
homepage hijack


  • This topic is locked

#1
bizzycook

bizzycook

    New Member

  • Member
  • 2 posts
mk:@MSITStore:C:\spe\start.chm::/start.html# is the page that it opens up to. I've tried to just change the homepage setting but it goes back to the same thing, then I tried CWShredder and Ad-Aware. No luck with either, so I'm going to post my log and see if anyone can see something I don't.



Logfile of HijackThis v1.99.1
Scan saved at 8:45:57 PM, on 3/20/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin....php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin....php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F1 - win.ini: run=hpfsched
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Corel Network monitor worker - {1942E340-10D6-11D9-BC6D-0050BACB50CB} - C:\WINDOWS\SYSTEM\INTLMAIN.DLL
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1942E340-10D6-11D9-BC6D-0050BACB50CB} - C:\WINDOWS\SYSTEM\INTLMAIN.DLL
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\REMOVE_ME.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O9 - Extra button: Corel Network monitor worker - {1942E340-10D6-11D9-BC6D-0050BACB50CB} - C:\WINDOWS\SYSTEM\INTLMAIN.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1942E340-10D6-11D9-BC6D-0050BACB50CB} - C:\WINDOWS\SYSTEM\INTLMAIN.DLL (HKCU)
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\REMOVE_ME.DLL (HKCU)
O13 - DefaultPrefix: http://www.heretofin...ow.php?id=15&q=
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EB} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.164.12/...gaInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EE} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/...gaInstaller.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab


#2
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi bizzycook

Sorry about the delay in responding. The forum has been very busy lately.

Please download this utility to fix the Start.chm Hijack:
http://tools.zerosre...startchmfix.exe
(The following is typically seen in the HijackThis log: R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\WINDOWS\start.chm::/start.html)

Run it and extract the folder to the desktop preferably.
Open the folder after it is extracted.
Double click the fix.bat
Please make sure all Internet Explorer windows are closed.
Only run it once or you will lose the backups although they shouldn't be needed.
Notepad will open at the end with a message and the bad file listing at the end. Reboot Windows and delete that bad file.

Download, install and update Adaware if you don't already have it - from here: http://www.geekstogo...ction=show&id=5

To show all files and folders
* Open My Computer - double click on the My Computer icon.
* Select the View menu and click Folder Options.
* Select the View Tab.
* In the Hidden files section select Show all files.
* Click OK.

You might like to print out the rest of these steps so you can follow them when you are disconnected from the internet.

Open HijackThis again and click on Do System Scan only. Check all the following items if they are still there. Close Internet Explorer, disconnect from the internet, close all open windows and unnecessary programs like Yahoo Messenger, ICQ etc. Click on Fix Checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin....php?id=15&q=%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.heretofin....php?id=15&q=%s
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [SpyHunter] C:\PROGRAM FILES\SPYHUNTER\SPYHUNTER.exe
O4 - Startup: Microsoft Office.lnk = C:\WINDOWS\Application Data\Microsoft\Installer\{00010409-78E1-11D2-B60F-006097C998E7}\misc.exe
O9 - Extra button: Corel Network monitor worker - {1942E340-10D6-11D9-BC6D-0050BACB50CB} - C:\WINDOWS\SYSTEM\INTLMAIN.DLL (HKCU)
O9 - Extra 'Tools' menuitem: Corel Network monitor worker - {1942E340-10D6-11D9-BC6D-0050BACB50CB} - C:\WINDOWS\SYSTEM\INTLMAIN.DLL (HKCU)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\REMOVE_ME.DLL (HKCU)
O13 - DefaultPrefix: http://www.heretofin...ow.php?id=15&q=
O13 - WWW Prefix:
O13 - Home Prefix:
O13 - Mosaic Prefix:
O13 - FTP Prefix:
O13 - Gopher Prefix:
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EB} - ms-its:mhtml:file:// C:\MAIN.MHT!http://69.50.164.12/...gaInstaller.exe
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EE} - ms-its:mhtml:file://C: ie.mht!http:// 69.50.164.12/exp/mht/pop01.chm::/MegaInstaller.exe


Restart your computer and reboot into Safe Mode by tapping F8 as your computer starts to boot up - straight after the beep. Select Safe Mode. Open Windows Explorer and delete the following files and folders.

Open Control Panel Add/Remove Programs and remove Spyhunter. It's unnecessary to have in addition to Spyware Doctor which is a better program. See this page for more information on Spyhunter http://www.spywarewa...are.htm#sh_note

Open Windows Explorer and delete the following files and folders if they are still there.

C:\WINDOWS\REMOVE_ME.DLL - Delete file only
There will be another copy of REMOVE_ME.DLL that must be deleted - you will need to use Windows Explorer > Find Files to search your entire c:\ drive to make sure it's found and deleted. It is usually in the \temp folder but do a full search to make sure.
C:\WINDOWS\SYSTEM\INTLMAIN.DLL - Delete this file
C:\spe - delete entire folder
C:\PROGRAM FILES\SPYHUNTER - Delete entire folder if it is still there

Reboot into Normal Mode.

Go to Start > Programs > Accessories > System Tools > Disk Cleanup tool

Make sure that you select temp and temporary internet files, the recycle bin, cookies and anything else you want cleaned and run the tool. If you clean cookies you may lose some saved passwords so make sure you have them written down or clean up cookies manually.

Open Adaware and set the configuration as follows:

1. Reconfigure Ad-Aware for Full Scan as per the following instructions - if any options are greyed out leave them and continue with the rest:
  • Launch the program, and click on the Gear at the top of the start screen.
  • Under General Settings the following boxes should all be checked off:
(Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
  • "Automatically save logfile"
  • "Automatically quarantine objects prior to removal"
  • Safe Mode (always request confirmation)
  • Prompt to update outdated confirmation) - Change to 7 days.
  • Click the "Scanning" button (On the left side).
  • Under Drives & Folders, select "Scan within Archives"
  • Click "Click here to select Drives + folders" and select your installed hard drives.
  • Under Memory & Registry, select all options.
  • Click the "Advanced" button (On the left hand side).
  • Under "Shell Integration", select "Move deleted files to Recycle Bin".
  • Under "Log-file detail", select all options.
  • Click on the "Defaults" button on the left.
  • Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
  • Click the "Tweak" button (Again, on the left hand side).
  • Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
    [o] "Unload recognized processes during scanning."
    [o] "Obtain command line of scanned processes"
    [o] "Scan registry for all users instead of current user only"
  • Under "Cleaning Engine", select the following:
    [o] "Automatically try to unregister objects prior to deletion."
    [o] "During removal, unload explorer and IE if necessary"
    [o] "Let Windows remove files in use at next reboot."
    [o] "Delete quarantined objects after restoring"
  • Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
  • Click on "Proceed" to save these Preferences.
  • Click on the "Scan Now" button on the left.
  • Under "Select Scan Mode", be sure to select "Use Custom Scanning Options"
2. Close all programs except ad-aware.
3. Click on "Next" in the bottom right corner to start the scan.
4. Run the Ad-Aware scan and allow it to remove everything it finds in the Critical Objects screen and then REBOOT - Even if not prompted to.
5. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Do a fresh HijackThis log so we can check that everything is now cleaned.
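
Added example (not part of the original posts, and not HijackThis's own logic): a small Python triage script that parses lines in the HijackThis log format shown above and flags, by structure alone, the kinds of entries marked for fixing in this thread. The rule set and function names are assumptions made for illustration; the sample lines are copied from the logs above.

```python
import re

# Sample lines copied from the logs in this thread (truncated URLs left as posted).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\EXPLORER.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = mk:@MSITStore:C:\spe\start.chm::/start.html#
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O13 - DefaultPrefix: http://www.heretofin...ow.php?id=15&q=
O13 - WWW Prefix:
O16 - DPF: {563ED66E-531B-51D2-5DB0-5080C83DA4EB} - ms-its:mhtml:file://C:\MAIN.MHT!http://69.50.164.12/...gaInstaller.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
"""

# An entry line looks like "R0 - ..." or "O16 - ..."; headers and process paths do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# URL schemes that load content out of a compiled help (.chm) container.
HELP_SCHEMES = ("mk:@msitstore:", "ms-its:")


def parse_entries(log_text):
    """Return (section, body) for every entry line, in log order."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def flag_entry(section, body):
    """Return a reason string if the entry matches one of the assumed rules, else None."""
    lower = body.lower()
    if section in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1].strip().lower()
        if value.startswith(HELP_SCHEMES):
            return "IE page setting points into a compiled help (.chm) file"
    if section == "R3" and lower.endswith("(no file)"):
        return "URLSearchHook registered with no backing file"
    if section == "O13":
        value = body.partition(":")[2].strip()
        if value and value.lower() != "http://":
            return "URL prefix rewritten to " + value
    if section == "O16" and "ms-its:" in lower:
        return "ActiveX download source wrapped in ms-its:mhtml"
    return None


def triage(log_text):
    """Return (section, reason, body) for each flagged entry."""
    findings = []
    for section, body in parse_entries(log_text):
        reason = flag_entry(section, body)
        if reason:
            findings.append((section, reason, body))
    return findings


def still_present(before_log, after_log):
    """Flagged entries from the first log that survive unchanged in the follow-up log."""
    after = set(parse_entries(after_log))
    return [f for f in triage(before_log) if (f[0], f[2]) in after]


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

These rules look only at the shape of an entry, so ordinary http:// search-page values such as the R1 lines in this thread are not flagged and still need a human reviewer.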

#3
bizzycook

bizzycook

    New Member

  • Topic Starter
  • Member
  • 2 posts
Well, I did everything you told me to and it seems to work! And I'm glad, lol. Took me about 3 hours but I was kinda dozin off also. I thank you very much for taking the time to go over my log and I'm glad there's people out there that will help. Here's the log after I got done:

Logfile of HijackThis v1.99.1
Scan saved at 4:08:50 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\NORTON SYSTEMWORKS\NORTON UTILITIES\NPROTECT.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\YAHOO!\MESSENGER\YMSGR_TRAY.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\UNZIPPED\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\CCHELPER.DLL
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDSG.DLL
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [NPROTECT] C:\Program Files\Norton SystemWorks\Norton Utilities\nprotect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Spyware Doctor] "C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\TOOLS\IESDPB.DLL
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop...p/PCPitStop.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: Yahoo! Poker - http://download.game...nts/y/pt3_x.cab

#4
Hemal

Hemal

    Founding Fart

  • Technician
  • 1,470 posts
Open up Add/Remove programs and look for Pa&nicware Pop-Up Stopper, if you see it remove it, but if not, close all open windows and log off all programs and then open up Hijack This and scan your system, then put a check mark in

-O3 - Toolbar: Pa&nicware Pop-Up Stopper - {7E82235C-F31E-46CB-AF9F-1ADD94C585FF} - C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\PSTOPPER.DLL

reboot your computer-

In order to stop pop-ups, I recommend using the Google Toolbar, which gives you many more other features- just type in Google Toolbar to the Google search and download it :tazz:

#5
ilago

ilago

    Visiting Staff

  • Visiting Consultant
  • 363 posts
Hi bizzycook

That looks a lot better than it did.

Visit Microsoft Update to update Windows and Internet Explorer. Updates often fix exploits used by malware. Click on the update icon in the Start menu or here http://www.windowsupdate.com/

This topic http://www.geekstogo...ources-t38.html has a lot of information and links about extra protection you can install.

I'd recommend installing a firewall - there are several free ones
Install Spywareblaster
Install Spywareguard

Think about using Firefox and Thunderbird instead of Internet Explorer and Outlook Express. http://www.mozilla.org

Keep all antivirus and antispyware software up to date and do regular scans.

Stay Safe Online http://www.staysafeo.../home-tips.html

I will close this topic. If you would like it re-opened please PM me or a Moderator.

Edited by ilago, 03 April 2005 - 06:42 AM.
