[steve st]

hello everyone,

new to this forum, found your little space on the WWW after doing a google search on "Ndrv", which is the latest piece of garbage that has found its way into my machine. having two teenage boys that seem to find every malware loaded site on the net, it makes morning start ups interesting!
this am., i was loaded. ad aware took out 192 files, folders, and reg. keys. spybot found one more.
anyways, got Ndrv now.
downloaded and ran hijackthis, and here is the log:
Logfile of HijackThis v1.97.7
Scan saved at 1:24:57 PM, on 06/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MEMORYBOOST\MEMORYBOOST.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\WINDOWS\SYSTEM\NDRV.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/ht...x.cfm?p=16&m=41
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/ht...x.cfm?p=16&m=41
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {D5572540-47AD-11D2-A534-00805F8A7AC4} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\RLTDBND.DLL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /waitservice
O4 - HKLM\..\Run: [inyvvqp] C:\WINDOWS\SYSTEM\ssgiso.exe
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O4 - HKCU\..\Run: [RFAgent] C:\Program Files\Reg1Aid\rfagent.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft...9/conveyer1.cab
O16 - DPF: {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1} (IE Active Setup Control) - http://www.microsoft...df/setupctl.cab
O16 - DPF: {80042CE1-9009-11D1-BE7A-00805F2AEDA7} (LiveStream Control) - http://163.125.19.101/livestream.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O16 - DPF: {BD1F006E-174F-11D2-95C0-00C04F9A8CFA} (SurveyCtl Class) - http://activex.micro...ards/Survey.cab
O16 - DPF: {0A8CA450-22B9-11d2-A507-00805F8A7AC4} (Netscape TuneUp for IE) - ftp://ftp.netscape.com/pub/communicator/s...t/ie/tuneup.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.micro...izards/sw35.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44...etzip/RdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www114.coolsa...oad/cscmv4X.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7865.2444444444
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-de...s/GSManager.cab
O16 - DPF: {B9D029D3-CDE3-11CF-855E-00A0C908FAF9} (ActiveX Tree Control) -
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

please advise your thoughts, and thank you in advance!

steve street
rochester, ny.

[Advertisements]

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {D5572540-47AD-11D2-A534-00805F8A7AC4} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\RLTDBND.DLL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O4 - HKLM\..\Run: [inyvvqp] C:\WINDOWS\SYSTEM\ssgiso.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O16 - DPF: {80042CE1-9009-11D1-BE7A-00805F2AEDA7} (LiveStream Control) - http://163.125.19.101/livestream.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44...etzip/RdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www114.coolsa...oad/cscmv4X.cab
O16 - DPF: {B9D029D3-CDE3-11CF-855E-00A0C908FAF9} (ActiveX Tree Control) -
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

Next, reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files and folders, and remove the following files in bold:

O4 - HKLM\..\Run: [inyvvqp] C:\WINDOWS\SYSTEM\ssgiso.exe <-- This File
C:\WINDOWS\SYSTEM\NDrv.exe <-- This File

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log.

[Smokey]

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.presar...&s=search&i=enu
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\OOBE\BLANK.HTM
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {D5572540-47AD-11D2-A534-00805F8A7AC4} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\RLTDBND.DLL
O2 - BHO: (no name) - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\SYSTEM\NZDD0.DLL
O4 - HKLM\..\Run: [inyvvqp] C:\WINDOWS\SYSTEM\ssgiso.exe
O4 - HKCU\..\Run: [NDrv] C:\WINDOWS\SYSTEM\NDrv.exe
O16 - DPF: {80042CE1-9009-11D1-BE7A-00805F2AEDA7} (LiveStream Control) - http://163.125.19.101/livestream.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (IPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.25.44...etzip/RdxIE.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {4129EA54-F04E-11D3-BF96-00C04F0E7BE2} - http://www114.coolsa...oad/cscmv4X.cab
O16 - DPF: {B9D029D3-CDE3-11CF-855E-00A0C908FAF9} (ActiveX Tree Control) -
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://dl.filekicker...IL/PhPSetup.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

Next, reboot in safe mode (by tapping F8 at startup and select safe mode from the menu). Be sure you're able to view hidden files and folders, and remove the following files in bold:

O4 - HKLM\..\Run: [inyvvqp] C:\WINDOWS\SYSTEM\ssgiso.exe <-- This File
C:\WINDOWS\SYSTEM\NDrv.exe <-- This File

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log.

