in desperation to remove 2nd thought



#1
elevatinglight

  • Member
  • 16 posts
Hello

I am so happy to have come across your site. You look like my last hope...

I've been infected with 2nd thought and have researched its removal and have deleted some of the file folders that I've learned 2nd thought is responsible for, ran PC scans with some popular spyware detectors: adaware, spysweeper, spybot, pandasoft... and yet still--2nd thought is terrorizing my soul... :D

I downloaded HijackThis... but I did something really bad. <I'm sorry! :D> I deleted an entry without posting my log or asking you first! :o

Attached is my log. The one entry I already deleted (which is listed on the log) is: O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe

I'm so sorry for taking it upon myself to remove it! 2nd thought still pops up after I try to open Windows Media Player. My ZoneAlarm Pro requests my permission for " TODO:file description" whether I give permission or deny it... 2nd thought asks to be installed!!! Please forgive me and take a look at my log. Your immediate consideration and help will be most appreciated! :P

P.S. I know I got some other garbage on my PC, I would appreciate you informing me of other stuff on there that I should remove in addition to 2nd thought. I'm so excited, I think you guys can help me!!! <_<

Regards,

Vee

Logfile of HijackThis v1.98.2
Scan saved at 6:00:09 PM, on 11/23/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\vaida\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [odbccp32] C:\WINDOWS\System32\odbccp32.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.albasoul....081/java/cr.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.s...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...4/pool/pool.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned35.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\SSPNG.DLL
  • 0

#2
admin

  • Founder Geek
  • Administrator
  • 24,504 posts
Hi vee, and welcome to Geeks to Go.

We can definitely help you, but first you need to help us. The first step in this process is to apply Service Pack 1a for Windows XP. Without this update, you're wide open to re-infection, and we're both just wasting our time.
Click here: http://www.microsoft...p1/default.mspx
Apply the update, reboot, and post a fresh Hijack This log.
  • 0

#3
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
HI!

Okay, I'm about to download the Service Pack 1a. But there's a problem. I've been trying to download and install it for weeks, and it always fails... I do the troubleshooting like Microsoft suggests but no success. I should inform you that there's something else seriously wrong with my computer: months ago my system restore calendar disappeared. Poof! Just like that. I think it was due to another virus I had long ago, I don't know, but I tried everything. System restore is turned on indeed, but the calendar (the box where you are supposed to click the date of the system restore points) is not there. It's blank. And I can't create a restore point either. This is probably an entire new topic on the forum, and I understand it's best to tackle one problem at a time, but I thought this would be important for you to know regarding my inability to install the Service Pack 1a. But I'm about to try to download it again as soon as I finish this reply. I hope it successfully installs (crosses fingers). I don't expect a reply from you regarding this information (unless you can tell me something pertinent to it) until I let you know if I successfully install Service Pack 1a and submit a fresh HijackThis log. Okay, I'm off to download the service pack... I'll post in a bit.

P.S. I'm relieved to hear from you, and your confidence in helping me with this 2nd thought removal has excited me <_< Thank you. Blessed be thee.

Regards,
Vee
  • 0

#4
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
Hello,

I tried downloading the Service Pack 1a but I had no success. I spoke to the guys at Microsoft and they can't help me with the problem either at this time. They are sending me the service pack on a CD-ROM in hopes that I will be able to install it from there.

I understand in your last post, you made it clear that trying to fix my initial problem with the 2nd thought trojan and any other viruses I may have is useless unless I install the service pack... but I do hope, considering my catch-22, that you'll at least attempt to help me repair at this point in time... until I can look into the problem with installing updates further.

Please let me know your consensus. I will understand if you choose not to instruct me what to do at this point, after all you are the knowledgeable one, but I sincerely hope you'll at least consider it. I'm doing a social science research project, and a large part of my research comes from a few interviews online which I can only open with Windows Media Player. So... I request your help to at least give me a temporary fix, even if it's likely that I will be reinfected in the future. I promise to look further into it and finally install Service Pack 1a. Your response is much appreciated. Thank you.

Regards,
Vee

p.s. Happy Thanksgiving
  • 0

#5
admin

  • Founder Geek
  • Administrator
  • 24,504 posts
Happy Thanksgiving! This is a pretty strict rule of ours, but you make a convincing argument, so I'm giving you a pass. <_<

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [odbccp32] C:\WINDOWS\System32\odbccp32.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\WINDOWS\System32\version.exe
C:\Program Files\Viewpoint\Viewpoint Manager <- this folder
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\odbccp32.exe

Reboot your PC.

If you would please, rescan with HijackThis and post a fresh log in this same topic, and let us know how your system's working. :D
  • 0
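
The check implied by the post above (fix the listed entries, delete the files, rescan and post a fresh log), as an added example that is not part of the original thread: a small Python parser for HijackThis text logs that diffs two scans and reports any fix-list entry or to-be-deleted path that still shows up. The log lines are short excerpts constructed from the logs in this thread, and all function names are hypothetical.

```python
import re
from typing import NamedTuple

class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. R1, O4, O16, O18
    text: str  # everything after "CODE - "

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")

def norm(s):
    # Windows paths and registry names are case-insensitive; collapse spacing too.
    return " ".join(s.split()).casefold()

def parse_log(text):
    """Return (running_processes, entries) from a HijackThis text log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line ends the process list
            in_procs = False
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2).strip()))
        elif in_procs:
            processes.append(line)
    return processes, entries

def keyset(entries):
    return {(e.code, norm(e.text)) for e in entries}

def diff_logs(before, after):
    """Entries that disappeared / appeared between two scans, in log order."""
    b, a = keyset(before), keyset(after)
    removed = [e for e in before if (e.code, norm(e.text)) not in a]
    added = [e for e in after if (e.code, norm(e.text)) not in b]
    return removed, added

def unresolved(fix_list, after):
    """Entries the helper asked to fix that the follow-up scan still lists."""
    a = keyset(after)
    return [e for e in fix_list if (e.code, norm(e.text)) in a]

def still_referenced(paths, processes, entries):
    """Paths slated for deletion that a process or log entry still names."""
    hay = [norm(p) for p in processes] + [norm(e.text) for e in entries]
    return [p for p in paths if any(norm(p) in h for h in hay)]

# Constructed excerpts (a few lines each) taken from the logs in this thread.
BEFORE = r"""
Logfile of HijackThis v1.98.2
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [odbccp32] C:\WINDOWS\System32\odbccp32.exe
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\SSPNG.DLL
"""

AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\SSPNG.DLL
"""

# Subset of the "fix checked" list and the safe-mode delete list from the post.
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [odbccp32] C:\WINDOWS\System32\odbccp32.exe
"""
DELETE_PATHS = [
    r"C:\WINDOWS\System32\version.exe",
    r"C:\Program Files\Viewpoint\Viewpoint Manager",
    r"C:\WINDOWS\System32\stcloader.exe",
    r"C:\WINDOWS\System32\odbccp32.exe",
]

if __name__ == "__main__":
    _, before = parse_log(BEFORE)
    procs_after, after = parse_log(AFTER)
    _, fixes = parse_log(FIX_LIST)
    removed, added = diff_logs(before, after)
    for e in removed:
        print("removed:", e.code, e.text)
    for e in added:
        print("added:  ", e.code, e.text)
    print("fix-list entries still present:", unresolved(fixes, after))
    print("delete-list paths still referenced:",
          still_referenced(DELETE_PATHS, procs_after, after))
```

A clean result only shows that the autostart references are gone from the log; it does not show that the files themselves were deleted from disk.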

#6
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
Hi!

Thanks a million for going ahead with me. Below is my fresh log. I should let you know, in following your instructions in safe mode, the files you told me to remove were not present:
C:\WINDOWS\System32\version.exe
C:\Program Files\Viewpoint\Viewpoint Manager <- this folder
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\odbccp32.exe

But wait just a minute... perhaps I really didn't understand what you meant by remove these files...? This is what I did: I booted my computer into Safe Mode and then I went to Start, then I went to Run --- then I typed msconfig and looked at the startup tab. And that's where I looked for these files. Is that what I was supposed to do? <_< Well, they weren't there.

Maybe you wanted me to open these files from the My Computer folder?
So sorry... please explain again if I didn't do what you instructed me to do. Nevertheless, I tried opening Windows Media Player and 2nd thought asks to be installed again... :o

:D Please don't give up on me. I'm dying...

<more information below the log>


Logfile of HijackThis v1.98.2
Scan saved at 8:55:15 PM, on 11/27/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.albasoul....081/java/cr.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.s...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...4/pool/pool.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned35.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\SSPNG.DLL

One more thing:

In the startup tab there was a suspicious file there, that I unchecked months ago per the instruction of a Dell technician over the phone. The file in my startup tab is: dp_623011805 C:\Documents and Settings\Vaida\dp_623011805.exe

It's unchecked, which I suppose means it's not loading... but the file is still in my Documents and Settings folder. Could it be a virus?

More information: I told you in my first post that I don't have the ability to do a system restore, and that I thought it was a virus? Here is my virus history from Norton Antivirus--

I have multiple recurrences of these viruses since august 27th 2004:
aug 27 =A0033999.exe, astart.exe
sept 9 =A0033999.exe, astart.exe
sept 10 =A0033999.exe, astart.exe
sept 17 =A0033999.exe, astart.exe
sept 24 =A0033999.exe, astart.exe
oct 1 =A0033999.exe, astart.exe
oct 8 =A0033999.exe, astart.exe
oct 15 =A0033999.exe, astart.exe
oct 22 =A0033999.exe, astart.exe
oct 29 8:02:34 = odbccp32.exe
oct 29 8:02:35 = odbccp32.exe
oct 29 8:02:36 = odbccp32.exe
oct 29 8:03:16 =A0033999.exe
oct 29 8:03:22 =astart.exe
oct 30 6:32:59 =odbccp32.exe
oct 30 7:13:53 =A0077031.exe
nov 5 8:02:22 =A0033999.exe
nov 5 8:02_24 =astart.exe
nov 5 8:02:26 =A0077031
nov 5 8:02:28 =odbccp32.exe
nov 19 8:14:17 = A0033999.exe
nov 19 8:14:20 = astart.exe
nov 19 8:14:21 = A0077031.exe
nov 19 8:14:23 = odbccp32.exe
nov 20 12:23:32= mp_sys.exe
nov 20 3:04:40 = A0071932.exe
nov 24 4:34:37 = A0071932.exe
nov 24 4:35:01 = A0033999.exe
nov 24 4:35:01 = mp_sys.exe
nov 24 4:35:02 = astart.exe
nov 24 4:35:03 = A0077031.exe
nov 24 4:35:04 = odbccp32.exe

The original location for viruses A0033999.exe, A0071932.exe, A0071932.exe was: C:\System Volume Information\_restore{11B4CBBO-31BO-483C-A4FE...(etc

All others including mpsys.exe were in C:\Windows\System32

Isn't that first one my system restore folder? Could that be why I have no system restore? What do I do? I'm sure this is another post on the forum but I just wanted to inform you of all of this in case it is related to the 2nd thought spyware. Something odd I wanted to point out about my NAV log of these viruses: all are listed to clean the virus from file but the secondary action lists some of these as "leave alone (log only)" and others "quarantine infected file".

All viruses on the 24th of Nov were "left alone"
viruses on Nov 20th were "quarantined"
viruses on Nov 5th and 9th were "left alone"
viruses on Oct 30 were "quarantined"
viruses on August 27th to Oct 29th were "left alone"

And all are unable to be repaired every time I update my new virus definitions.

Is there a pattern here? And why is NAV choosing to take no action on some viruses and quarantine others --without me telling it to do so? How can I fix that?

Last point regarding this matter: the log file tells me that the location of all of these viruses is in quarantine except for: odbccp32.exe. This file still seems to be located in C:\windows\System32

OK my saving grace... perhaps I didn't do exactly what you told me to do, so I apologize for not strictly understanding your instructions :D but please don't give up on me :D Give me another try? :P

Regards,

Melancholy Vee
<sitting by anxiously awaiting your reply>
  • 0

#7
coachwife6

  • SuperStar
  • Retired Staff
  • 11,413 posts
"Thanks a million for going ahead with me. Below is my fresh log. I should let you know, in following your instructions in safe mode, the files you told me to remove were not present:
C:\WINDOWS\System32\version.exe
C:\Program Files\Viewpoint\Viewpoint Manager <- this folder
C:\WINDOWS\System32\stcloader.exe
C:\WINDOWS\System32\odbccp32.exe

But wait just a minute... perhaps I really didn't understand what you meant by remove these files...? This is what I did: I booted my computer into Safe Mode and then I went to Start, then I went to Run --- then I typed msconfig and looked at the startup tab. And that's where I looked for these files. Is that what I was supposed to do? <_< Well, they weren't there.

Maybe you wanted me to open these files from the My Computer folder?
So sorry..."

Go to My Computer >> Tools >> Folder Options >> View and make sure hidden files are showing and the hide protected operating systems is unchecked. Then do a search for the folders/files that admin asked you to delete.

Follow his instructions, clean out your temp. files and post a new log. <_<
  • 0

#8
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
Hi Coachwife, and ADMIN

Thanks for clearing that up for me! Much appreciated! (It was silly of me not to know to do that but I'm still learning.)

The file out of the four that I was instructed to delete, that I found present, was C:\Windows\system32\stcloader.exe. I deleted it and it's sitting in my recycle bin (don't know if I should empty it out or not).

And I also deleted the Viewpoint Manager folder in C:\Program Files\Viewpoint\Viewpoint Manager <---- this folder

Below is my fresh log and I still have sad news... 2nd thought still asks to be installed when I try to open Windows Media Player. I hope all the information regarding the viruses I found through NAV might point you in a further direction.

I'm scared. Please tell me your consensus. I beg that there is still hope for me.
<_<

Logfile of HijackThis v1.98.2
Scan saved at 5:08:09 PM, on 11/28/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PPMemCheck] "C:\Program Files\PestPatrol\PPMemCheck.exe"
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.albasoul....081/java/cr.cab
O16 - DPF: symsupportutil - https://www-secure.s...supportutil.CAB
O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.s...yog/y/fs9_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {2ED9BC2B-4DF1-472E-9B5E-55477D2C97F5} (Microsoft Data Collection Control) - https://support.micr...ActiveX/odc.cab
O16 - DPF: {33E54F7F-561C-49E6-929B-D7E76D3AFEB1} (Pool Control) - http://mirror.worldw...4/pool/pool.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.co...clean_micro.exe
O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldw...ared/dephlp.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://mirror.worldw...ed/wwlaunch.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instants...erxsigned35.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai...uditControl.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://dgl.microsoft...nloads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.s.../ActiveData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://mirror.worldw...ool/h2hpool.cab
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\SSPNG.DLL
  • 0

#9
admin

  • Founder Geek
  • Administrator
  • 24,504 posts
Your log is looking good. Are you able to install Windows Updates now?
  • 0

#10
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
Hi ADMIN!

Still unable to install Windows updates. I got another Microsoft technician on it and I'm following some generic steps but the generic is just about ready to close my case as he cannot figure out a solution.

2nd thought still loads :D What are you thinking?

<_< ,

Nervous Vee
  • 0

#11
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
I meant " *the technician* is about to close my case..."
  • 0

#12
admin

  • Founder Geek
  • Administrator
  • 24,504 posts
Missed one. :D (Thanks CoachWife6) <_<

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.
O18 - Protocol: sspng - {1E8068DE-05AD-11D4-ACC8-EF447469245E} - C:\Program Files\Internet Researcher\SSPNG.DLL

Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):
C:\Program Files\Internet Researcher <- this folder

Maybe you'll have better luck after that. :D
  • 0

#13
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
okie doke!

I'm right on it! MWAH! :P <kiss for the two of you!>
  • 0

#14
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
Hi there... :D

Me again.

Followed your instructions. Removed Internet Researcher. Tried opening Windows Media Player. And you know how the story goes... <_<

Dear Sir,

I have been filled with great appreciation towards you and this site of yours that you've dedicated to innocent people like me, who've been hijacked and terrorized by creeps like the guy that owns 2nd thought.

I'll be just about... devastated-- if this is it for me. I understand that there's only so much a computer geek can do, but I beg you not to leave me open-ended here. If you feel it's best tp was yoru hands of me at this point, then please kindly provide me with more instruction on who I can turn to for this issue. Is my last hope to wipe out my computer and start from scratch by reinstalling Windows XP? Or is that even an option for me? I have a feeling that won't fix my problem either... :D

Your generous sympathy and advice is requested. Thank you once again for coming this far with me, I'll never forget it.

Regards,

Vee

P.S. I stand awaiting your reply
  • 0

#15
elevatinglight

  • Topic Starter
  • Member
  • 16 posts
<_< typo

..."if you feel it's best to wash your hands of me..."

<i pray not>
  • 0





