[la2jax]

Please help. I have followed all recommendations: Spybot, AdAware, MS AntiSpyware, MS Windows Update. I have run them all numerous times (except Update), and re-booted each time. I continue to get regular pop-ups and the "Search the Web" toolbar pop-up. Every time I run AntiSpyware I discover "iSearch" and "ShopatHome". AdAware keeps discovering Sah Agent. AntiSpyware blocks "pinmdlg.exe" and "Apropos Media" every so often. When I re-boot, "hpdll.exe" has to be shut down manually at times.
Thanks in advance!!
Dave


Logfile of HijackThis v1.99.0
Scan saved at 3:15:50 PM, on 2/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\wanmpsvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\apvdlkzp\apvdlkzp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\hpdll\hpdll.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\System32\vmss\vmss.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\gah95on6.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\sysmonnt.exe
C:\Documents and Settings\DJC\Application Data\eetu.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\l?a**.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\gahimg.exe
C:\WINDOWS\System32\gpkvoica.exe
C:\Program Files\CxtPls\CxtPls.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll
O2 - BHO: (no name) - {174119A7-FF58-40E1-8A20-EFFC36AA73CD} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: SDWin32 Class - {3B09BA27-5CD9-49AF-84FB-93EC7BADBFE8} - C:\WINDOWS\System32\jouxp.dll
O2 - BHO: (no name) - {4D6EE2BE-CAED-49CF-BEC8-BD507C69C966} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {584E8661-69AE-3A7E-83D4-6034E254EFE7} - C:\WINDOWS\System32\ropv.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5CC1C8EF-95BE-43F7-A3F5-4F5745385074} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: SDWin32 Class - {67B3C7A8-0C3B-4819-AF5A-84CC856B7A51} - C:\WINDOWS\System32\nvpkq.dll
O2 - BHO: (no name) - {72D89985-09BA-4497-BF35-0ED420969EE1} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {8C0F771F-3123-CCA1-0666-C5F91B9390B9} - (no file)
O2 - BHO: (no name) - {A9CE60F7-2182-4E58-BCB7-E732D342CA93} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {C68268C4-D0FF-40E6-A332-93DD6A059518} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\COMPAQ DESKTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P22 "\\COMPAQ DESKTOP\EPSON" /O22 "\\COMPAQ DESKTOP\EPSON" /M "Stylus CX5400"
O4 - HKLM\..\Run: [apvdlkzp] C:\Program Files\apvdlkzp\apvdlkzp.exe
O4 - HKLM\..\Run: [texbmzht] c:\windows\system32\texbmzht.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [u7ES39l] gpkvoica.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fwx2RVJ9l] gahimg.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\DJC\Application Data\eetu.exe
O4 - HKCU\..\Run: [Hdz] C:\WINDOWS\System32\l?a**.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[Advertisements]

Hi la2jax

You've certainly got some problems. Please disable System Restore. Right click the My Computer icon on the Desktop > Properties > System Restore tab. Put a tick in the box "Turn off System Restore on all drives". You can re-enable it when the system is cleaned up.

Right click the Microsoft Antispyware icon in the system tray and exit/shutdown the monitoring program. It will restart when you reboot later on. Real time monitoring programs can interfere with the removal process.

Download CWShredder from here http://www.geekstogo...action=cat&id=3 Don't use it yet.

Download and install the trial version of The Cleaner and updates from here http://www.moosoft.com Don't use it yet.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the deletions when you are not connected to the internet and when working in Safe Mode.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find this process in the list, select it and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

