and there is quite a lot of help on their websites. Tiny Personal Firewall takes a little configuring but has a small system footprint. The Windows one is better than nothing. The Service Pack 2 upgrade to the Windows firewall has made it a bit more secure than the original one.

Some cable and ADSL modems are temperamental. It might be worth visiting the website for the manufacturer of the modem. Sometimes there is good information in the Support area about bugs they have fixed.
Post #15 - Feb 5 2005, 07:36 PM
New Member - Posts: 9 - OS: XP

Thanks Ilago, I will check on the Motorola website for my modem and see if I can find any issues with firewall software. You have been very helpful. I'm very glad I found this board. You're very knowledgeable about spyware and have made me more so as well.
© Geeks to Go, Inc. All Rights Reserved.