[steve st]

thank you for your prompt reply.

two questions,

www.rr.com (R0 & R1) is my ISP home page for road runner. should i still delete these lines?

when i reboot into safe mode, do i run hijackthis again, to get the other two files?

many thanks!
steve

Edited by steve st, 23 June 2004 - 01:18 PM.

[ditto]

www.rr.com (R0 & R1) is my ISP home page for road runner. should i still delete these lines?

No you dont have to. doesnt look like they redirect to anything suspicious.

when i reboot into safe mode, do i run hijackthis again, to get the other two files?

yes

[Smokey]

I apologize and have edited them out.

[steve st]

hey guys,

no apologies needed !!!
i sincerely appreciate the assistance.

alrighty then, ran hijack this again, and checked the items you listed.
reboot in safe mode, and ran again.
these two did not appear:
O4 - HKLM\..\Run: [inyvvqp] C:\WINDOWS\SYSTEM\ssgiso.exe <-- This File
C:\WINDOWS\SYSTEM\NDrv.exe <-- This File
this is the log from the run in safe mode:

Logfile of HijackThis v1.97.7
Scan saved at 6:19:20 PM, on 06/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/ht...x.cfm?p=16&m=41
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/ht...x.cfm?p=16&m=41
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft...9/conveyer1.cab
O16 - DPF: {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1} (IE Active Setup Control) - http://www.microsoft...df/setupctl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O16 - DPF: {BD1F006E-174F-11D2-95C0-00C04F9A8CFA} (SurveyCtl Class) - http://activex.micro...ards/Survey.cab
O16 - DPF: {0A8CA450-22B9-11d2-A507-00805F8A7AC4} (Netscape TuneUp for IE) - ftp://ftp.netscape.com/pub/communicator/s...t/ie/tuneup.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.micro...izards/sw35.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7865.2444444444
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-de...s/GSManager.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

rebooted to normal mode, ran hijack this again.
the log:

Logfile of HijackThis v1.97.7
Scan saved at 9:11:31 PM, on 06/23/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MEMORYBOOST\MEMORYBOOST.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/ht...x.cfm?p=16&m=41
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/ht...x.cfm?p=16&m=41
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft...9/conveyer1.cab
O16 - DPF: {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1} (IE Active Setup Control) - http://www.microsoft...df/setupctl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O16 - DPF: {BD1F006E-174F-11D2-95C0-00C04F9A8CFA} (SurveyCtl Class) - http://activex.micro...ards/Survey.cab
O16 - DPF: {0A8CA450-22B9-11d2-A507-00805F8A7AC4} (Netscape TuneUp for IE) - ftp://ftp.netscape.com/pub/communicator/s...t/ie/tuneup.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.micro...izards/sw35.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7865.2444444444
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-de...s/GSManager.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

LMK what you think.
thank you once again for your help.

steve st.
rochester, ny.

[Smokey]

Congratulations! Your system is CLEAN

If everything seems to be working okay you can delete the Hijack This folder.

How do you prevent spyware from being installed again? We strongly recommend installing SpywareBlaster (it's free for personal use).

Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests.
Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
Restrict the actions of potentially dangerous sites in Internet Explorer.
Consumes no system resources.

Download, run, check for updates, download updates, then "Enable All Protection". All done. Check for updates every couple of weeks. Link to SpywareBlaster:
http://www.geekstogo...tion=show&id=12

It's also very important to keep your system up to date to avoid unnecessary security risks. Click Here to make sure that you have the latest patches for Windows.

After doing all these, your system will be thoroughly protected from future threats.

Teenage boys, huh? I'm 17 !

[steve st]

yeah, teenage boys. 17 and 15.

history folder shows one of them hit a bunch of [bleep] sites, must have been after i hit the sack, which explains all the garbage on the machine when i booted up wednesday morning.
no wonder they sleep to noon! up all night yankin it.

but at least you know what you are doing!
a tip of the hat to you, many thanks helping the old guy out.

ready for this one?
hitting ctrl+alt+del to bring up the close window, shows Ndrv running.

click start, then find Ndrv.exe shows it is still in my machine, in C:\WINDOWS\SYSTEM\NDrv.exe.

a search for C:\WINDOWS\SYSTEM\ssgiso.exe comes up empty.

whadda ya think?

steve st.

