Really odd problem with a file ,, any suggestions

Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

I have a computer that i'm working on ,, and i have discovered a little
oddity and can't find an answer to.

I open up task manager and i find a weird looking file running in the
process , let's call this file ekfitve.exe for example ,, then i find this
file in c:\windows\system32 folder ,,, if i put both windows side by side
and then end the process in task mgr ,, i can see this file change it's
name right in front of me ,,,then it appears with that name in task mgr.

The file is always a weird combo of letters and it never seems to repeat
itself ,,, i've tried deleting the file ,,but of course can't access it and
i've tried going through Xp's repair option to try and get it before it
loads ,, but of course with it changing it's name ,, what do i look for?
There's no way of locating it.

I was thinking of one last shot of getting this bugger ,,with any help from
here , before deep sixing the system and starting from scratch.

Any suggestions????

Thanks , Gord
  1. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Format and reinstall.

    --

    "Instead of trying to bash me you should try to learn from me and
    archive my posts so you can better help people in the future. If you don't
    understand something I post then ask me my email is valid."

    - pcbutts1.@thisoldtreehouse.com
    - pcbutts1.@seedsv.com


    LouisG wrote:
    > I have a computer that i'm working on ,, and i have discovered a
    > little oddity and can't find an answer to.
    >
    > I open up task manager and i find a weird looking file running in the
    > process , let's call this file ekfitve.exe for example ,, then i find
    > this file in c:\windows\system32 folder ,,, if i put both windows
    > side by side and then end the process in task mgr ,, i can see this
    > file change it's name right in front of me ,,,then it appears with
    > that name in task mgr.
    >
    > The file is always a weird combo of letters and it never seems to
    > repeat itself ,,, i've tried deleting the file ,,but of course can't
    > access it and i've tried going through Xp's repair option to try and
    > get it before it loads ,, but of course with it changing it's name ,,
    > what do i look for? There's no way of locating it.
    >
    > I was thinking of one last shot of getting this bugger ,,with any
    > help from here , before deep sixing the system and starting from
    > scratch.
    >
    > Any suggestions????
    >
    > Thanks , Gord

    --
  2. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    LouisG <imnot@home.com> wrote in
    news:Xns96B964E7D447111241959@216.196.97.142:

    > I have a computer that i'm working on ,, and i have discovered a
    > little oddity and can't find an answer to.
    >
    > I open up task manager and i find a weird looking file running in the
    > process , let's call this file ekfitve.exe for example ,, then i find
    > this file in c:\windows\system32 folder ,,, if i put both windows side
    > by side and then end the process in task mgr ,, i can see this file
    > change it's name right in front of me ,,,then it appears with that
    > name in task mgr.
    >
    > The file is always a weird combo of letters and it never seems to
    > repeat itself ,,, i've tried deleting the file ,,but of course can't
    > access it and i've tried going through Xp's repair option to try and
    > get it before it loads ,, but of course with it changing it's name ,,
    > what do i look for? There's no way of locating it.
    >
    > I was thinking of one last shot of getting this bugger ,,with any help
    > from here , before deep sixing the system and starting from scratch.
    >
    > Any suggestions????
    >
    > Thanks , Gord

    that's not a really odd problem, it's some type of spyware/adware, and this
    is typical behavior.

    try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
  3. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    I've cleaned the computer with these ,, there are six accounts on this
    computer , including the admin through safe mode , with three different
    types of cleaners ,,including spybot ,, and they catch things , but it
    still happens ,,,,the only thing that doesn't seem to get cleaned is a
    key in the registry for Altnet.

    DanS <t.h.i.s.n.t.h.a.t@a.d.e.l.p.h.i.a..n.e.t> wrote in
    news:Xns96B969B485191idispcom@216.196.97.142:

    > LouisG <imnot@home.com> wrote in
    > news:Xns96B964E7D447111241959@216.196.97.142:
    >
    >> I have a computer that i'm working on ,, and i have discovered a
    >> little oddity and can't find an answer to.
    >>
    >> I open up task manager and i find a weird looking file running in the
    >> process , let's call this file ekfitve.exe for example ,, then i find
    >> this file in c:\windows\system32 folder ,,, if i put both windows
    >> side by side and then end the process in task mgr ,, i can see this
    >> file change it's name right in front of me ,,,then it appears with
    >> that name in task mgr.
    >>
    >> The file is always a weird combo of letters and it never seems to
    >> repeat itself ,,, i've tried deleting the file ,,but of course can't
    >> access it and i've tried going through Xp's repair option to try and
    >> get it before it loads ,, but of course with it changing it's name ,,
    >> what do i look for? There's no way of locating it.
    >>
    >> I was thinking of one last shot of getting this bugger ,,with any
    >> help from here , before deep sixing the system and starting from
    >> scratch.
    >>
    >> Any suggestions????
    >>
    >> Thanks , Gord
    >
    > that's not a really odd problem, it's some type of spyware/adware, and
    > this is typical behavior.
    >
    > try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
    >
    >
  4. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    LouisG <imnot@home.com> wrote in
    news:Xns96B969B5E840B11241959@216.196.97.142:

    > I've cleaned the computer with these ,, there are six accounts on this
    > computer , including the admin through safe mode , with three different
    > types of cleaners ,,including spybot ,, and they catch things , but it
    > still happens ,,,,the only thing that doesn't seem to get cleaned is a
    > key in the registry for Altnet.
    >

    Is the AltNet from the Aurora company ? If it is, there will be an
    Add/Remove Programs entry for it that doesn't work. This is a tough one to
    get rid of if so.
  5. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    "LouisG" <imnot@home.com> wrote in message
    news:Xns96B964E7D447111241959@216.196.97.142...
    > I have a computer that i'm working on ,, and i have discovered a little
    > oddity and can't find an answer to.
    >
    > I open up task manager and i find a weird looking file running in the
    > process , let's call this file ekfitve.exe for example ,, then i find this
    > file in c:\windows\system32 folder ,,, if i put both windows side by side
    > and then end the process in task mgr ,, i can see this file change it's
    > name right in front of me ,,,then it appears with that name in task mgr.
    >
    > The file is always a weird combo of letters and it never seems to repeat
    > itself ,,, i've tried deleting the file ,,but of course can't access it
    > and i've tried going through Xp's repair option to try and get it before it
    > loads ,, but of course with it changing it's name ,, what do i look for?
    > There's no way of locating it.


    it's a mutating virus...
    you need to run a virus check with a recently updated virus checker...
    but if you delete it and it returns...
    you may need to backup your data and do a fresh install
  6. Archived from groups: microsoft.public.windowsxp.general

    Hi,

    Nasty little virus you have there, and that name changing is a means of
    protecting itself and preventing removal. It occurs as there is another
    function in place that checks for the presence of the virus, and if not
    there it creates a new instance (hence the name change you see). The way to
    defeat it is in Safe mode where neither the bug or the check is active. From
    there you will be able to delete the files involved and the registry entries
    that load them. If you do not get the latter, then a new instance will be
    created when you start in normal mode. Make sure to check the run keys in
    all of the HKCU entries in addition to the HKLM keys.

    --
    Best of Luck,

    Rick Rogers, aka "Nutcase" - Microsoft MVP
    http://mvp.support.microsoft.com/
    Associate Expert - WindowsXP Expert Zone
    www.microsoft.com/windowsxp/expertzone
    Windows help - www.rickrogers.org

    "LouisG" <imnot@home.com> wrote in message
    news:Xns96B964E7D447111241959@216.196.97.142...
    >I have a computer that i'm working on ,, and i have discovered a little
    > oddity and can't find an answer to.
    >
    > I open up task manager and i find a weird looking file running in the
    > process , let's call this file ekfitve.exe for example ,, then i find this
    > file in c:\windows\system32 folder ,,, if i put both windows side by side
    > and then end the process in task mgr ,, i can see this file change it's
    > name right in front of me ,,,then it appears with that name in task mgr.
    >
    > The file is always a weird combo of letters and it never seems to repeat
    > itself ,,, i've tried deleting the file ,,but of course can't access it
    > and
    > i've tried going through Xp's repair option to try and get it before it
    > loads ,, but of course with it changing it's name ,, what do i look for?
    > There's no way of locating it.
    >
    > I was thinking of one last shot of getting this bugger ,,with any help
    > from
    > here , before deep sixing the system and starting from scratch.
    >
    > Any suggestions????
    >
    > Thanks , Gord
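
The Run-key check described in the post above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later and an elevated prompt; because HKCU is per-account, it loads each account's NTUSER.DAT so the Run keys of every profile are listed beside the HKLM ones. The `TempHive_` mount name and the function name are choices made for this example.

```powershell
# Added example: read-only listing of Run-family autostart values for HKLM and
# for every local profile, including accounts that are not logged on.
# Nothing is deleted or modified; hives loaded here are unloaded again.

$runSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'Software\Microsoft\Windows\CurrentVersion\RunServices'
)

function Get-RunValues {
    param(
        [string]$Root,   # provider path of the hive, e.g. 'Registry::HKEY_LOCAL_MACHINE'
        [string]$Owner   # label shown in the report
    )
    foreach ($sub in $runSubKeys) {
        $path = "$Root\$sub"
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        try {
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Owner   = $Owner
                    Key     = $sub
                    Name    = $name
                    Command = $key.GetValue($name)
                }
            }
        }
        finally {
            # An open handle would make 'reg unload' fail later
            $key.Close()
        }
    }
}

# Machine-wide entries
$results = @(Get-RunValues -Root 'Registry::HKEY_LOCAL_MACHINE' -Owner 'HKLM')

# Per-account entries: walk the profile list instead of relying on HKCU,
# which only shows the account running this script.
$profileList = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
foreach ($p in Get-ChildItem -LiteralPath $profileList) {
    $sid = $p.PSChildName
    $dir = $p.GetValue('ProfileImagePath')
    if (-not $dir) { continue }

    $mount      = $sid
    $loadedHere = $false
    if (-not (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid")) {
        # Account is not logged on: mount its hive file under a temporary name
        $hive = Join-Path $dir 'NTUSER.DAT'
        if (-not (Test-Path -LiteralPath $hive)) { continue }
        $mount = "TempHive_$sid"
        $null = & reg.exe load "HKU\$mount" $hive 2>&1
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not load $hive"
            continue
        }
        $loadedHere = $true
    }

    $results += @(Get-RunValues -Root "Registry::HKEY_USERS\$mount" -Owner $dir)

    if ($loadedHere) {
        # Release any remaining registry handles before unloading the hive
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        $null = & reg.exe unload "HKU\$mount" 2>&1
    }
}

# Full report, one row per autostart value
$results | Sort-Object Owner, Key, Name |
    Format-Table Owner, Key, Name, Command -AutoSize -Wrap

# Commands registered for more than one owner
$results | Group-Object Command | Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        [pscustomobject]@{
            Command = $_.Name
            Owners  = ($_.Group.Owner | Sort-Object -Unique) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```
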
  7. Archived from groups: microsoft.public.windowsxp.general

    Thanks Rick ,, that's what i figured ,, i've run the anti virus through
    this thing many times along with antispyware and keep nailing little
    buggers ,,there's 6 accounts on this computer between normal and safe modes
    and trying to eradicate this thing is just sending me in circles.

    The only thing that the spyware scanners can't get rid of is one key in the
    registry for Altnet , which was probably put there when this person
    installed Kazaa ,,, tried every which way to get this deleted , but can't.

    Could this be the culprit??

    "Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
    news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:


    > Hi,
    >
    > Nasty little virus you have there, and that name changing is a means
    > of protecting itself and preventing removal. It occurs as there is
    > another function in place that checks for the presence of the virus,
    > and if not there it creates a new instance (hence the name change you
    > see). The way to defeat it is in Safe mode where neither the bug or
    > the check is active. From there you will be able to delete the files
    > involved and the registry entries that load them. If you do not get
    > the latter, then a new instance will be created when you start in
    > normal mode. Make sure to check the run keys in all of the HKCU
    > entries in addition to the HKLM keys.
    >
  8. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Thanks,,,,,,,,,Frank,,,,,,,,,,,,,,for nothing,,,,,,,,,,,,,,,,,,

    "Frank DeLucca, MS-MPV" <frank.delucca.microsoft@gmail.com> wrote in
    news:20050821155250.08C0545796@smtp4.wanadoo.nl:

    >
    >
    > "LouisG" <imnot@home.com> wrote in message
    > news:Xns96B964E7D447111241959@216.196.97.142...
    >>I have a computer that i'm working on ,, and i have discovered a
    >>little
    >> oddity and can't find an answer to.
    >>
    >> I open up task manager and i find a weird looking file running in the
    >> process , let's call this file ekfitve.exe for example ,, then i find
    >> this file in c:\windows\system32 folder ,,, if i put both windows
    >> side by side and then end the process in task mgr ,, i can see this
    >> file change it's name right in front of me ,,,then it appears with
    >> that name in task mgr.
    >>
    >> The file is always a weird combo of letters and it never seems to
    >> repeat itself ,,, i've tried deleting the file ,,but of course can't
    >> access it and
    >> i've tried going through Xp's repair option to try and get it before
    >> it loads ,, but of course with it changing it's name ,, what do i
    >> look for? There's no way of locating it.
    >>
    >> I was thinking of one last shot of getting this bugger ,,with any
    >> help from
    >> here , before deep sixing the system and starting from scratch.
    >>
    >> Any suggestions????
    >>
    >> Thanks , Gord
    >>
    >
    > Your " , " key is b0rken. Replace your keyboard to get rid of your
    > problems. O, and install Service Pak 2, if you haven't done so
    > already.
    >
  9. Archived from groups: microsoft.public.windowsxp.general

    LouisG wrote:

    > Thanks Rick ,, that's what i figured ,, i've run the anti virus through
    > this thing many times along with antispyware and keep nailing little
    > buggers ,,there's 6 accounts on this computer between normal and safe modes
    > and trying to eradicate this thing is just sending me in circles.
    >
    > The only thing that the spyware scanners can't get rid of is one key in the
    > registry for Altnet , which was probably put there when this person
    > installed Kazaa ,,, tried every which way to get this deleted , but can't.
    >
    > Could this be the culprit??
    >
    > "Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
    > news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:
    >
    >
    >
    >
    >>Hi,
    >>
    >>Nasty little virus you have there, and that name changing is a means
    >>of protecting itself and preventing removal. It occurs as there is
    >>another function in place that checks for the presence of the virus,
    >>and if not there it creates a new instance (hence the name change you
    >>see). The way to defeat it is in Safe mode where neither the bug or
    >>the check is active. From there you will be able to delete the files
    >>involved and the registry entries that load them. If you do not get
    >>the latter, then a new instance will be created when you start in
    >>normal mode. Make sure to check the run keys in all of the HKCU
    >>entries in addition to the HKLM keys.
    >>
    >
    >

    Have you checked the permissions on that registry key?

    BTW, please don't post Hijackthis logs here. Contrary to pcbutts1, and
    he has been told many times, this is not the forum for it. But HJT is a
    good resource. Download, run it, and post the log to one of the
    specialty forums.

    HijackThis
    http://www.majorgeeks.com/download.php?det=3155

    Forums to Interpret HijackThis Logs:

    http://www.spywareinfo.com/forums/
    http://forum.aumha.org/viewforum.php?f=30
    http://forums.tomcoyote.org/
    http://www.wilderssecurity.com/

    --
    Rock
    MS MVP Windows - Shell/User
  10. Archived from groups: microsoft.public.windowsxp.general

    Hi Louis,

    While the spyware is an issue, it's not the cause of this problem, nor are
    spyware cleaners the way to resolve it. Free virus removal tools that can be
    used in Safe mode (run in all accounts before returning to normal mode):

    http://vil.nai.com/vil/stinger/
    http://www.emsisoft.com/en/
    http://free.grisoft.com/doc/8/lng/us/tpl/v5/nid/3001#3001
    http://www.f-secure.com/download-purchase/tools.shtml

    --
    Best of Luck,

    Rick Rogers, aka "Nutcase" - Microsoft MVP
    http://mvp.support.microsoft.com/
    Associate Expert - WindowsXP Expert Zone
    www.microsoft.com/windowsxp/expertzone
    Windows help - www.rickrogers.org

    "LouisG" <imnot@home.com> wrote in message
    news:Xns96B96A55BA63F11241959@216.196.97.142...
    > Thanks Rick ,, that's what i figured ,, i've run the anti virus through
    > this thing many times along with antispyware and keep nailing little
    > buggers ,,there's 6 accounts on this computer between normal and safe
    > modes
    > and trying to eradicate this thing is just sending me in circles.
    >
    > The only thing that the spyware scanners can't get rid of is one key in
    > the
    > registry for Altnet , which was probably put there when this person
    > installed Kazaa ,,, tried every which way to get this deleted , but can't.
    >
    > Could this be the culprit??
    >
    > "Rick \"Nutcase\" Rogers" <rick@mvps.org> wrote in
    > news:#H#IvplpFHA.320@TK2MSFTNGP09.phx.gbl:
    >
    >
    >
    >> Hi,
    >>
    >> Nasty little virus you have there, and that name changing is a means
    >> of protecting itself and preventing removal. It occurs as there is
    >> another function in place that checks for the presence of the virus,
    >> and if not there it creates a new instance (hence the name change you
    >> see). The way to defeat it is in Safe mode where neither the bug or
    >> the check is active. From there you will be able to delete the files
    >> involved and the registry entries that load them. If you do not get
    >> the latter, then a new instance will be created when you start in
    >> normal mode. Make sure to check the run keys in all of the HKCU
    >> entries in addition to the HKLM keys.
    >>
    >
  11. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Download, install, update and run all of the following.

    Ad-Aware
    http://www.pcbutts1.com/downloads/aawsepersonal.exe

    Spybot search and destroy
    http://www.pcbutts1.com/downloads/spybotsd14.exe

    Ewido Security Suite Trial version
    http://www.pcbutts1.com/downloads/ewidosetup.exe

    Microsoft Windows AntiSpyware (Beta1)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

    If none of the above fixes the issue then download Hijack this, run it, save
    a copy of the log file and cut and paste it back here to this group so that
    I can analyze it. Ignore anyone who tells you to post it elsewhere. I need
    to see it not them.


    HijackThis
    http://www.pcbutts1.com/downloads/HijackThis.zip

    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com


    "LouisG" <imnot@home.com> wrote in message
    news:Xns96B969B5E840B11241959@216.196.97.142...
    > I've cleaned the computer with these ,, there are six accounts on this
    > computer , including the admin through safe mode , with three different
    > types of cleaners ,,including spybot ,, and they catch things , but it
    > still happens ,,,,the only thing that doesn't seem to get cleaned is a
    > key in the registry for Altnet.
    >
    > DanS <t.h.i.s.n.t.h.a.t@a.d.e.l.p.h.i.a..n.e.t> wrote in
    > news:Xns96B969B485191idispcom@216.196.97.142:
    >
    >> LouisG <imnot@home.com> wrote in
    >> news:Xns96B964E7D447111241959@216.196.97.142:
    >>
    >>> I have a computer that i'm working on ,, and i have discovered a
    >>> little oddity and can't find an answer to.
    >>>
    >>> I open up task manager and i find a weird looking file running in the
    >>> process , let's call this file ekfitve.exe for example ,, then i find
    >>> this file in c:\windows\system32 folder ,,, if i put both windows
    >>> side by side and then end the process in task mgr ,, i can see this
    >>> file change it's name right in front of me ,,,then it appears with
    >>> that name in task mgr.
    >>>
    >>> The file is always a weird combo of letters and it never seems to
    >>> repeat itself ,,, i've tried deleting the file ,,but of course can't
    >>> access it and i've tried going through Xp's repair option to try and
    >>> get it before it loads ,, but of course with it changing it's name ,,
    >>> what do i look for? There's no way of locating it.
    >>>
    >>> I was thinking of one last shot of getting this bugger ,,with any
    >>> help from here , before deep sixing the system and starting from
    >>> scratch.
    >>>
    >>> Any suggestions????
    >>>
    >>> Thanks , Gord
    >>
    >> that's not a really odd problem, it's some type of spyware/adware, and
    >> this is typical behavior.
    >>
    >> try cleaning IN SAFE MODE, with M$ Antispyware, AdAware, and Spybot.
    >>
    >>
    >
  12. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Logfile of HijackThis v1.99.1
    Scan saved at 11:39:19 AM, on 8/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\ewido\security suite\ewidoguard.exe
    C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\System32\xzmofgh.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Labtec\moffice.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\Program Files\Labtec\MOUSE32A.DAT
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    A:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    http://www.iquicksearch.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    http://rogers.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    http://www.iquicksearch.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    R3 - Default URLSearchHook is missing
    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    O2 - BHO: (no name) - SOFTWARE - (no file)
    O2 - BHO: (no name) - {05304F16-6B90-4DF6-B537-A5AF69F3B5C2} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {12E63F60-1CF7-46D5-AEDF-6539DCA2A80C} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {1F302361-DE67-46C2-B076-F713FD319563} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {25B633B4-F5AC-42EA-A08B-6E0AA8E1574B} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {27E68F6D-F18D-4133-B8AB-C29D4F08962A} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {288A04BC-275E-4194-9B66-A03F809109A8} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {2A267F59-7549-4E90-A507-1CC19AE039B8} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {2B7BAEDB-E0E4-40A1-A852-603E01000116} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {2FE61C11-3C38-4CD4-85F1-F8ADFFC4DA11} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {31F6C1AE-E283-491E-81F5-4E8A590D90BF} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {3DBF3268-6A9D-4751-AD8C-B905F1AF596A} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
    \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    O2 - BHO: (no name) - {4100741B-0E67-422F-9458-4358139790CA} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {4163C8E3-8B29-4D05-AFAB-FB7C252B093D} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {43B036DC-143A-4EF5-9EF8-BEE04B0B9B33} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {49661D5C-D6E4-A035-C15E-DB98BB45A29F} - C:\WINDOWS
    \System32\lny.dll
    O2 - BHO: (no name) - {4B900EC1-C2DE-44D5-92C0-AD424BA59198} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {4BE852D9-F37D-430D-9BB8-C64D3864CF48} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {50304AFC-D621-4860-8F57-B2356A00CEF8} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {50EBBC08-EC30-4F25-B273-EA71CE928B71} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {516B5C4D-C164-4F31-9A66-A3642B718D33} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {5274F34D-27C5-43E9-97F4-E7631B35A83E} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
    Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {5B185C59-9E7A-4269-B2B0-B4598C29A020} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {5D878741-964E-46F3-A6A6-4E78CA79FFF9} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
    1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    O2 - BHO: (no name) - {66192BC7-E190-4869-8196-538CBF6A7FCC} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {66935611-FC52-4D08-91AD-A8E8348216CB} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {69EAD774-5D52-4189-B454-7C0ED79DCB24} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {6C2F3C34-3745-4974-9070-00B42626D328} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {6FA7A7D4-42A6-4D33-8A99-5F5F635A4271} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {78820481-EDEF-4C47-BC5E-B098D4F1828E} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {7FC992CD-B6D9-4CAB-9713-FD401CD171EB} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {86904BCA-D91E-4CE3-986C-535E07547039} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {8F038E9C-E309-43F5-A8B5-C840A01EB73B} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {92E367C0-F36C-4302-BD38-108A45B33249} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {A1ED8367-FC52-48E1-A089-D547527F2226} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {A1FC27AB-D787-424B-B350-C9F5B6C39040} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {A3464DBE-BE74-4C2E-A6ED-4AC9C33A4E58} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {A9BAAB80-EDBC-4784-AB99-73AE226FEA25} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {B199BAFC-DB92-455E-AF16-77B0DD2DECF0} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {B570451E-00F7-4234-9225-6AD5194D17E2} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {B99E1544-FE8E-4AE1-BF16-C7CD05528AD7} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {BE111ACF-0E7B-4D59-944D-7AE096436D18} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {C17184CB-1239-4864-B89E-B5F80EA630F5} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {C1E368F7-DD7A-43D3-81EE-69EE5D7F3924} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {C68DE86F-9611-4738-9A85-3EE3BC847B30} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {CED69274-67B9-4AB8-BB0B-681294DDE067} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {D2F16FB3-FEE4-410F-A2F5-AE57CBA2AA1F} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {D31A67EC-58E1-4713-A05C-9C1C576161FE} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {D35E5601-7BA2-4DC2-BEC6-FEABBA88D4C9} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {D4603105-AA26-4D2C-9C6D-0FA6A878CAE8} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {D9967231-452F-4FCC-A9C7-DBA57FBF1F7D} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {DA021E5B-3F3F-4770-91B2-7B1D03135165} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {DA03C223-2073-4E29-A804-14CB8BEA824D} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {E2B5FB51-3CD3-44CA-A4A3-FE48C8F6022F} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {E4D72068-602F-48BF-967B-D763C185E79C} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {E4F45D9C-6EC3-4351-88B4-035AD6834456} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {E53C6742-A264-4950-BC5A-3DF5A7325AA3} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {EA01ABBE-FCC2-49E6-97CD-1ACE2C3FD5EB} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {ED32D562-5CA5-4D17-8430-3C3394897C55} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {F06B2B78-AA33-4AE1-A11A-EC4B41E006E6} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {FDA8A821-67B5-4E59-94E0-1728AF8919D0} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O2 - BHO: (no name) - {FFF60A14-6FD8-40D7-A02C-9D7CFF458978} - C:\PROGRA~
    1\Lycos\IEagent\IEagent.dll (file missing)
    O3 - Toolbar: (no name) - {A27CB27E-2D1B-4A60-8843-75AE9419FD0E} - (no
    file)
    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no
    file)
    O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no
    file)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:
    \WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
    Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
    \iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
    \qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
    \MsgPlus.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [egruxcg] C:\WINDOWS\System32\xzmofgh.exe r
    O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    \tools.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    \Tools\tools.exe
    O4 - HKCU\..\Run: [wmegfi] C:\WINDOWS\System32\wmegfi.exe
    O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    \tools.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
    \PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
    C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
    00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
    12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-
    12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
    00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} -
    file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
    (file missing) (HKCU)
    O16 - DPF: {4EC8E993-32C1-47F5-A07A-5B0574655AD4} (WXcom Class) -
    http://us.dl1.yimg.com/download.yahoo.com/dl/controls/ysftcntr/ysftcntr_c
    urrent.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
    - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} -
    http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/aba
    rth/us/win/QuickTimeInstaller.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuw
    eb_site.cab?1120351775546
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5BEA91D4-EEFA-4D4F-BE7E-
    0DAA3A47C660}: NameServer = 49.10.68.10,209.226.175.223
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList =
    tdbank.ca,ctwan.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList =
    tdbank.ca,ctwan.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList =
    tdbank.ca,ctwan.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList =
    tdbank.ca,ctwan.com
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
    \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program
    Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program
    Files\ewido\security suite\ewidoguard.exe
    O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown
    owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
    \Program Files\iPod\bin\iPodService.exe
    O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
    \soundman.exe" -service (file missing)
    O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:
    \windows\SvcProc.exe
    O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    \SVCH0ST.exe" -service (file missing)


    "pcbutts1" <pcbutts1@seedsv.com> wrote in
    news:f01Oe.104$L77.17@newssvr19.news.prodigy.com:

    > Download, install, update and run all of the following.
    >
    > Ad-Aware
    > http://www.pcbutts1.com/downloads/aawsepersonal.exe
    >
    > Spybot search and destroy
    > http://www.pcbutts1.com/downloads/spybotsd14.exe
    >
    > Ewido Security Suite Trial version
    > http://www.pcbutts1.com/downloads/ewidosetup.exe
    >
    > Microsoft Windows AntiSpyware (Beta1)
    > http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-
    > 4C57-A8BD-DBF62EDA9671&displaylang=en
    >
    > If none of the above fixes the issue then download Hijack this, run
    > it, save a copy of the log file and cut and paste it back here to this
    > group so that I can analyze it. Ignore anyone who tells you to post it
    > elsewhere. I need to see it not them.
    >
    >
    > HijackThis
    > http://www.pcbutts1.com/downloads/HijackThis.zip
    >
  13.

    Have hijackthis fix these lines:


    > Logfile of HijackThis v1.99.1
    > Scan saved at 11:39:19 AM, on 8/21/2005
    > Platform: Windows XP SP1 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    > Running processes:
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    > C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    > C:\Program Files\iTunes\iTunesHelper.exe
    > C:\Program Files\QuickTime\qttask.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
  14.

    You don't have a problem, but it could be spyware so format and reinstall.


    --

    "Instead of trying to bash me you should try to learn from me and
    archive my posts so you can better help people in the future. If you don't
    understand something I post then ask me my email is valid."

    - pcbutts1.@thisoldtreehouse.com
    - pcbutts1.@seedsv.com


  15.

    Ignore that other pcbutts1; he is a name-forging troll. Follow the advice I
    give you. If you are not sure who the real one is, just email me; my email is
    valid. You can also check the message headers and my sig file at the bottom
    of this message.

    You are infected with Aurora/Nail. Follow the instructions below and then
    post another HijackThis log.
    Please download ewido security suite; it is a free version of the program.
    http://www.pcbutts1.com/downloads/ewidosetup.exe
    Install ewido security suite
    When installing, under "Additional Options" uncheck:
    Install background guard
    Install scan via context menu
    Launch ewido, there should be an icon on your desktop, double-click it.
    The program will now open to the main screen.
    When you run ewido for the first time, you will get a warning "Database
    could not be found!". Click OK. We will fix this in a moment.
    You will need to update ewido to the latest definition files.
    On the left hand side of the main screen click update.
    Then click on Start Update.
    The update will start and a progress bar will show the updates being
    installed.
    (the status bar at the bottom will display "Update successful")
    Exit ewido. DO NOT SCAN YET.

    Download CCleaner and install it, but do not run it yet.
    http://www.pcbutts1.com/downloads/ccsetup122.exe

    Please download this file: Revised Installer for the Nailfix Utility
    http://www.pcbutts1.com/downloads/nailfix1.exe
    Save it to your desktop.
    DO NOT RUN IT YET.

    Next configure Windows to show all files

    Do one of the following:
    In Windows XP, on the taskbar, click Start > My Computer.
    In Windows 2000/Me/98, on the Windows desktop, double-click the My Computer
    icon.
    Do one of the following:
    In Windows XP/2000/Me, on the Tools menu, click Folder Options.
    In Windows 98, on the View menu, click Folder Options.
    On the View tab, uncheck Hide file extensions for known file types.
    Do one of the following:
    In Windows XP/2000/Me, uncheck Hide protected operating system files. Then,
    under the "Hidden files" folder, click Show hidden files and folders.
    In Windows 98, in the Advanced Settings box, under the "Hidden files"
    folder, click Show all files.
    If you see a warning message, click Yes.
    Click Apply.
    Click OK.

    Next, please reboot your computer in SafeMode by doing the following:
    Restart your computer. After hearing your computer beep once during startup,
    but before the Windows icon appears, press F8. Instead of Windows loading as
    normal, a menu should appear.
    Select the first option, to run Windows in Safe Mode.
    Once in Safe Mode, please double-click on nailfix.exe.
    Click "Next" in the setup
    Make sure "Run Nailfix" is checked and click "Finish".
    Your desktop and icons will disappear and reappear, and a window should open
    and close very quickly --- this is normal.

    Now open ewido and do a scan of your system.
    Click on scanner
    Click on Complete System Scan and the scan will begin.
    NOTE: During some scans with ewido it is finding cases of false positives.**
    You will need to step through the process of cleaning files one-by-one.
    If ewido detects a file you KNOW to be legitimate, select none as the
    action.
    DO NOT select "Perform action on all infections"
    If you are unsure of any entry found select none for now as the action.
    Once the scan has completed, there will be a button located on the bottom of
    the screen named Save report
    Click Save report.
    Save the report .txt file to your desktop or a location where you can find
    it easily.
    **(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere
    and the game "Risk")

    Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
    Now run HijackThis, click Scan, and place a checkmark next to each of the
    following items:

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    Close all open windows except for HJT, then click the Fix Checked button.
    Close HJT.

    Locate and delete the following file:
    C:\WINDOWS\Nail.exe
    For Windows NT or 2000 it would be
    C:\winnt\Nail.exe

    Now run CCleaner
    Uncheck "Cookies" under "Internet Explorer".
    If running Firefox: click on the "Applications" tab and uncheck "Cookies"
    under "Firefox".
    Click on Run Cleaner in the lower right-hand corner. This can take quite a
    while to run.

    Finally, restart your computer in normal mode and please post a new
    HijackThis log, as well as the report log from the Ewido scan by using Add
    Reply.

    If IE is not working, the links I gave you are direct download links and
    should work. If they don't then paste them into another browser or explorer
    window. If you have no other browser then email me with a valid email
    address and I will send you one. We will fix IE after all the spyware is
    gone.


    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com
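The diagnosis in the post above hinges on one log line, the F2 entry where the Shell value starts `C:\WINDOWS\Nail.exe` next to Explorer.exe. As an added example (not part of the original thread and not HijackThis's own code), this Python triage script rejoins the newsreader-wrapped log lines and flags that pattern, autostarts launched straight from System32, look-alike system names, and repeated "(file missing)" references. The function names, the `SYSTEM_NAMES` baseline and the `known_autoruns` allowlist are assumptions made for illustration.

```python
import re
from collections import Counter
from ntpath import basename, dirname

# Lines copied from the first HijackThis log in this thread, still wrapped
# the way the newsreader wrapped them.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {FDA8A821-67B5-4E59-94E0-1728AF8919D0} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O2 - BHO: (no name) - {FFF60A14-6FD8-40D7-A02C-9D7CFF458978} - C:\PROGRA~
1\Lycos\IEagent\IEagent.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [egruxcg] C:\WINDOWS\System32\xzmofgh.exe r
O4 - HKCU\..\Run: [wmegfi] C:\WINDOWS\System32\wmegfi.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")      # "O4 - ...", "F2 - ..."
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|dat))\b', re.I)
SHELL_RE = re.compile(r"Shell=\s*explorer\.exe\s+(\S.*)", re.I)
# Assumed baseline of system image names worth checking for imitations.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe",
                "services.exe", "winlogon.exe"}
LOOKALIKE = str.maketrans("015", "ols")                 # 0->o, 1->l, 5->s


def parse(log_text):
    """Return [(section, body)] with wrapped continuation lines rejoined."""
    entries, open_entry = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append([m.group(1), m.group(2)])
            open_entry = True
        elif not line:
            open_entry = False          # a blank line ends any continuation
        elif open_entry:
            prev = entries[-1][1]
            # A wrap inside a path, 8.3 short name or GUID dropped no space;
            # a wrap between two words did.
            glued = (line.startswith("\\") or prev.endswith(("\\", "~"))
                     or (prev.endswith("-") and not prev.endswith(" -")))
            entries[-1][1] = prev + ("" if glued else " ") + line
    return [tuple(e) for e in entries]


def triage(entries, known_autoruns=frozenset()):
    """Return (findings, missing): flagged entries and a count of
    '(file missing)' references per path."""
    findings, missing = [], Counter()
    for section, body in entries:
        shell = SHELL_RE.search(body) if section.startswith("F") else None
        if shell:                       # extra program chained after Explorer.exe
            findings.append(("shell-hijack", section, shell.group(1)))
            continue
        m = PATH_RE.search(body)
        if not m:
            continue
        path = m.group(1)
        name = basename(path).lower()
        if "(file missing)" in body:    # registry reference with no file behind it
            missing[path] += 1
        if name not in SYSTEM_NAMES and name.translate(LOOKALIKE) in SYSTEM_NAMES:
            findings.append(("lookalike-name", section, path))
        elif (section == "O4" and name not in known_autoruns
              and dirname(path).lower().endswith("\\system32")):
            findings.append(("autostart-from-system32", section, path))
    return findings, missing


if __name__ == "__main__":
    found, orphaned = triage(parse(SAMPLE_LOG))
    for kind, section, path in found:
        print(f"{kind:24} {section:4} {path}")
    for path, count in orphaned.items():
        print(f"{'missing-file':24} x{count:<3} {path}")
```

Counting the "(file missing)" references per path collapses the long run of identical IEagent.dll BHO lines into a single row, which leaves the few entries that still point at live files easier to see.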
  16.

    Okay, here are the two new logs...

    Logfile of HijackThis v1.99.1
    Scan saved at 5:44:11 PM, on 8/21/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido\security suite\ewidoctrl.exe
    C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Labtec\moffice.exe
    C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Labtec\MOUSE32A.DAT
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\taskmgr.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18
    \2cf41f1db14bc8f414e16e1555b77108\update\update.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    http://www.iquicksearch.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAgOh
    WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
    \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
    Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
    1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
    Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
    \iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
    \qttask.exe" -atboottime
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
    \MsgPlus.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    \tools.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    \Tools\tools.exe
    O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    \tools.exe
    O8 - Extra context menu item: &Search -
    http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
    \PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
    C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
    00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
    00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
    - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuw
    eb_site.cab?1120351775546
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
    \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program
    Files\ewido\security suite\ewidoctrl.exe
    O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown
    owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
    \Program Files\iPod\bin\iPodService.exe
    O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
    \soundman.exe" -service (file missing)
    O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    \SVCH0ST.exe" -service (file missing)


    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 5:31:27 PM, 8/21/2005
    + Report-Checksum: D492D10F

    + Scan result:

    HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
    HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during
    cleaning
    HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error
    during cleaning
    C:\RECYCLER\S-1-5-21-1060284298-1715567821-839522115-500\Dc8.exe ->
    Trojan.Agent.gp : Cleaned with backup
    C:\WINDOWS\system32\EGCOMLIB_1035.dll -> Dialer.Generic : Cleaned
    with backup


    ::Report End


    What do you suggest now?? And thanks for your help.

    "pcbutts1" <pcbutts1@seedsv.com> wrote in
    news:CP2Oe.37$sV7.36@newssvr21.news.prodigy.com:

    > Ignore that other pcbutts1 he is a name forging troll. Follow the
    > advice I give you. If you are not sure who the real one is just email
    > me my email is valid. You can also check the message headers and my
    > sig file at the bottom of this message.
    >
    > You are infected with Aurora/Nail follow the instructions below and
    > then post another hijackthis log.
    > Please download ewido security suite it is a free version of the
    > program. http://www.pcbutts1.com/downloads/ewidosetup.exe
    > Install ewido security suite
    > When installing, under "Additional Options" uncheck..
    > Install background guard
    > Install scan via context menu
    > Launch ewido, there should be an icon on your desktop, double-click
    > it. The program will now open to the main screen.
    > When you run ewido for the first time, you will get a warning
    > "Database could not be found!". Click OK. We will fix this in a
    > moment. You will need to update ewido to the latest definition files.
    > On the left hand side of the main screen click update.
    > Then click on Start Update.
    > The update will start and a progress bar will show the updates being
    > installed.
    > (the status bar at the bottom will display "Update successful")
    > Exit ewido. DO NOT SCAN YET.
    >
    > Download CCleaner and install it, but do not run it yet.
    > http://www.pcbutts1.com/downloads/ccsetup122.exe
    >
    > Please download this file: Revised Installer for the Nailfix Utility
    > http://www.pcbutts1.com/downloads/nailfix1.exe
    > Save it to your desktop.
    > DO NOT RUN IT YET.
    >
    > Next configure Windows to show all files
    >
    > Do one of the following:
    > In Windows XP, on the taskbar, click Start > My Computer.
    > In Windows 2000/Me/98, on the Windows desktop, double-click the My
    > Computer icon.
    > Do one of the following:
    > In Windows XP/2000/Me, on the Tools menu, click Folder Options.
    > In Windows 98, on the View menu, click Folder Options.
    > On the View tab, uncheck Hide file extensions for known file types.
    > Do one of the following:
    > In Windows XP/2000/Me, uncheck Hide protected operating system files.
    > Then, under the "Hidden files" folder, click Show hidden files and
    > folders. In Windows 98, in the Advanced Settings box, under the
    > "Hidden files" folder, click Show all files.
    > If you see a warning message, click Yes.
    > Click Apply.
    > Click OK.
    >
    > Next, please reboot your computer in SafeMode by doing the following:
    > Restart your computer. After hearing your computer beep once during
    > startup, but before the Windows icon appears, press F8. Instead of
    > Windows loading as normal, a menu should appear.
    > Select the first option, to run Windows in Safe Mode.
    > Once in Safe Mode, please double-click on nailfix.exe.
    > Click "Next" in the setup
    > Make sure "Run Nailfix" is checked and click "Finish".
    > Your desktop and icons will disappear and reappear, and a window
    > should open and close very quickly --- this is normal.
    >
    > Now open ewido and do a scan of your system.
    > Click on scanner
    > Click on Complete System Scan and the scan will begin.
    > NOTE: During some scans with ewido it is finding cases of false
    > positives.** You will need to step through the process of cleaning
    > files one-by-one. If ewido detects a file you KNOW to be legitimate,
    > select none as the action.
    > DO NOT select "Perform action on all infections"
    > If you are unsure of any entry found select none for now as the
    > action. Once the scan has completed, there will be a button located on
    > the bottom of the screen named Save report
    > Click Save report.
    > Save the report .txt file to your desktop or a location where you can
    > find it easily.
    > **(Ewido for example has been flagging parts of AVG Anti-Virus,
    > pcAnywhere and the game "Risk")
    >
    > Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
    > Now run HijackThis, click Scan, and place a checkmark next to each of
    > the following items:
    >
    > F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    >
    > Close all open windows except for HJT, then click the Fix Checked
    > button. Close HJT.
    >
    > Locate and delete the following File
    > C:\WINDOWS\Nail.exe
    > For Windows NT or 2000 it would be
    > C:\winnt\Nail.exe
    >
    > Now run CCleaner
    > Uncheck "Cookies" under "Internet Explorer".
    > If running Firefox: click on the "Applications" tab and uncheck
    > "Cookies" under "Firefox".
    > Click on Run Cleaner in the lower right-hand corner. This can take
    > quite a while to run.
    >
    > Finally, restart your computer in normal mode and please post a new
    > HijackThis log, as well as the report log from the Ewido scan by using
    > Add Reply.
    >
    > If IE is not working, the links I gave you are direct download links
    > and should work. If they don't then paste them into another browser or
    > explorer window. If you have no other browser then email me with a
    > valid email address and I will send you one. We will fix IE after all
    > the spyware is gone.
    >
    >
    >
    >
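
Added example (not part of any poster's message, and not HijackThis's own code): a Python triage pass over the kind of log posted above. It rejoins the newsreader's hard line wraps and applies three review heuristics to each entry. The function names, flag labels and the short list of system file names are assumptions made for this illustration, and a flag marks an entry for manual review, not a verdict.

```python
import re

# Section codes HijackThis prefixes to each entry (R0-R3, F0-F3, N1-N4, O1-O24).
ENTRY_START = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")
EXE_NAME = re.compile(r'([^\\/"\s]+\.(?:exe|dll))', re.IGNORECASE)
APPDATA = re.compile(r"\\(?:APPLIC~\d|Application Data)\\", re.IGNORECASE)
AUTOSTART_CODES = {"O2", "O4", "O23"}          # BHOs, Run keys, services
# Assumption: a small illustrative list, not a complete inventory.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe",
                "services.exe", "winlogon.exe", "spoolsv.exe"}
LOOKALIKE = str.maketrans("01", "ol")           # digit-for-letter swaps

# Sample input: five entries copied from the log above, wraps as posted.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
\iTunesHelper.exe"
O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
\tools.exe
O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
\SVCH0ST.exe" -service (file missing)
"""


def unwrap(text):
    """Rejoin entries that a mail/news client wrapped across lines.

    A line that does not begin with a section code continues the previous
    entry. Wraps inside a path or GUID are glued without a space; others get
    one. A wrap in the middle of a plain word cannot be told apart from a
    wrap at a space, so such a word comes back with a space inside it.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
            continue
        prev = entries[-1]
        glued = (line.startswith("\\") or prev.endswith("~")
                 or (prev.endswith("-") and not prev.endswith(" -")))
        entries[-1] = prev + ("" if glued else " ") + line
    return entries


def triage(text):
    """Return (code, body, flags) for every entry in the log text."""
    results = []
    for entry in unwrap(text):
        m = ENTRY_START.match(entry)
        if not m:
            continue                            # header or stray text
        code, body = m.group(1), entry[m.end():]
        flags = []
        # 1. Autostart entry whose target no longer exists on disk.
        if body.rstrip().endswith("(file missing)"):
            flags.append("file-missing")
        # 2. Autostart entry that loads from an Application Data folder.
        if code in AUTOSTART_CODES and APPDATA.search(body):
            flags.append("autostart-from-appdata")
        # 3. File name that becomes a system name once 0/1 are read as o/l.
        for name in EXE_NAME.findall(body):
            low = name.lower()
            fixed = low.translate(LOOKALIKE)
            if low not in SYSTEM_NAMES and fixed in SYSTEM_NAMES:
                flags.append("lookalike:" + fixed)
        results.append((code, body, flags))
    return results


if __name__ == "__main__":
    for code, body, flags in triage(SAMPLE_LOG):
        print(f"{code:4} {', '.join(flags) or '-':40} {body}")
```
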
  17. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Looks clean.


    --

    "Instead of trying to bash me you should try to learn from me and
    archive my posts so you can better help people in the future. If you don't
    understand something I post then ask me my email is valid."

    - pcbutts1.@thisoldtreehouse.com
    - pcbutts1.@seedsv.com


    LouisG wrote:
    > Okay ,, here are the two new logs,,,
    >
    > Logfile of HijackThis v1.99.1
    > Scan saved at 5:44:11 PM, on 8/21/2005
    > Platform: Windows XP SP1 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    > Running processes:
    > C:\WINDOWS\System32\smss.exe
    > C:\WINDOWS\system32\winlogon.exe
    > C:\WINDOWS\system32\services.exe
    > C:\WINDOWS\system32\lsass.exe
    > C:\WINDOWS\system32\svchost.exe
    > C:\WINDOWS\System32\svchost.exe
    > C:\WINDOWS\system32\spoolsv.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    > C:\Program Files\ewido\security suite\ewidoctrl.exe
    > C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    > C:\WINDOWS\System32\svchost.exe
    > C:\WINDOWS\Explorer.EXE
    > C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    > C:\Program Files\iTunes\iTunesHelper.exe
    > C:\Program Files\QuickTime\qttask.exe
    > C:\Program Files\Labtec\moffice.exe
    > C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    > C:\Program Files\iPod\bin\iPodService.exe
    > C:\Program Files\Labtec\MOUSE32A.DAT
    > C:\WINDOWS\System32\wuauclt.exe
    > C:\WINDOWS\System32\taskmgr.exe
    > C:\WINDOWS\System32\wuauclt.exe
    > C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18
    > \2cf41f1db14bc8f414e16e1555b77108\update\update.exe
    > C:\HijackThis.exe
    >
    > R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    > http://www.iquicksearch.net/search.htm
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    > http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAgOh
    > WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    > R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    > about:blank
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    > Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    > O2 - BHO: AcroIEHlprObj Class -
    > {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
    > Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    > O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
    > C: \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    > O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
    > C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    > O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
    > C:\DOCUME~ 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    > O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
    > Creator 5\DirectCD\DirectCD.exe"
    > O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
    > \iTunesHelper.exe"
    > O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
    > \qttask.exe" -atboottime
    > O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program
    > Files\Labtec\moffice.exe O4 - HKLM\..\Run: [MessengerPlus3]
    > "C:\Program Files\MessengerPlus! 3 \MsgPlus.exe"
    > O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    > /STARTUP
    > O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    > O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    > \tools.exe
    > O4 - HKLM\..\RunServices: [soundman] soundman.exe
    > O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    > \Tools\tools.exe
    > O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    > \tools.exe
    > O8 - Extra context menu item: &Search -
    > http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    > O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
    > \PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    > O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}
    > - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    > O9 - Extra 'Tools' menuitem: Sun Java Console -
    > {08B0E5C0-4FCB-11CF-AAA5- 00401C608501} - C:\Program
    > Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    > O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    > 0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    > O9 - Extra 'Tools' menuitem: Yahoo! Messenger -
    > {E5D12C4E-7B4F-11D3-B5C9- 0050045C3C96} -
    > C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    > O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683}
    > - C:\Program Files\Messenger\MSMSGS.EXE
    > O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
    > 00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    > O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload
    > Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    > O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl
    > Class) -
    > http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuw
    > eb_site.cab?1120351775546
    > O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o.
    > - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    > O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
    > \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    > O23 - Service: ewido security suite control - ewido networks -
    > C:\Program Files\ewido\security suite\ewidoctrl.exe
    > O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) -
    > Unknown owner - C:\Program Files\Intel\Intel NetStructure VPN
    > Client\icsrv.exe O23 - Service: iPod Service (iPodService) - Apple
    > Computer, Inc. - C: \Program Files\iPod\bin\iPodService.exe
    > O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
    > \soundman.exe" -service (file missing)
    > O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    > \SVCH0ST.exe" -service (file missing)
    >
    >
    > ---------------------------------------------------------
    > ewido security suite - Scan report
    > ---------------------------------------------------------
    >
    > + Created on: 5:31:27 PM, 8/21/2005
    > + Report-Checksum: D492D10F
    >
    > + Scan result:
    >
    > HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
    > HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during
    > cleaning
    > HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error
    > during cleaning
    > C:\RECYCLER\S-1-5-21-1060284298-1715567821-839522115-500\Dc8.exe ->
    > Trojan.Agent.gp : Cleaned with backup
    > C:\WINDOWS\system32\EGCOMLIB_1035.dll -> Dialer.Generic : Cleaned
    > with backup
    >
    >
    > ::Report End
    >
    >
    >
    > What do you suggest now?? And thanks for your help.
    >
    > "pcbutts1" <pcbutts1@seedsv.com> wrote in
    > news:CP2Oe.37$sV7.36@newssvr21.news.prodigy.com:
    >
    >> Ignore that other pcbutts1 he is a name forging troll. Follow the
    >> advice I give you. If you are not sure who the real one is just email
    >> me my email is valid. You can also check the message headers and my
    >> sig file at the bottom of this message.
    >>
    >> You are infected with Aurora/Nail follow the instructions below and
    >> then post another hijackthis log.
    >> Please download ewido security suite it is a free version of the
    >> program. http://www.pcbutts1.com/downloads/ewidosetup.exe
    >> Install ewido security suite
    >> When installing, under "Additional Options" uncheck..
    >> Install background guard
    >> Install scan via context menu
    >> Launch ewido, there should be an icon on your desktop, double-click
    >> it. The program will now open to the main screen.
    >> When you run ewido for the first time, you will get a warning
    >> "Database could not be found!". Click OK. We will fix this in a
    >> moment. You will need to update ewido to the latest definition files.
    >> On the left hand side of the main screen click update.
    >> Then click on Start Update.
    >> The update will start and a progress bar will show the updates being
    >> installed.
    >> (the status bar at the bottom will display "Update successful")
    >> Exit ewido. DO NOT SCAN YET.
    >>
    >> Download CCleaner and install it, but do not run it yet.
    >> http://www.pcbutts1.com/downloads/ccsetup122.exe
    >>
    >> Please download this file: Revised Installer for the Nailfix Utility
    >> http://www.pcbutts1.com/downloads/nailfix1.exe
    >> Save it to your desktop.
    >> DO NOT RUN IT YET.
    >>
    >> Next configure Windows to show all files
    >>
    >> Do one of the following:
    >> In Windows XP, on the taskbar, click Start > My Computer.
    >> In Windows 2000/Me/98, on the Windows desktop, double-click the My
    >> Computer icon.
    >> Do one of the following:
    >> In Windows XP/2000/Me, on the Tools menu, click Folder Options.
    >> In Windows 98, on the View menu, click Folder Options.
    >> On the View tab, uncheck Hide file extensions for known file types.
    >> Do one of the following:
    >> In Windows XP/2000/Me, uncheck Hide protected operating system files.
    >> Then, under the "Hidden files" folder, click Show hidden files and
    >> folders. In Windows 98, in the Advanced Settings box, under the
    >> "Hidden files" folder, click Show all files.
    >> If you see a warning message, click Yes.
    >> Click Apply.
    >> Click OK.
    >>
    >> Next, please reboot your computer in SafeMode by doing the following:
    >> Restart your computer. After hearing your computer beep once during
    >> startup, but before the Windows icon appears, press F8. Instead of
    >> Windows loading as normal, a menu should appear.
    >> Select the first option, to run Windows in Safe Mode.
    >> Once in Safe Mode, please double-click on nailfix.exe.
    >> Click "Next" in the setup
    >> Make sure "Run Nailfix" is checked and click "Finish".
    >> Your desktop and icons will disappear and reappear, and a window
    >> should open and close very quickly --- this is normal.
    >>
    >> Now open ewido and do a scan of your system.
    >> Click on scanner
    >> Click on Complete System Scan and the scan will begin.
    >> NOTE: During some scans with ewido it is finding cases of false
    >> positives.** You will need to step through the process of cleaning
    >> files one-by-one. If ewido detects a file you KNOW to be legitimate,
    >> select none as the action.
    >> DO NOT select "Perform action on all infections"
    >> If you are unsure of any entry found select none for now as the
    >> action. Once the scan has completed, there will be a button located
    >> on the bottom of the screen named Save report
    >> Click Save report.
    >> Save the report .txt file to your desktop or a location where you can
    >> find it easily.
    >> **(Ewido for example has been flagging parts of AVG Anti-Virus,
    >> pcAnywhere and the game "Risk")
    >>
    >> Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
    >> Now run HijackThis, click Scan, and place a checkmark next to each of
    >> the following items:
    >>
    >> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    >>
    >> Close all open windows except for HJT, then click the Fix Checked
    >> button. Close HJT.
    >>
    >> Locate and delete the following File
    >> C:\WINDOWS\Nail.exe
    >> For Windows NT or 2000 it would be
    >> C:\winnt\Nail.exe
    >>
    >> Now run CCleaner
    >> Uncheck "Cookies" under "Internet Explorer".
    >> If running Firefox: click on the "Applications" tab and uncheck
    >> "Cookies" under "Firefox".
    >> Click on Run Cleaner in the lower right-hand corner. This can take
    >> quite a while to run.
    >>
    >> Finally, restart your computer in normal mode and please post a new
    >> HijackThis log, as well as the report log from the Ewido scan by
    >> using Add Reply.
    >>
    >> If IE is not working, the links I gave you are direct download links
    >> and should work. If they don't then paste them into another browser
    >> or explorer window. If you have no other browser then email me with a
    >> valid email address and I will send you one. We will fix IE after all
    >> the spyware is gone.

    --
  18. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    "pcbutts1" <pcbuttshead1@seedsv.cum> wrote in
    news:1124662548.cf3b34cc4689750171a2f3ba90f4b9ef@teranews:

    > Looks clean.
    >
    >
    Thank you very much,,,,but it's not and you know it.
  19. Archived from groups: microsoft.public.windowsxp.general

    LouisG wrote:

    > Okay ,, here are the two new logs,,,
    >
    > Logfile of HijackThis v1.99.1
    > Scan saved at 5:44:11 PM, on 8/21/2005
    > Platform: Windows XP SP1 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >

    Louis, don't post Hijackthis logs here. This is not the place for it.
    Post it to one of the specialty forums for it.

    Forums to Interpret HijackThis Logs:

    http://www.spywareinfo.com/forums/
    http://forum.aumha.org/viewforum.php?f=30
    http://forums.tomcoyote.org/
    http://www.wilderssecurity.com/

    --
    Rock
    MS MVP Windows - Shell/User
  20. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    That ewido log is too short; make sure you update it and run it again. Have
    HijackThis fix the following lines:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    http://www.iquicksearch.net/search.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAgOh
    WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    about:blank
    O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
    \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
    1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)

    O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    \tools.exe
    O4 - HKLM\..\RunServices: [soundman] soundman.exe
    O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    \Tools\tools.exe
    O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    \tools.exe
    O8 - Extra context menu item: &Search -
    http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    \SVCH0ST.exe" -service (file missing)

    Download, install, update and run all of the following. Make sure you update
    all of them and let them delete Altnet; it is spyware. If you want to use P2P
    software then use Limewire www.limewire.com.

    Ad-Aware
    http://www.pcbutts1.com/downloads/aawsepersonal.exe

    Spybot search and destroy
    http://www.pcbutts1.com/downloads/spybotsd14.exe

    Ewido Security Suite Trial version
    http://www.pcbutts1.com/downloads/ewidosetup.exe

    Microsoft Windows AntiSpyware (Beta1)
    http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en


    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com


    "LouisG" <imnot@home.com> wrote in message
    news:Xns96B9B65FDAFAB11241959@216.196.97.142...
    > Okay ,, here are the two new logs,,,
    >
    > Logfile of HijackThis v1.99.1
    > Scan saved at 5:44:11 PM, on 8/21/2005
    > Platform: Windows XP SP1 (WinNT 5.01.2600)
    > MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >
    > Running processes:
    > C:\WINDOWS\System32\smss.exe
    > C:\WINDOWS\system32\winlogon.exe
    > C:\WINDOWS\system32\services.exe
    > C:\WINDOWS\system32\lsass.exe
    > C:\WINDOWS\system32\svchost.exe
    > C:\WINDOWS\System32\svchost.exe
    > C:\WINDOWS\system32\spoolsv.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    > C:\Program Files\ewido\security suite\ewidoctrl.exe
    > C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    > C:\WINDOWS\System32\svchost.exe
    > C:\WINDOWS\Explorer.EXE
    > C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    > C:\Program Files\iTunes\iTunesHelper.exe
    > C:\Program Files\QuickTime\qttask.exe
    > C:\Program Files\Labtec\moffice.exe
    > C:\Program Files\MessengerPlus! 3\MsgPlus.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    > C:\Program Files\iPod\bin\iPodService.exe
    > C:\Program Files\Labtec\MOUSE32A.DAT
    > C:\WINDOWS\System32\wuauclt.exe
    > C:\WINDOWS\System32\taskmgr.exe
    > C:\WINDOWS\System32\wuauclt.exe
    > C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18
    > \2cf41f1db14bc8f414e16e1555b77108\update\update.exe
    > C:\HijackThis.exe
    >
    > R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    > http://www.iquicksearch.net/search.htm
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    > http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAgOh
    > WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    > R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    > about:blank
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title =
    > Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
    > O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
    > C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    > O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} - C:
    > \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    > O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
    > Files\Spybot - Search & Destroy\SDHelper.dll
    > O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} - C:\DOCUME~
    > 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    > O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD
    > Creator 5\DirectCD\DirectCD.exe"
    > O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes
    > \iTunesHelper.exe"
    > O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime
    > \qttask.exe" -atboottime
    > O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Labtec\moffice.exe
    > O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3
    > \MsgPlus.exe"
    > O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    > /STARTUP
    > O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    > O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    > \tools.exe
    > O4 - HKLM\..\RunServices: [soundman] soundman.exe
    > O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    > \Tools\tools.exe
    > O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    > \tools.exe
    > O8 - Extra context menu item: &Search -
    > http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    > O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:
    > \PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    > O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -
    > C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    > O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
    > 00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
    > O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    > 0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    > O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-
    > 0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    > O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -
    > C:\Program Files\Messenger\MSMSGS.EXE
    > O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-
    > 00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    > O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool)
    > - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
    > O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
    > http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuw
    > eb_site.cab?1120351775546
    > O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
    > C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    > O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
    > \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    > O23 - Service: ewido security suite control - ewido networks - C:\Program
    > Files\ewido\security suite\ewidoctrl.exe
    > O23 - Service: Intel® NetStructure(TM) VPN Client (ICService) - Unknown
    > owner - C:\Program Files\Intel\Intel NetStructure VPN Client\icsrv.exe
    > O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:
    > \Program Files\iPod\bin\iPodService.exe
    > O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
    > \soundman.exe" -service (file missing)
    > O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    > \SVCH0ST.exe" -service (file missing)
    >
    >
    > ---------------------------------------------------------
    > ewido security suite - Scan report
    > ---------------------------------------------------------
    >
    > + Created on: 5:31:27 PM, 8/21/2005
    > + Report-Checksum: D492D10F
    >
    > + Scan result:
    >
    > HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
    > HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during
    > cleaning
    > HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error
    > during cleaning
    > C:\RECYCLER\S-1-5-21-1060284298-1715567821-839522115-500\Dc8.exe ->
    > Trojan.Agent.gp : Cleaned with backup
    > C:\WINDOWS\system32\EGCOMLIB_1035.dll -> Dialer.Generic : Cleaned
    > with backup
    >
    >
    > ::Report End
    >
    >
    >
    > What do you suggest now?? And thanks for your help.
    >
    > "pcbutts1" <pcbutts1@seedsv.com> wrote in
    > news:CP2Oe.37$sV7.36@newssvr21.news.prodigy.com:
    >
    >> Ignore that other pcbutts1 he is a name forging troll. Follow the
    >> advice I give you. If you are not sure who the real one is just email
    >> me my email is valid. You can also check the message headers and my
    >> sig file at the bottom of this message.
    >>
    >> You are infected with Aurora/Nail follow the instructions below and
    >> then post another hijackthis log.
    >> Please download ewido security suite it is a free version of the
    >> program. http://www.pcbutts1.com/downloads/ewidosetup.exe
    >> Install ewido security suite
    >> When installing, under "Additional Options" uncheck..
    >> Install background guard
    >> Install scan via context menu
    >> Launch ewido, there should be an icon on your desktop, double-click
    >> it. The program will now open to the main screen.
    >> When you run ewido for the first time, you will get a warning
    >> "Database could not be found!". Click OK. We will fix this in a
    >> moment. You will need to update ewido to the latest definition files.
    >> On the left hand side of the main screen click update.
    >> Then click on Start Update.
    >> The update will start and a progress bar will show the updates being
    >> installed.
    >> (the status bar at the bottom will display "Update successful")
    >> Exit ewido. DO NOT SCAN YET.
    >>
    >> Download CCleaner and install it, but do not run it yet.
    >> http://www.pcbutts1.com/downloads/ccsetup122.exe
    >>
    >> Please download this file: Revised Installer for the Nailfix Utility
    >> http://www.pcbutts1.com/downloads/nailfix1.exe
    >> Save it to your desktop.
    >> DO NOT RUN IT YET.
    >>
    >> Next configure Windows to show all files
    >>
    >> Do one of the following:
    >> In Windows XP, on the taskbar, click Start > My Computer.
    >> In Windows 2000/Me/98, on the Windows desktop, double-click the My
    >> Computer icon.
    >> Do one of the following:
    >> In Windows XP/2000/Me, on the Tools menu, click Folder Options.
    >> In Windows 98, on the View menu, click Folder Options.
    >> On the View tab, uncheck Hide file extensions for known file types.
    >> Do one of the following:
    >> In Windows XP/2000/Me, uncheck Hide protected operating system files.
    >> Then, under the "Hidden files" folder, click Show hidden files and
    >> folders. In Windows 98, in the Advanced Settings box, under the
    >> "Hidden files" folder, click Show all files.
    >> If you see a warning message, click Yes.
    >> Click Apply.
    >> Click OK.
    >>
    >> Next, please reboot your computer in SafeMode by doing the following:
    >> Restart your computer. After hearing your computer beep once during
    >> startup, but before the Windows icon appears, press F8. Instead of
    >> Windows loading as normal, a menu should appear.
    >> Select the first option, to run Windows in Safe Mode.
    >> Once in Safe Mode, please double-click on nailfix.exe.
    >> Click "Next" in the setup
    >> Make sure "Run Nailfix" is checked and click "Finish".
    >> Your desktop and icons will disappear and reappear, and a window
    >> should open and close very quickly --- this is normal.
    >>
    >> Now open ewido and do a scan of your system.
    >> Click on scanner
    >> Click on Complete System Scan and the scan will begin.
    >> NOTE: During some scans with ewido it is finding cases of false
    >> positives.** You will need to step through the process of cleaning
    >> files one-by-one. If ewido detects a file you KNOW to be legitimate,
    >> select none as the action.
    >> DO NOT select "Perform action on all infections"
    >> If you are unsure of any entry found select none for now as the
    >> action. Once the scan has completed, there will be a button located on
    >> the bottom of the screen named Save report
    >> Click Save report.
    >> Save the report .txt file to your desktop or a location where you can
    >> find it easily.
    >> **(Ewido for example has been flagging parts of AVG Anti-Virus,
    >> pcAnywhere and the game "Risk")
    >>
    >> Download HijackThis http://www.pcbutts1.com/downloads/HijackThis.zip
    >> Now run HijackThis, click Scan, and place a checkmark next to each of
    >> the following items:
    >>
    >> F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
    >>
    >> Close all open windows except for HJT, then click the Fix Checked
    >> button. Close HJT.
    >>
    >> Locate and delete the following File
    >> C:\WINDOWS\Nail.exe
    >> For Windows NT or 2000 it would be
    >> C:\winnt\Nail.exe
    >>
    >> Now run CCleaner
    >> Uncheck "Cookies" under "Internet Explorer".
    >> If running Firefox: click on the "Applications" tab and uncheck
    >> "Cookies" under "Firefox".
    >> Click on Run Cleaner in the lower right-hand corner. This can take
    >> quite a while to run.
    >>
    >> Finally, restart your computer in normal mode and please post a new
    >> HijackThis log, as well as the report log from the Ewido scan by using
    >> Add Reply.
    >>
    >> If IE is not working, the links I gave you are direct download links
    >> and should work. If they don't then paste them into another browser or
    >> explorer window. If you have no other browser then email me with a
    >> valid email address and I will send you one. We will fix IE after all
    >> the spyware is gone.
    >>
    >>
    >>
    >>
    >
  21. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    I've got all those programs updated and it runs ,, catches Altnet ,, but
    says it can't delete as it's in memory and asks if it can run on start up
    ,, but still can't rid the system of it.


    "pcbutts1" <pcbutts1@seedsv.com> wrote in
    news:D47Oe.48$5k1.26@newssvr27.news.prodigy.net:

    > That ewido log is too short make sure you update it and run it again.
    > Have hijackthis fix the following lines
    >
    > R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    > http://www.iquicksearch.net/search.htm
    > R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    > http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAg
    > Oh WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    > R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    > about:blank
    > O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
    > C: \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    > O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
    > C:\DOCUME~ 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    >
    > O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    > \tools.exe
    > O4 - HKLM\..\RunServices: [soundman] soundman.exe
    > O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    > \Tools\tools.exe
    > O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    > \tools.exe
    > O8 - Extra context menu item: &Search -
    > http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    > O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    > \SVCH0ST.exe" -service (file missing)
    >
    > Download, install, update and run all of the following. Make sure you
    > update all of them and let them delete Altnet, it is spyware. If you
    > want to use P2P software then use Limewire www.limewire.com.
    >
    > Ad-Aware
    > http://www.pcbutts1.com/downloads/aawsepersonal.exe
    >
    > Spybot search and destroy
    > http://www.pcbutts1.com/downloads/spybotsd14.exe
    >
    > Ewido Security Suite Trial version
    > http://www.pcbutts1.com/downloads/ewidosetup.exe
    >
    > Microsoft Windows AntiSpyware (Beta1)
    > http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-
    > 4C57-A8BD-DBF62EDA9671&displaylang=en
    >
    >
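Added example, not part of any post in this thread: a small triage script for a HijackThis log pasted into a newsgroup reply, which rejoins entries that the line wrapping split and flags the kind of entries singled out above ("Unknown owner" services, "(file missing)" targets, and file names such as SVCH0ST.exe that imitate a Windows process name). The sample lines are copied from the log quoted in the thread; the list of system process names and the digit-substitution table are assumptions chosen for this example.

```python
import re

# Lines copied from the HijackThis log quoted in this thread, keeping the
# Usenet quote markers and the wrapping that split entries across lines.
SAMPLE = r"""
> O4 - HKLM\..\RunServices: [soundman] soundman.exe
> O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:
> \PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
> O23 - Service: ewido security suite control - ewido networks - C:\Program
> Files\ewido\security suite\ewidoctrl.exe
> O23 - Service: soundman - Unknown owner - C:\WINDOWS\System32
> \soundman.exe" -service (file missing)
> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
> \SVCH0ST.exe" -service (file missing)
"""

ENTRY_START = re.compile(r"^(R\d|F\d|N\d|O\d{1,2}) - ")   # HijackThis section codes
FILE_RE = re.compile(r'[^\\/\s\[\]"]+\.(?:exe|dll)\b', re.I)
# Assumption: a short list of Windows process names that malware likes to imitate.
KNOWN = {"svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
         "winlogon.exe", "csrss.exe", "smss.exe"}
# Assumption: common digit-for-letter swaps (0->o, 1->l, 3->e, 5->s).
SWAPS = str.maketrans("0135", "oles")


def parse_entries(text):
    """Strip quote markers and rejoin entries wrapped by the news client."""
    entries, joinable = [], False
    for raw in text.splitlines():
        line = re.sub(r"^[\s>]+", "", raw).rstrip()
        if not line:
            joinable = False              # a blank line ends the current entry
        elif ENTRY_START.match(line):
            entries.append(line)
            joinable = True
        elif joinable:
            # A wrap inside a path leaves a leading backslash: join without a space.
            entries[-1] += ("" if line.startswith("\\") else " ") + line
    return entries


def lookalike(name):
    """Return the system name a file imitates, or None if it does not."""
    lowered = name.lower()
    normalised = lowered.translate(SWAPS)
    return normalised if normalised in KNOWN and normalised != lowered else None


def triage(text):
    """Return (section code, entry, reasons) for every entry worth a closer look."""
    findings = []
    for entry in parse_entries(text):
        code = entry.split(" - ", 1)[0]
        reasons = []
        if "(file missing)" in entry:
            reasons.append("file missing")
        if code == "O23" and "Unknown owner" in entry:
            reasons.append("unknown owner")
        for exe in FILE_RE.findall(entry):
            target = lookalike(exe)
            if target:
                reasons.append(f"{exe} imitates {target}")
        if reasons:
            findings.append((code, entry, reasons))
    return findings


if __name__ == "__main__":
    for code, entry, reasons in triage(SAMPLE):
        print(f"[{code}] {', '.join(reasons)}\n    {entry}")
```

A flagged entry is a candidate for review rather than a verdict: "(file missing)" can also mean the file was already removed and only the registry entry remains.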
  22. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Format and reinstall.


    --

    "Instead of trying to bash me you should try to learn from me and
    archive my posts so you can better help people in the future. If you don't
    understand something I post then ask me my email is valid."

    - pcbutts1.@thisoldtreehouse.com
    - pcbutts1.@seedsv.com


    LouisG wrote:
    > I've got all those programs updated and it runs ,, catches Altnet ,,
    > but says it can't delete as it's in memory and asks if it can run on
    > start up ,, but still can't rid the system of it.
    >
    >
    > "pcbutts1" <pcbutts1@seedsv.com> wrote in
    > news:D47Oe.48$5k1.26@newssvr27.news.prodigy.net:
    >
    >> That ewido log is too short make sure you update it and run it again.
    >> Have hijackthis fix the following lines
    >>
    >> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    >> http://www.iquicksearch.net/search.htm
    >> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    >> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAg
    >> Oh WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    >> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    >> about:blank
    >> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
    >> C: \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    >> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
    >> C:\DOCUME~ 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    >>
    >> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    >> \tools.exe
    >> O4 - HKLM\..\RunServices: [soundman] soundman.exe
    >> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    >> \Tools\tools.exe
    >> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    >> \tools.exe
    >> O8 - Extra context menu item: &Search -
    >> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    >> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    >> \SVCH0ST.exe" -service (file missing)
    >>
    >> Download, install, update and run all of the following. Make sure you
    >> update all of them and let them delete Altnet, it is spyware. If you
    >> want to use P2P software then use Limewire www.limewire.com.
    >>
    >> Ad-Aware
    >> http://www.pcbutts1.com/downloads/aawsepersonal.exe
    >>
    >> Spybot search and destroy
    >> http://www.pcbutts1.com/downloads/spybotsd14.exe
    >>
    >> Ewido Security Suite Trial version
    >> http://www.pcbutts1.com/downloads/ewidosetup.exe
    >>
    >> Microsoft Windows AntiSpyware (Beta1)
    >> http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-
    >> 4C57-A8BD-DBF62EDA9671&displaylang=en
  23. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    Ad-aware and spybot will get it.

    --


    The best live web video on the internet http://www.seedsv.com/webdemo.htm
    NEW Embedded system W/Linux. We now sell DVR cards.
    See it all at http://www.seedsv.com/products.htm
    Sharpvision simply the best http://www.seedsv.com


    "LouisG" <imnot@home.com> wrote in message
    news:Xns96B9BB477465C11241959@216.196.97.142...
    > I've got all those programs updated and it runs ,, catches Altnet ,, but
    > says it can't delete as it's in memory and asks if it can run on start up
    > ,, but still can't rid the system of it.
    >
    >
    > "pcbutts1" <pcbutts1@seedsv.com> wrote in
    > news:D47Oe.48$5k1.26@newssvr27.news.prodigy.net:
    >
    >> That ewido log is too short make sure you update it and run it again.
    >> Have hijackthis fix the following lines
    >>
    >> R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL =
    >> http://www.iquicksearch.net/search.htm
    >> R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
    >> http://www.ifmvfyojbuqhzwmrrthdou.com/tXqXi73nsPy1MshyBoNpdy1wWwXuDDvAg
    >> Oh WVpwQWGcyhr1BiqNldfHza2mEDP8C.jpg
    >> R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) =
    >> about:blank
    >> O2 - BHO: Scriptlet.Tools - {3E4563A4-2A9B-4912-BE38-906A0CB702CC} -
    >> C: \DOCUME~1\ALLUSE~1\APPLIC~1\Tools\tools.dll
    >> O2 - BHO: (no name) - {611559C3-4AE0-E79B-345C-EDD8928B0427} -
    >> C:\DOCUME~ 1\Alex\APPLIC~1\COOLMP~1\borerect.exe (file missing)
    >>
    >> O4 - HKLM\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    >> \tools.exe
    >> O4 - HKLM\..\RunServices: [soundman] soundman.exe
    >> O4 - HKLM\..\RunServices: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1
    >> \Tools\tools.exe
    >> O4 - HKCU\..\Run: [\tools.exe] C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tools
    >> \tools.exe
    >> O8 - Extra context menu item: &Search -
    >> http://bar.mywebsearch.com/menusearch.html?p=ZSzeb04440US
    >> O23 - Service: Wi2n loahder - Unknown owner - C:\WINDOWS\System32
    >> \SVCH0ST.exe" -service (file missing)
    >>
    >> Download, install, update and run all of the following. Make sure you
    >> update all of them and let them delete Altnet, it is spyware. If you
    >> want to use P2P software then use Limewire www.limewire.com.
    >>
    >> Ad-Aware
    >> http://www.pcbutts1.com/downloads/aawsepersonal.exe
    >>
    >> Spybot search and destroy
    >> http://www.pcbutts1.com/downloads/spybotsd14.exe
    >>
    >> Ewido Security Suite Trial version
    >> http://www.pcbutts1.com/downloads/ewidosetup.exe
    >>
    >> Microsoft Windows AntiSpyware (Beta1)
    >> http://www.microsoft.com/downloads/details.aspx?FamilyId=321CD7A2-6A57-
    >> 4C57-A8BD-DBF62EDA9671&displaylang=en
    >>
    >>
    >
  24. Archived from groups: microsoft.public.windowsxp.general

    Thank you!

    --

    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com
    http://www.kellys-korner-xp.com/taskbarplus!.htm


    "Rock" <rock@mail.nospam.net> wrote in message
    news:eM%23BIYspFHA.616@TK2MSFTNGP15.phx.gbl...
    > LouisG wrote:
    >
    >> Okay ,, here are the two new logs,,,
    >>
    >> Logfile of HijackThis v1.99.1
    >> Scan saved at 5:44:11 PM, on 8/21/2005
    >> Platform: Windows XP SP1 (WinNT 5.01.2600)
    >> MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    >>
    >
    > Louis, don't post Hijackthis logs here. This is not the place for it.
    > Post it to one of the specialty forums for it.
    >
    > Forums to Interpret HijackThis Logs:
    >
    > http://www.spywareinfo.com/forums/
    > http://forum.aumha.org/viewforum.php?f=30
    > http://forums.tomcoyote.org/
    > http://www.wilderssecurity.com/
    >
    > --
    > Rock
    > MS MVP Windows - Shell/User
    >
  25. Archived from groups: alt.os.windows-xp,microsoft.public.windowsxp.general

    You don't have a problem, but it could be spyware so format and reinstall.


    --

    "Instead of trying to bash me you should try to learn from me and
    archive my posts so you can better help people in the future. If you don't
    understand something I post then ask me my email is valid."

    - pcbutts1.@thisoldtreehouse.com
    - pcbutts1.@seedsv.com


    LouisG wrote:
    > I have a computer that i'm working on ,, and i have discovered a
    > little oddity and can't find an answer to.
    >
    > I open up task manager and i find a weird looking file running in the
    > process , let's call this file ekfitve.exe for example ,, then i find
    > this file in c:\windows\system32 folder ,,, if i put both windows
    > side by side and then end the process in task mgr ,, i can see this
    > file change it's name right in front of me ,,,then it appears with
    > that name in task mgr.
    >
    > The file is always a weird combo of letters and it never seems to
    > repeat itself ,,, i've tried deleting the file ,,but of course can't
    > access it and i've tried going through Xp's repair option to try and
    > get it before it loads ,, but of course with it changing it's name ,,
    > what do i look for? There's no way of locating it.
    >
    > I was thinking of one last shot of getting this bugger ,,with any
    > help from here , before deep sixing the system and starting from
    > scratch.
    >
    > Any suggestions????
    >
    > Thanks , Gord

    --
  26. Archived from groups: microsoft.public.windowsxp.general

    Kelly wrote:

    > Thank you!
    >

    YW...nice seeing you back, though only occasionally.

    --
    Rock
    MS MVP Windows - Shell/User
  27. Archived from groups: microsoft.public.windowsxp.general

    Thank you, Rock. Is nice to be missed, I think! <w>

    Have been so busy with school taking back in.

    --

    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com
    http://www.kellys-korner-xp.com/taskbarplus!.htm


    "Rock" <rock@mail.nospam.net> wrote in message
    news:uzddiR8pFHA.2776@TK2MSFTNGP10.phx.gbl...
    > Kelly wrote:
    >
    >> Thank you!
    >>
    >
    > YW...nice seeing you back, though only occasionally.
    >
    > --
    > Rock
    > MS MVP Windows - Shell/User
    >
  28. Archived from groups: microsoft.public.windowsxp.general

    Kelly wrote:

    > Thank you, Rock. Is nice to be missed, I think! <w>
    >
    > Have been so busy with school taking back in.
    >

    Lol..rereading what I wrote it could be interpreted as meaning
    occasionally it's nice to see you back here, or...it's nice seeing you
    back here since lately it's been only occasionally. I'm sure you know
    which branch I meant ;-)

    You're going back to school...

    --
    Rock
    MS MVP Windows - Shell/User
  29. Archived from groups: microsoft.public.windowsxp.general

    Caught the correct branch and thanks again! <w>

    As for school, not me three degrees are enough. Will get to my masters one
    day (I hope)!

    Meant my boys still at home. High School took back for them two weeks now.
    Summer was short and Halo2 driven. I survived that; however, the 360 is
    just around the corner. :o)

    --

    All the Best,
    Kelly (MS-MVP)

    Troubleshooting Windows XP
    http://www.kellys-korner-xp.com
    http://www.kellys-korner-xp.com/taskbarplus!.htm


    "Rock" <rock@mail.nospam.net> wrote in message
    news:%23rWPyuIqFHA.2240@tk2msftngp13.phx.gbl...
    > Kelly wrote:
    >
    >> Thank you, Rock. Is nice to be missed, I think! <w>
    >>
    >> Have been so busy with school taking back in.
    >>
    >
    > Lol..rereading what I wrote it could be interpreted as meaning
    > occasionally it's nice to see you back here, or...it's nice seeing you
    > back here since lately it's been only occasionally. I'm sure you know
    > which branch I meant ;-)
    >
    > You're going back to school...
    >
    > --
    > Rock
    > MS MVP Windows - Shell/User
    >
  30. Archived from groups: microsoft.public.windowsxp.general

    Kelly wrote:
    > Caught the correct branch and thanks again! <w>
    >
    > As for school, not me three degrees are enough. Will get to my masters one
    > day (I hope)!
    >
    > Meant my boys still at home. High School took back for them two weeks now.
    > Summer was short and Halo2 driven. I survived that; however, the 360 is
    > just around the corner. :o)
    >

    It's always something.

    --
    Rock
    MS MVP Windows - Shell/User