Things went south today, Excal. I've spent about 12 hours on this thing this weekend...I had to use IE to download Windows updates (or so it said...it would NOT do it in Netscape). I tried to download SP2, but the PC just kept hanging up and dying. It said your hotlink was not a valid site, but I finally manually got to Windows Update by going through the windows.com site and navigating. Finally, it allowed me to do a quick update and downloaded three pieces of software, but SP2 wasn't even on the list. I have not been able to find any menu that will let me select SP2 --- but when I look in Add/Remove Programs, I see lots of Hotfix files with SP2 on them -- do you think I have SP2 already? Then I ran Spybot and AdAware...and they found like 230 items...Spybot found Advertising.com, Avenue A, DoubleClick, EffectiveBandToolbar, ValueClick, FastClick, etc. Adaware found 180Solutions, BargainBuddy, ClearSearch, DyFuCa, Possible Browser Hijack attempt, SahAgent, Windows, WinUpdate, VX2, etc. It has gotten worse and worse through the day - even with Netscape. I ran Spybot and Adaware about 5 times each today and tried to keep saving the logs, so I do have several of them. The PC said it encountered errors and it was doing a "System Shutdown" several times. The browsers encountered fatal errors and shut down over and over again. I've seen messages that "nail.exe is not a valid application" and also several dialog boxes about something called "sock.exe". The errors occurred mostly when I was in IE, but also in Netscape and also when I was not on the Web at all. No matter what I do, these spyware programs keep coming back --- it's mostly the same programs over and over, but again, Spybot is supposed to be immunizing against them, but they get in undetected time and time again... I think the IE thing allowed it to go hook up to a site and rebuild itself again this weekend, because it's as bad as it was in the beginning again...
I also tried to download Firefox using Netscape, but it's just way too slow. I waited over a half an hour and it just sat there, but it says there is data going in and out... For what it's worth, Excal - here is my HJT log from about 20 minutes ago.
Logfile of HijackThis v1.99.1
Scan saved at 9:52:27 PM, on 8/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SM1BG.EXE
C:\windows\sp2update.exe
C:\WINDOWS\System32\qng84ho8.exe
C:\WINDOWS\System32\winssh.exe
C:\windows\system\xpsp2.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\PackethSvc.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\MMDiag.exe
C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
C:\desktop\ewido\security suite\ewidoctrl.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mim.exe
C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
c:\windows\system32\meeyakv.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\BVR\aurareco.exe
C:\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http:/www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.yahoo.com"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Owner\Application Data\Mozilla\Profiles\default\zjx0h2km.slt\prefs.js)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [MimBoot] C:\Program Files\MusicMatch\MusicMatch Jukebox\mimboot.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [sp2update] C:\windows\sp2update.exe
O4 - HKLM\..\Run: [qng84ho8] C:\WINDOWS\System32\qng84ho8.exe
O4 - HKLM\..\Run: [Network Access] winssh.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler] C:\windows\system\xpsp2.exe
O4 - HKLM\..\Run: [iecqde] c:\windows\system32\meeyakv.exe r
O4 - HKLM\..\RunServices: [Network Access] winssh.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .qt: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://www.lavasoft.de
O15 - Trusted Zone: http://www.pandasoftware.com
O15 - Trusted Zone: http://*.windowsupdate.com
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0DC0D258-FC70-456F-8F79-83D7DC20F0AC} (MPChWrapper.Util) - http://instantsuppor...MPChWrapper.CAB
O16 - DPF: {17D72920-7A15-11D4-921E-0080C8DA7A5E} (AimSp32 Class) - http://makeover.subs...ve/makeover.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123443159578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1123438002984
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon....3.1/ttinst.cab
O16 - DPF: {FC67BB52-AAB6-4282-9D51-2DAFFE73AFD0} - http://download.spys...rCabInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D914E769-35D4-4FE0-BE77-36EEFB10E0C5}: NameServer = 198.6.100.140 198.6.1.140
O23 - Service: AOL Instant Messanger (AIM) - Unknown owner - C:\WINDOWS\aim.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\ewido\security suite\ewidoctrl.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\mcshield.exe
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Virtual NIC Service (PackethSvc) - America Online, Inc. - C:\WINDOWS\System32\PackethSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
I have another two days and then I will be out of town for 10 days...hopefully you will stay with me and beat this thing. It will probably give me a chance to cool down for a few days anyway. Let me know what you think.
Thanks SO much,
Dimmae