[merbel]

Have XP Pro.
I was able to delete both the appre and apine (end tasked) Did that before but either they were not there or I missed them. Thanks for your patience and help. I have run HiJack and the numbers (html#) but everything else does so I will delete.
Also, I have Quicken with financial info on this computer. Should I be concerned about security breach in reference to that?
I will work through the remainder and repost hijack as soon as possible.

Edited by merbel, 28 April 2005 - 01:29 PM.

[Advertisements]

Also, the O2-BHO (no name) numbers and WINDOWS subset is different rather than /system32/ipsu.dll it is /crsf32.dll. I will assume I should delete anyway as there is no other O2 close....

[merbel]

Also, the O2-BHO (no name) numbers and WINDOWS subset is different rather than /system32/ipsu.dll it is /crsf32.dll. I will assume I should delete anyway as there is no other O2 close....

[-=jonnyrotten=-]

Correct. It looks as if the file name has changed probably because of a reboot. It will continue to do so on every reboot until we get this cleaned. Keep up the good work here and we'll get through this

-=Jonnyrotten=-

[merbel]

Rebooted in regular mode ( up to step 8)
On reboot, got "Windows cannot find C\windows\system32\apine32.exe

I did see an O4 entry in Hijack that had apine in it (deleted the appree32 as instructed) but did not delete as it was not in the list....

Have to stop for a bit. Will be back at it in a couple of hours.

[-=jonnyrotten=-]

That's a good sign. That means Windows is looking for that file (per instructions from the line you saw in Hijack This) and the file is now gone. Now just make sure to remove the entry from Hijack This. The error should then go away.

-=jonnyrotten=-

[merbel]

Hit a snag at Step 8. IE would not let me download the hoster. Get an error message. Can see the file transferring but it doesn't really go. Went to next step for the Del domain and when I try to download, just get a notepad with gear on it-nothing else.

[-=jonnyrotten=-]

Open Internet Explorer and click "Tools" at the top then "Internet Options". Now click the "Security" tab and click the "Default Level" button. Click ok, close IE and reopen it and try again. By the way what is the error message you get when trying to download?

-=jonnyrotten=-

[merbel]

"IE cannot download hoster.zip form members.aol.com. IE was not able to open this internet site. wite either unavail or annot ref-try later"

[merbel]

Did as instructed. Still when I try to download, it looks like it is for a moment-papers moving over-then the error message----same as before

[-=jonnyrotten=-]

Try from here:

DelDomains:
http://ralphcaddell..../deldomains.zip

HostFileReader:
http://www.mdegn.dk/...sFileReader.exe

Now with hostfilereader just double click on the file and click the "Reset Default" button on the right.

-=jonnyrotten=-

[merbel]

Worked on hoster. Still get notepad but no real program on del domain

[-=jonnyrotten=-]

DelDomain is not a program, it's a file and when you get it just right click on it and click "install" that is all you do with it. You probably have been getting the right one the whole time, haha, my fault

-=jonnyrotten=-

[merbel]

When I right click-I don't get that option-both before and after double clicking-just get cut limited options and a notepad

[-=jonnyrotten=-]

When you first download it it is in a .zip file, you must drag and drop the file out of the .zip file to your desktop, and then you will have the install option if you right click it.

-=jonnyrotten=-

[merbel]

I am optimistic. I was able to do all except get the online Housecall virus scan to run. Will try again later or download the free trial. I did run Norton and was clear.

Below is latest HighJack

First, a couple of questions. I now have Service pack 2 but it doesn't see my Norton antivirus-sees it as installed but not on. I bought this used and had it had Norton corporate on it. Runs scans when I go into program but is not on lower tool bar startup menu. Do I need to do something else to the program? Or, is there another you would suggest?

Also, when I startup the computer, I get a signon (network type thing) with user and asks for password. I just hit OK and don't put in a password and it is fine but annoying. Quick way to make that go away?

Anyway, I think I have a clean machine now and have learned alot about computer security in the process.

Here's HighJack and thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 6:09:04 PM, on 4/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\netlg32.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\atlev.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [atlev.exe] C:\WINDOWS\atlev.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} (NeoterisSetup Control) - https://sra.carebrid...oterisSetup.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1098857008188
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Remote Procedure Call (RPC) Helper ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\netlg32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe