Desperately seeking help....

[DoubleShimmer]

Can someone please help me. My dh downloaded 2 programs that came with abunch of garbage that is now stuck in my add/remove programs list. Can someone please take a look at my HJT lista nd tell me what I need to fix it.

Thank you VERY much inadvance.

Logfile of HijackThis v1.98.2
Scan saved at 3:24:06 AM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\WINDOWS\System32\rictract.exe
D:\Program Files\Warez P2P Client\Warez.exe
D:\WINDOWS\System32\robdmod.exe
D:\PROGRA~1\Web Offer\wo.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\WINDOWS\explorer.exe
D:\PROGRA~1\Lycos\IEagent\csAOLldr.exe
D:\PROGRA~1\Lycos\IEagent\csAOLldr.exe
D:\PROGRA~1\Lycos\IEagent\csAOLldr.exe
D:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
d:\windows\temp\f8X.exe
d:\windows\temp\xX6Dqz.exe
d:\windows\temp\SvPWxFOwg.exe
D:\Program Files\Common Files\WinTools\WToolsA.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HiJack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/mygroups
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://groups.msn.com/people?pgmarket=en-us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: HyperSearchHook - {6BBC3526-3C01-425D-9005-CB3BAA51DDB4} - D:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - D:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - D:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - D:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - D:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - D:\Documents and Settings\trevor\Local Settings\Temp\wvb8ZUeRh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [IBX] D:\windows\temp\IBX.exe
O4 - HKLM\..\Run: [jB2YEY80x] D:\windows\temp\jB2YEY80x.exe
O4 - HKLM\..\Run: [5FYYDGJ4M23#37] D:\WINDOWS\System32\Ubi05I5Y.exe
O4 - HKLM\..\Run: [o73V3tW] rictract.exe
O4 - HKLM\..\Run: [WinTools] D:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ClrSchLoader] D:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [f8X] d:\windows\temp\f8X.exe
O4 - HKLM\..\Run: [xX6Dqz] d:\windows\temp\xX6Dqz.exe
O4 - HKLM\..\Run: [SvPWxFOwg] d:\windows\temp\SvPWxFOwg.exe
O4 - HKLM\..\RunOnce: [AAW] "D:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\Warez.exe" -h
O4 - HKCU\..\Run: [Zws9Rja3Q] robdmod.exe
O4 - HKCU\..\Run: [eZWO] D:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &AOL Toolbar search - res://D:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - D:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - D:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yaho...st20040510.cab
O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

[Pancake]

Hi there...
You have the Peper virus so please get and run the Peper Fix. from my list and then run "Adaware" and "CWshreader" and then post a fresh log for a bit more cleaning..thanks

[tmbm]

boot into safe mode (tapping f8 at startup) and remove the following :

D:\WINDOWS\System32\robdmod.exe
D:\PROGRA~1\Web Offer\wo.exe
D:\PROGRA~1\Lycos\IEagent\csAOLldr.exe
D:\PROGRA~1\Lycos\IEagent\csAOLldr.exe
d:\windows\temp\f8X.exe
d:\windows\temp\xX6Dqz.exe
d:\windows\temp\SvPWxFOwg.exe
D:\Program Files\Common Files\WinTools\WToolsA.exe
D:\Program Files\Common Files\WinTools\WSup.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/mygroups
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://minisearch.startnow.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://minisearch.startnow.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://groups.msn.com/people?pgmarket=en-us
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: HyperSearchHook - {6BBC3526-3C01-425D-9005-CB3BAA51DDB4} - D:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: CSIECore Class - {00000000-0000-0000-0000-000000000221} - D:\PROGRA~1\Lycos\IEagent\CSIE.DLL
O2 - BHO: HyperBHO - {4B2F5308-2CB0-40E2-8030-59936ED5D22C} - D:\Program Files\Common Files\Hyperbar\Hyperbar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Search404 Class - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - D:\Program Files\404Search\404Search.dll (file missing)
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - D:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - D:\Documents and Settings\trevor\Local Settings\Temp\wvb8ZUeRh.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [IBX] D:\windows\temp\IBX.exe
O4 - HKLM\..\Run: [jB2YEY80x] D:\windows\temp\jB2YEY80x.exe
O4 - HKLM\..\Run: [5FYYDGJ4M23#37] D:\WINDOWS\System32\Ubi05I5Y.exe
O4 - HKLM\..\Run: [o73V3tW] rictract.exe
O4 - HKLM\..\Run: [WinTools] D:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [ClrSchLoader] D:\PROGRA~1\Lycos\IEagent\Loader.exe
O4 - HKLM\..\Run: [f8X] d:\windows\temp\f8X.exe
O4 - HKLM\..\Run: [xX6Dqz] d:\windows\temp\xX6Dqz.exe
O4 - HKLM\..\Run: [SvPWxFOwg] d:\windows\temp\SvPWxFOwg.exe
O4 - HKLM\..\RunOnce: [AAW] "D:\PROGRA~1\Lavasoft\AD-AWA~2\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [warez] "D:\Program Files\Warez P2P Client\Warez.exe" -h
O4 - HKCU\..\Run: [Zws9Rja3Q] robdmod.exe
O4 - HKCU\..\Run: [eZWO] D:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\spydoctor.exe" /Q
O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZNxdm414
O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - D:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - D:\WINDOWS\System32\ms.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yah...nst20040510.cab
O16 - DPF: {610FB8B8-2427-4375-BCF9-2F7AE17173A6} (Snapfish File Upload ActiveX Control) - http://www.snapfish.com/SnapfishUpload.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yah...utocomplete.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O2 - BHO: G1.GZ - {79C03BC5-6C55-4B5B-921F-C02B6F1ABD7B} - D:\DOCUME~1\ALLUSE~1\APPLIC~1\Pribi\Pribi.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - D:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O4 - HKLM\..\Run: [IBX] D:\windows\temp\IBX.exe
O4 - HKLM\..\Run: [jB2YEY80x] D:\windows\temp\jB2YEY80x.exe
O4 - HKLM\..\Run: [5FYYDGJ4M23#37] D:\WINDOWS\System32\Ubi05I5Y.exe
O4 - HKLM\..\Run: [o73V3tW] rictract.exe
O4 - HKLM\..\Run: [WinTools] D:\Program Files\Common Files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [f8X] d:\windows\temp\f8X.exe
O4 - HKLM\..\Run: [xX6Dqz] d:\windows\temp\xX6Dqz.exe
O4 - HKLM\..\Run: [SvPWxFOwg] d:\windows\temp\SvPWxFOwg.exe
O4 - HKCU\..\Run: [Zws9Rja3Q] robdmod.exe
O4 - HKCU\..\Run: [eZWO] D:\PROGRA~1\Web Offer\wo.exe

if you dont use AOL remove
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe



computer should run much better.

Run HTJ and post your results here

[DoubleShimmer]

Just so i don't do anything wrong should I do the peper fixer first or just run in safe mode and take those off?

[mike]

Hi DoubleShimmer ,

Good idead to double-check.

Delete Wintools from Add/Remove Programs. ( if present)

Run the Peper Remover, then CWShredder, then Adaware as per Pancake.


Empty TEMP folders before running Adaware:

Remove all the files and sub-folders from the below TEMP Folders:

D:\Documents and Settings\trevor\Local Settings\Temp\

D:\temp ( if present )

D:\windows\temp

The TIF ( Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files",
Also tick the "delete all offline content" box .


Reboot inbetween cleaners.

Post back a new HJT log , please.

Cheers

[DoubleShimmer]

Here is my new list after running the above instructions

Logfile of HijackThis v1.98.2
Scan saved at 12:01:00 PM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\windows\temp\IBX.exe
D:\windows\temp\jB2YEY80x.exe
D:\WINDOWS\System32\rictract.exe
D:\windows\temp\f8X.exe
D:\windows\temp\xX6Dqz.exe
D:\windows\temp\SvPWxFOwg.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\documents and settings\trevor\local settings\temp\L7OIEF.exe
D:\documents and settings\trevor\local settings\temp\5Fy2LLrcN.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\Program Files\Common Files\WinTools\WToolsS.exe
D:\documents and settings\trevor\local settings\temp\qdh.exe
D:\WINDOWS\System32\robdmod.exe
D:\PROGRA~1\ezula\mmod.exe
D:\Program Files\VBouncer\VirtualBouncer.exe
D:\Program Files\Common Files\WinTools\WSup.exe
D:\Program Files\ClearSearch\csAOLldr.exe
D:\PROGRA~1\WEBOFF~1\wo.exe
D:\Program Files\Common Files\WinTools\WToolsA.exe
D:\WINDOWS\explorer.exe
C:\Program Files\HiJack This\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://D:\PROGRA~1\Toolbar\toolbar.dll/sa
O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll
O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - D:\Program Files\SEP\sep.dll
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - D:\Documents and Settings\trevor\Local Settings\Temp\wvb8ZUeRh.dll
O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - D:\Program Files\SEP\sep.dll
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [L7OIEF] D:\documents and settings\trevor\local settings\temp\L7OIEF.exe
O4 - HKLM\..\Run: [5Fy2LLrcN] D:\documents and settings\trevor\local settings\temp\5Fy2LLrcN.exe
O4 - HKLM\..\Run: [qdh] D:\documents and settings\trevor\local settings\temp\qdh.exe
O4 - HKLM\..\Run: [Bakra] D:\WINDOWS\System32\IEHost.exe
O4 - HKLM\..\Run: [Pcsv] D:\WINDOWS\system32\pcs\pcsvc.exe
O4 - HKLM\..\Run: [Dpi] D:\Program Files\Common Files\Dpi\dpi.exe
O4 - HKLM\..\Run: [WinTools] D:\Program Files\Common Files\WinTools\WToolsA.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.co...1141040727.EXE
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)


Hopefully most of this is gone. When i open my IE I am still getting this little box that says "loading skin" and then my IE toolbar gets some kind of snowy scene on it. I don't want it to pop up anymore how can I remove this?
Thank you soooo much for everyone's help, I am eternally grateful!!

[mike]

Hi DoubleShimmer ,


Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key)

2.
Make sure you set windows to see Hidden files and Folders, Directions HERE

3.
Close ALL browser Windows, only have HijackThis running.
Check the boxes beside the below entries, then click on "Fix checked" .

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
res://D:\PROGRA~1\Toolbar\toolbar.dll/sa

O2 - BHO: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - D:\PROGRA~1\Toolbar\toolbar.dll

O2 - BHO: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - D:\Program Files\SEP\sep.dll

O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - D:\Documents and Settings\trevor\Local Settings\Temp\wvb8ZUeRh.dll

O3 - Toolbar: Band Class - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - D:\Program Files\SEP\sep.dll

O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - D:\PROGRA~1\Toolbar\toolbar.dll


O4 - HKLM\..\Run: [L7OIEF] D:\documents and settings\trevor\local settings\temp\L7OIEF.exe

O4 - HKLM\..\Run: [5Fy2LLrcN] D:\documents and settings\trevor\local settings\temp\5Fy2LLrcN.exe

O4 - HKLM\..\Run: [qdh] D:\documents and settings\trevor\local settings\temp\qdh.exe

O4 - HKLM\..\Run: [Bakra] D:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [Pcsv] D:\WINDOWS\system32\pcs\pcsvc.exe

O4 - HKLM\..\Run: [Dpi] D:\Program Files\Common Files\Dpi\dpi.exe

O4 - HKLM\..\Run: [WinTools] D:\Program Files\Common Files\WinTools\WToolsA.exe


O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44297DA} - http://bannerfarm.ace.advertising.c...r1141040727.EXE

O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - (no file)

Close HijackThis.

3.
Then delete the below files and Folders in Safe Mode:


D:\PROGRAM FIles\Toolbar <--- delete the Toolbar folder

D:\WINDOWS\System32\IEHost.exe <--- delete the file

D:\WINDOWS\system32\pcs <--- delete the pcs folder

D:\Program Files\Common Files\Dpi <--- delete the Dpi folder

D:\Program Files\Common Files\WinTools <--- delete the WinTools folder

Remove all the files and sub-folders from the below TEMP Folders:

D:\Documents and Settings\trevor\Local Settings\Temp\

D:\temp ( if present )

D:\windows\temp

The TIF ( Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files",
Also tick the "delete all offline content" box .

Reboot computer

What hasppened to Spybot S+D and Incredimail ,Google bar?
Did you remove what tmbm said.....

Cheers

[DoubleShimmer]

Yes I did do what tmbm said. Is his ok? I figured I can always redownload them if they are gone. I didn't have any problems with the puter till my dh decided to download 2 programs onto the computer 1. Ares and 2.Warez I guess they are some kind of p2p file sharing sites. I was against but can't tell him anything, LOL.