[admin]

Missed one.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL

Reboot in safe mode (by tapping F8 at startup and select safe mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\SYSTEM\NDRV.DLL


Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log.

[steve st]

i'm going to have to share the blame here also.
O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\SYSTEM\NDRV.DLL
it was in the safe mode scan from yesterday, and i missed it.

that's why it was still in my machine last night.
DOH !!!

so, we are a little bit more relaxed today, and here is how it went.
ran HJ, checked and fixed the entry above.
reboot to safe mode.
here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 2:27:13 PM, on 06/24/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/ht...x.cfm?p=16&m=41
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/ht...x.cfm?p=16&m=41
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft...9/conveyer1.cab
O16 - DPF: {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1} (IE Active Setup Control) - http://www.microsoft...df/setupctl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O16 - DPF: {BD1F006E-174F-11D2-95C0-00C04F9A8CFA} (SurveyCtl Class) - http://activex.micro...ards/Survey.cab
O16 - DPF: {0A8CA450-22B9-11d2-A507-00805F8A7AC4} (Netscape TuneUp for IE) - ftp://ftp.netscape.com/pub/communicator/s...t/ie/tuneup.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.micro...izards/sw35.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7865.2444444444
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-de...s/GSManager.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

reboot again to standard mode, ran HJ.
the log:

Logfile of HijackThis v1.97.7
Scan saved at 2:33:58 PM, on 06/24/2004
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\ISAFE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\ATICWD32.EXE
C:\WINDOWS\STUTFIX.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\PROGRAM FILES\MEMORYBOOST\MEMORYBOOST.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETMSG.EXE
C:\PROGRAM FILES\COMPUTER ASSOCIATES\ETRUST EZ ARMOR\ETRUST EZ ANTIVIRUS\VETTRAY.EXE
C:\MY DOCUMENTS\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.rr.com/ht...x.cfm?p=16&m=41
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.rr.com/ht...x.cfm?p=16&m=41
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [AtiCwd32] Aticwd32.exe
O4 - HKLM\..\Run: [CPQSTUTFIX] C:\Windows\stutfix.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [MemoryBoost] "C:\Program Files\MemoryBoost\MemoryBoost.exe"
O4 - HKLM\..\Run: [Vet Alert] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETMSG.EXE
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\COMPUT~1\ETRUST~1\ETRUST~1\VETTRAY.EXE
O4 - HKLM\..\Run: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /waitservice
O4 - HKLM\..\RunServices: [Outpost Firewall] C:\PROGRAM FILES\AGNITUM\OUTPOST FIREWALL 1.0\OUTPOST.EXE /service
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [CAISafe] C:\Program Files\Computer Associates\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Instant Messenger (SM) (HKLM)
O16 - DPF: {DC840BE3-16D9-11D0-BA39-00C04FDDB4CD} (Conveyer Control) - http://cdm.microsoft...9/conveyer1.cab
O16 - DPF: {F72A7B0E-0DD8-11D1-BD6E-00AA00B92AF1} (IE Active Setup Control) - http://www.microsoft...df/setupctl.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macr...ector/swdir.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.mac...ash/swflash.cab
O16 - DPF: {F5131C24-E56D-11CF-B78A-444553540000} (Ikonic Menu Control) - http://activex.micro...eb/ikcntrls.cab
O16 - DPF: {BD1F006E-174F-11D2-95C0-00C04F9A8CFA} (SurveyCtl Class) - http://activex.micro...ards/Survey.cab
O16 - DPF: {0A8CA450-22B9-11d2-A507-00805F8A7AC4} (Netscape TuneUp for IE) - ftp://ftp.netscape.com/pub/communicator/s...t/ie/tuneup.cab
O16 - DPF: {8FBFE5FF-5E98-11D3-80AF-00C04FCFBC72} (SurveyCtl35 Class) - http://activex.micro...izards/sw35.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecureca...l/java/RntX.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yaho...talls/yinst.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com...ex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7865.2444444444
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone-de...s/GSManager.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate....nloads/outc.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab

i'm thinkin we have gotten it licked now!

question,
these two items:
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab

to my knowledge, this audio conferencing stuff isn't used, or do i have the microphone, or camera, or anything else to do audio conferencing.
can it be canned???

once again, thank you for your outstanding efforts!


steve st.