apvdlkzp.exe
hpdll.exe
desktop.exe
vmss.exe
gah95on6.exe
sysmonnt.exe bad
eetu.exe
AutoUpdate.exe
gahimg.exe
gpkvoica.exe
CxtPls.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, MSN messenger, ICQ and anything else that is not essential and click on Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll O2 - BHO: (no name) - {174119A7-FF58-40E1-8A20-EFFC36AA73CD} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: SDWin32 Class - {3B09BA27-5CD9-49AF-84FB-93EC7BADBFE8} - C:\WINDOWS\System32\jouxp.dll
O2 - BHO: (no name) - {4D6EE2BE-CAED-49CF-BEC8-BD507C69C966} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {584E8661-69AE-3A7E-83D4-6034E254EFE7} - C:\WINDOWS\System32\ropv.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5CC1C8EF-95BE-43F7-A3F5-4F5745385074} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: SDWin32 Class - {67B3C7A8-0C3B-4819-AF5A-84CC856B7A51} - C:\WINDOWS\System32\nvpkq.dll
O2 - BHO: (no name) - {72D89985-09BA-4497-BF35-0ED420969EE1} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {8C0F771F-3123-CCA1-0666-C5F91B9390B9} - (no file)
O2 - BHO: (no name) - {A9CE60F7-2182-4E58-BCB7-E732D342CA93} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {C68268C4-D0FF-40E6-A332-93DD6A059518} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O4 - HKLM\..\Run: [apvdlkzp] C:\Program Files\apvdlkzp\apvdlkzp.exe
O4 - HKLM\..\Run: [texbmzht] c:\windows\system32\texbmzht.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [u7ES39l] gpkvoica.exe
O4 - HKCU\..\Run: [fwx2RVJ9l] gahimg.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\DJC\Application Data\eetu.exe
O4 - HKCU\..\Run: [Hdz] C:\WINDOWS\System32\l?a**.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Open Control Panel and go to Add/Remove Programs.
Uninstall these programs if listed
AproposClient
CxtPls

Open Windows Explorer and go to > Tools> Folder Options> View, select:*Show hidden files and folders
*Display the contents of system folders
Uncheck:*Hide protected operating system files
Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:*Search System folders
*Search Hidden Files and folders
*Search SubFolders
Delete all the files and folders noted in bold below. Some may not still be there but use the search function in Windows Explorer to make sure.

Go to "Find all Files and Folders". Copy and paste this file name into the "All or Part of a File Name" and Select "Local Hard Drives" in the drop-down box. Delete each instance of it that is found.


C:\Program Files\CxtPls\cxtpls.dll - Delete entire folder
C:\Program Files\apvdlkzp\apvdlkzp.dll - Delete entire folder
C:\Program Files\hpdll\hpdll.exe - Delete entire folder
C:\WINDOWS\isrvs\desktop.exe - Delete entire folder
C:\WINDOWS\System32\vmss\vmss.exe - Delete entire folder
C:\Program Files\Windows AdStatus\WinStat.exe - Delete entire folder
C:\Program Files\AutoUpdate\AutoUpdate.exe - Delete entire folder
C:\WINDOWS\System32\jouxp.dll - file only
C:\WINDOWS\System32\ropv.dll - file only
C:\WINDOWS\System32\nvpkq.dll - file only
c:\windows\system32\texbmzht.exe - file only
C:\WINDOWS\System32\exp.exe - file only
C:\WINDOWS\System32\gah95on6.exe - file only
C:\WINDOWS\System32\sysmonnt - file only
C:\Documents and Settings\DJC\Application Data\eetu.exe - file only
gpkvoica.exe - Use the search function to find this and delete all instances
gahimg.exe - Use the search function to find this and delete all instances

C:\Documents and Settings\<user name>\Local Settings\Temp\ - Delete all the files in this folder for each user if there is more than one user.

Run CWShredder - twice - it may not find anything

Reboot into Normal Mode.

Open Notepad, and copy the lines in red into a new text file. Go to File> Save As > Call it FindFile.bat. Save it to your Desktop.


dir C:\WINDOWS\System32\l?a**.exe /a h > files.txt
notepad files.txt

Double click the FindFile.bat on your Desktop. It will open Notepad with some text in it. Please copy and paste all the text in your next post.

Do an online Virus scan here http://housecall.trendmicro.com Let it fix anything it finds and reboot if required.

Do a full scan with The Cleaner. Let it fix anything it finds and reboot if required.

Do a new HijackThis log and post it AND the text from Findfile.bat so we can check it.

[ilago]

Hi la2jax

You've certainly got some problems. Please disable System Restore. Right click the My Computer icon on the Desktop > Properties > System Restore tab. Put a tick in the box "Turn off System Restore on all drives". You can re-enable it when the system is cleaned up.