Thank you I am going to do what you have directed me to now. I just restarted and will let you see the HJT log from my reboot. here it is....

Logfile of HijackThis v1.98.2
Scan saved at 1:24:44 PM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\documents and settings\trevor\local settings\temp\L7OIEF.exe
D:\documents and settings\trevor\local settings\temp\5Fy2LLrcN.exe
D:\WINDOWS\system32\pcs\pcsvc.exe
C:\Program Files\HiJack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/MyGroups.msnw
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - D:\Documents and Settings\trevor\Local Settings\Temp\JkG.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [L7OIEF] D:\documents and settings\trevor\local settings\temp\L7OIEF.exe
O4 - HKLM\..\Run: [5Fy2LLrcN] D:\documents and settings\trevor\local settings\temp\5Fy2LLrcN.exe
O4 - HKLM\..\Run: [Pcsv] D:\WINDOWS\system32\pcs\pcsvc.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

I will soon return with a new log, lol.

[DoubleShimmer]

I did everything you said in the last post you left and here is my new log. I also made the hidden files visible like you said. I had a few files that I didn't find in some places so I'm assuming they are gone already. I will post the ones that weren't found after the HJT log.

Logfile of HijackThis v1.98.2
Scan saved at 2:00:05 PM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
C:\Program Files\HiJack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/MyGroups.msnw
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab


These are the files that were not found:

D:\PROGRAM FIles\Toolbar <--- delete the Toolbar folder

D:\WINDOWS\System32\IEHost.exe <--- delete the file

D:\WINDOWS\system32\pcs <--- delete the pcs folder

D:\Program Files\Common Files\WinTools <--- delete the WinTools folder

[mike]

Hi ,
Looking much better,

Download Ad-aware to finish cleaning up.
It is critical that you UPDATE Ad-aware, before scanning.
Ad-aware download HERE
and please read :HOW TO PERFORM A FULL SYSTEM SCAN With Ad-aware 6 Build 181
Remove all that Ad-aware finds.

Reboot computer and post back a new HJT log to this thread, please.

Cheers

[DoubleShimmer]

Ok here is my Ad-aware scan, then rebooted and ran HJT. Did I get it all? LOL


Here is my HJT log as of now.

Logfile of HijackThis v1.98.2
Scan saved at 6:20:40 PM, on 8/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
D:\Program Files\Real\RealPlayer\RealPlay.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
D:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\wanmpsvc.exe
C:\Program Files\HiJack This\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://groups.msn.com/MyGroups.msnw
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Update Detection] D:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [AOLDialer] D:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] D:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "D:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.0) -
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents...r/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab

[tmbm]

if you just did what i said it would of been alot quicker

[mike]

Hi DoubleShimmer ,

[q] from, tmbm:
if you just did what i said it would of been alot quicker[/q]

Heres what tmbm had you partly remove that needs to be restored....
Google Toolbar, Windows MediaPlayer Toolbar, Spybot S+D, Incredimail, Yahoo messenger,

My apologies, ..I should have edited his post.

If you want to restore them , you can use HijackThis.

Print the list below, open HijackThis, and click on "config"--> "Backups"
Look for and highlight each entry, then click "Restore".

( Or you can download and reinstall the above programs. )

Restore these:
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar3.dll

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: America Online 9.0 Tray Icon.lnk = D:\Program Files\America Online 9.0a\aoltray.exe

O8 - Extra context menu item: &Add animation to IncrediMail Style Box - D:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm

O8 - Extra context menu item: &Google Search - res://d:\program files\google\GoogleToolbar3.dll/cmsearch.html

O8 - Extra context menu item: Backward Links - res://d:\program files\google\GoogleToolbar3.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://d:\program files\google\GoogleToolbar3.dll/cmcache.html

O8 - Extra context menu item: Similar Pages - res://d:\program files\google\GoogleToolbar3.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://d:\program files\google\GoogleToolbar3.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - D:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe

2.

YOur HJT log looks good, well done

Only these minor ones left,....Close IE, open HJT and FIX the below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {C5183ABC-EB6E-4E05-B8C9-500A16B6CF94} - (no file)

Close HJT, Reboot.

Post back a new log after restore , if you want.

Cheers