[ditto]

question,
these two items:
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab

to my knowledge, this audio conferencing stuff isn't used, or do i have the microphone, or camera, or anything else to do audio conferencing.
can it be canned???

yes it can be.

[steve st]

sweet !

looks like we are living large now, no signs of any garbage left on my machine.

many, many thanks for your help, and quick precise responses.


while i have your attention, perhaps you can share some info on this issue.
the people at CA are really of no help.
at start up, EZ anti virus gives me this error:

Network Test Failed!
EZ Antivirus has found a problem with your networking. It appears that a simple networking test has failed. This could mean that you may experience problems with network connectivity or email. The cause is most likely a Layered Service Provider (LSP) conflict or other LSP related problem. Please click here for details on what to do next.

click here sends you to this page:

Networking Conflict Detected!


EZ Antivirus has detected a conflict with your networking. This is most likely due to the presence of one or more LSPs installed on your system. LSPs (or Layered Service Providers) interface with a component of Windows' networking service, known as Winsock. They are generally responsible for intercepting networking data. Although many legitimate programs use LSP's, it is common for Spyware and Adware programs to use them in a malicious manner.



EZ Antivirus' email scanning component (ISafe) relies on the use of LPS's to function. If another program is using LSPs, it may conflict with the ISafe's LSP's causing the loss of Internet, email and other network connectivity. The conflict may arise if the existing LSP is corrupted, or poorly written. Although the conflict is not a fault in the ISafe LSP, it is currently recommended you disable EZ Antivirus' email scanning to restore your networking functionality. To do this, follow the procedure below:

Open EZ Antivirus and select OPTIONS | REAL-TIME PROTECTION.

Un-tick the boxed marked 'Enable Real-Time Email Monitor'.

Restart the computer for the changes to take effect.

It should be noted that during the time you have disabled the email monitor, your email will not be scanned during delivery, however, it will be scanned by EZ Antivirus' real-time file monitor when an attempt to open the email attachment is made.


What should I do?

It is advised that you complete the following procedure to attempt to resolve the conflict with EZ Antivirus' email scanning component.

As there are several legitimate programs using LSP's you may not know if the LSP we have detected is going to cause problems. Therefore, it is advised that you check your list of installed programs, and remove any irregular or dubious programs that you don't recognize to be software you have purposely installed. To check the installed programs on your system click:


START | SETTINGS | CONTROL PANEL. Then Double click the 'Add Remove Programs' icon.


Once you have removed any suspicious or dubious programs, you should enable the email monitor using the real-time protection dialog mentioned above, then restart the computer to see if you get this warning again.

If the startup warning appears again:

Download and install a common Adware/Spyware detection utility and scan your system for known Adware and Spyware programs. Although My-eTrust cannot individually promote or take responsibility for the use of Adware/Spyware detection utilities, it is recommended that you run a utility to detect and remove any Adware or Spyware on your system. These types of programs can easily be found on common shareware websites such as http://www.download.com

Check our list of programs we have compiled which are known to use LSPs. If you have any of these programs installed, try uninstalling these programs prior to installing EZ Antivirus . If the uninstallation results in normal functionality report the conflict to the software vendor.
Still have problems?

If at any stage you appear to be in a situation where you have lost Internet, email and other networking functionality, please disable the real-time email monitor as described above. You can then contact support to discuss the issue further.

Help us help you:

If you have identified a program which is causing a conflict with EZ Antivirus' ISafe LSP's, please report the program to us to help us maintain and compile our list of known conflicting programs.

now, this has not caused any problems, e-mail, and internet connection is OK.
when i ask support about what i should try to do to correct this, they just sent me back to the page above, even after i told them in my mail that i checked through all that.
any ideas??

thanks!

steve st.

[Kat]

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.