Right click the Microsoft Antispyware icon in the system tray and exit/shutdown the monitoring program. It will restart when you reboot later on. Real time monitoring programs can interfere with the removal process.

Download CWShredder from here http://www.geekstogo...action=cat&id=3 Don't use it yet.

Download and install the trial version of The Cleaner and updates from here http://www.moosoft.com Don't use it yet.

You may need to print this out or copy and paste into a Notepad file so you can keep track of the deletions when you are not connected to the internet and when working in Safe Mode.

Open HijackThis and click on "Open Misc Tools Section" and "Open Process Manager"

Find this process in the list, select it and click on "Kill Process". Read the name very carefully as there may be some names that are similar but that are genuine files.

apvdlkzp.exe
hpdll.exe
desktop.exe
vmss.exe
gah95on6.exe
sysmonnt.exe bad
eetu.exe
AutoUpdate.exe
gahimg.exe
gpkvoica.exe
CxtPls.exe

Then click on Back which will open the HijackThis Scan Screen. Click on Scan. When the scan is complete check all the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, MSN messenger, ICQ and anything else that is not essential and click on Fix checked.

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsear...sidesearch.html
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll O2 - BHO: (no name) - {174119A7-FF58-40E1-8A20-EFFC36AA73CD} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: SDWin32 Class - {3B09BA27-5CD9-49AF-84FB-93EC7BADBFE8} - C:\WINDOWS\System32\jouxp.dll
O2 - BHO: (no name) - {4D6EE2BE-CAED-49CF-BEC8-BD507C69C966} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {584E8661-69AE-3A7E-83D4-6034E254EFE7} - C:\WINDOWS\System32\ropv.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {5CC1C8EF-95BE-43F7-A3F5-4F5745385074} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: SDWin32 Class - {67B3C7A8-0C3B-4819-AF5A-84CC856B7A51} - C:\WINDOWS\System32\nvpkq.dll
O2 - BHO: (no name) - {72D89985-09BA-4497-BF35-0ED420969EE1} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {8C0F771F-3123-CCA1-0666-C5F91B9390B9} - (no file)
O2 - BHO: (no name) - {A9CE60F7-2182-4E58-BCB7-E732D342CA93} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O2 - BHO: (no name) - {C68268C4-D0FF-40E6-A332-93DD6A059518} - C:\Program Files\apvdlkzp\apvdlkzp.dll
O4 - HKLM\..\Run: [apvdlkzp] C:\Program Files\apvdlkzp\apvdlkzp.exe
O4 - HKLM\..\Run: [texbmzht] c:\windows\system32\texbmzht.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [HPNT] C:\Program Files\hpdll\hpdll.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [vmss] C:\WINDOWS\System32\vmss\vmss.exe
O4 - HKLM\..\Run: [Windows AdStatus] C:\Program Files\Windows AdStatus\WinStat.exe
O4 - HKLM\..\Run: [gah95on6] C:\WINDOWS\System32\gah95on6.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [u7ES39l] gpkvoica.exe
O4 - HKCU\..\Run: [fwx2RVJ9l] gahimg.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\System32\sysmonnt
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\DJC\Application Data\eetu.exe
O4 - HKCU\..\Run: [Hdz] C:\WINDOWS\System32\l?a**.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking.

Open Control Panel and go to Add/Remove Programs.
Uninstall these programs if listed
AproposClient
CxtPls

Open Windows Explorer and go to > Tools> Folder Options> View, select:*Show hidden files and folders
*Display the contents of system folders
Uncheck:*Hide protected operating system files
Set search options
Next go to Search > All files and folders > More advanced options and click.

Be sure the first three boxes are selected:*Search System folders
*Search Hidden Files and folders
*Search SubFolders
Delete all the files and folders noted in bold below. Some may not still be there but use the search function in Windows Explorer to make sure.

Go to "Find all Files and Folders". Copy and paste this file name into the "All or Part of a File Name" and Select "Local Hard Drives" in the drop-down box. Delete each instance of it that is found.


C:\Program Files\CxtPls\cxtpls.dll - Delete entire folder
C:\Program Files\apvdlkzp\apvdlkzp.dll - Delete entire folder
C:\Program Files\hpdll\hpdll.exe - Delete entire folder
C:\WINDOWS\isrvs\desktop.exe - Delete entire folder
C:\WINDOWS\System32\vmss\vmss.exe - Delete entire folder
C:\Program Files\Windows AdStatus\WinStat.exe - Delete entire folder
C:\Program Files\AutoUpdate\AutoUpdate.exe - Delete entire folder
C:\WINDOWS\System32\jouxp.dll - file only
C:\WINDOWS\System32\ropv.dll - file only
C:\WINDOWS\System32\nvpkq.dll - file only
c:\windows\system32\texbmzht.exe - file only
C:\WINDOWS\System32\exp.exe - file only
C:\WINDOWS\System32\gah95on6.exe - file only
C:\WINDOWS\System32\sysmonnt - file only
C:\Documents and Settings\DJC\Application Data\eetu.exe - file only
gpkvoica.exe - Use the search function to find this and delete all instances
gahimg.exe - Use the search function to find this and delete all instances

C:\Documents and Settings\<user name>\Local Settings\Temp\ - Delete all the files in this folder for each user if there is more than one user.

Run CWShredder - twice - it may not find anything

Reboot into Normal Mode.

Open Notepad, and copy the lines in red into a new text file. Go to File> Save As > Call it FindFile.bat. Save it to your Desktop.


dir C:\WINDOWS\System32\l?a**.exe /a h > files.txt
notepad files.txt

Double click the FindFile.bat on your Desktop. It will open Notepad with some text in it. Please copy and paste all the text in your next post.

Do an online Virus scan here http://housecall.trendmicro.com Let it fix anything it finds and reboot if required.

Do a full scan with The Cleaner. Let it fix anything it finds and reboot if required.

Do a new HijackThis log and post it AND the text from Findfile.bat so we can check it.

[la2jax]

I've done everything that you suggested. Here are the logs:

Volume in drive C has no label.
Volume Serial Number is 7085-2A2A

Directory of C:\WINDOWS\System32

08/29/2002 05:00 AM 11,776 LSASS.EXE
1 File(s) 11,776 bytes

Directory of C:\Documents and Settings\DJC\Desktop




Logfile of HijackThis v1.99.0
Scan saved at 6:49:25 AM, on 2/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\RegSrvc.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\The Cleaner\tcm.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Downloads\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8C0F771F-3123-CCA1-0666-C5F91B9390B9} - (no file)
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [\\COMPAQ DESKTOP\EPSON] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE /P22 "\\COMPAQ DESKTOP\EPSON" /O22 "\\COMPAQ DESKTOP\EPSON" /M "Stylus CX5400"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Intel NCS NetService - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe




Thanks!!!!!!!

[ilago]

Hi la2jax

Just a couple of things left.

Open Hijack and Do System Scan only. Check the following items. Then disconnect from the internet and close all open windows including this browser window and all instant messaging - Yahoo messenger, MSN messenger, ICQ and anything else that is not essential and click on Fix checked.

O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {8C0F771F-3123-CCA1-0666-C5F91B9390B9} - (no file)
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
ffisearch.exe

Reboot into Safe Mode by continually tapping the F8 key as soon as the computer starts to boot up - after the beep. When the Windows XP Safe Mode menu comes up - Choose Safe Mode. You don't need any networking. You should still have all your settings in windows explorer as before.

Delete this folder
C:\WINDOWS\isrvs Delete this folder

Reboot into normal mode and do a new HijackThis log for a check.

[SaiKrish]

Sometimes simple things will solve the problem rather than diagnosing things in detail. As for this gah95on6 problem, first thing to do is to have a peep at the regular Add/Remove programs. If anything unrelated to our operation, business, should be deleted. For example, I have found a program called ShopAtHome which was throwing lot of critical objects at AdAware scans and probably the gah95on6.exe when it was removed with some password it provides, the file was not loaded in memory the critical objects number drastically went down.

Secondly if anything is in C:\temp folder we have to peep and remove.

Interesting thing is the only programme the above adware affected was FREECELL game which was creating problem. But once gah95on6 was removed FREECELL started working fine.

So we may look out for available simple solutions first