Could someone help me remove these popups!

lordkirky · 01-28-2005, 01:43 AM

For the past couple of days i've been getting popups without even opening explorer, new shortcuts on my desktop, and a rundll 'umonitor' error every time i startup. could someone plz help me remove these things!!

i have adaware se, spybot s&d, spysweeper, and some other antispyware progs but when i remove all the stuff the problems still come up.

here's a hjt log, i tried removing those 01 things but they come back =/

Logfile of HijackThis v1.98.0
Scan saved at 7:42:37 PM, on 28/01/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\SED\SED.exe
C:\Program Files\MYIE2\MyIE.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\NP.NGUYEN\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {2BCFB6CC-18FC-60A4-E59F-42D71720123D} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095065362421
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://download.35mb.com/images/applet/applet_y.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} (CounterX Class) - http://t058.com/cabtest/counter.cab

greyknight17 · 01-28-2005, 09:11 AM

Welcome to TSF.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

C:\Program Files\SED\SED.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

VBouncer

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O2 - BHO: (no name) - {2BCFB6CC-18FC-60A4-E59F-42D71720123D} - (no file)
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\SED\
C:\Program Files\VBouncer\

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Do this now - post them along with your updated hijackthis log:

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Please download the following programs required for the removal process:

Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe
PV http://www.greyknight17.com/spy/pv.zip
VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe
Hoster http://www.greyknight17.com/spy/Hoster.exe
CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe
KillBox http://www.greyknight17.com/spy/KillBox.exe
notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it.

Please follow the steps below:

1. Download/run the following uninstallers:

Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller
IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip
ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip

2. Run Kill2Me.

3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!).
a) Open that folder on your Desktop and double click on the runme.bat file.
b) Type in 3 and hit your Enter key. Save the log file.
c) Type in 5 and hit your Enter key. Save the log file.
d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below.

4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later.

5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later.

We also need a list of files in the following folders:

C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here.
C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious.

Post all of the logs in your next post. We need them all to get a fix for this infection.

01-28-2005, 01:43 AM	#1 (permalink)
lordkirky Registered User Join Date: Jan 2005 Posts: 1 OS: XP	Could someone help me remove these popups! For the past couple of days i've been getting popups without even opening explorer, new shortcuts on my desktop, and a rundll 'umonitor' error every time i startup. could someone plz help me remove these things!! i have adaware se, spybot s&d, spysweeper, and some other antispyware progs but when i remove all the stuff the problems still come up. here's a hjt log, i tried removing those 01 things but they come back =/ Logfile of HijackThis v1.98.0 Scan saved at 7:42:37 PM, on 28/01/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\System32\RUNDLL32.EXE C:\Program Files\D-Tools\daemon.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\Program Files\SED\SED.exe C:\Program Files\MYIE2\MyIE.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Documents and Settings\NP.NGUYEN\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.smh.com.au O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: (no name) - {2BCFB6CC-18FC-60A4-E59F-42D71720123D} - (no file) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe O4 - HKLM\..\Run: [mswspl] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe" O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE O4 - Global Startup: Remote Controller.lnk = C:\Program Files\Prolink\PlayTV Pro\TVRMVCR.EXE O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1095065362421 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab O16 - DPF: {771A1334-6B08-4A6B-AEDC-CF994BA2CEBE} (Installer Class) - http://download.35mb.com/images/applet/applet_y.cab O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B4F32846-56DD-4CF5-94FD-17DE1A12E9EB} (CounterX Class) - http://t058.com/cabtest/counter.cab

01-28-2005, 09:11 AM	#2 (permalink)
greyknight17 Analyst, Security Team Join Date: Jul 2004 Location: New York Posts: 14,327 OS: Windows 98 & Windows XP Home/Pro My System	Welcome to TSF. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): C:\Program Files\SED\SED.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: VBouncer Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O1 - Hosts: 69.20.16.183 auto.search.msn.com O1 - Hosts: 69.20.16.183 search.netscape.com O1 - Hosts: 69.20.16.183 ieautosearch O2 - BHO: (no name) - {2BCFB6CC-18FC-60A4-E59F-42D71720123D} - (no file) O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe" O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist: C:\Program Files\SED\ C:\Program Files\VBouncer\ Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum. Do this now - post them along with your updated hijackthis log: Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready): Please download the following programs required for the removal process: Kill2Me http://www.greyknight17.com/spy/Kill2Me.exe PV http://www.greyknight17.com/spy/pv.zip VX2Finder(126) http://www.greyknight17.com/spy/VX2Finder(126).exe Hoster http://www.greyknight17.com/spy/Hoster.exe CleanUp! http://cleanup.stevengould.org/ or http://www.greyknight17.com/spy/Cleanup.exe KillBox http://www.greyknight17.com/spy/KillBox.exe notify.bat - right click on this link http://www.greyknight17.com/spy/notify.bat and choose Save As...Save it. Please follow the steps below: 1. Download/run the following uninstallers: Look2Me Uninstaller http://www.look2me.com/cgi-bin/UnInstaller IGN Keyword Uninstaller http://www.greyknight17.com/spy/NLNUninstall.zip ClearSearch Uninstaller http://www.greyknight17.com/spy/ClrSchUninstall.zip 2. Run Kill2Me. 3. Unzip the pv.zip files contents to your Desktop (NOTE: It MUST be on your Desktop!). a) Open that folder on your Desktop and double click on the runme.bat file. b) Type in 3 and hit your Enter key. Save the log file. c) Type in 5 and hit your Enter key. Save the log file. d) Remember to copy and paste both of these log files in the forum AFTER you are finished with the rest of the steps below. 4. Run notify.bat and it should open up a notify.txt Notepad file. Copy and paste this in the forum later. 5. Run VX2Finder(126) and click on the Find VX2.BetterInternet button. Click Make Log and post this in the forum later. We also need a list of files in the following folders: C:\WINDOWS\Downloaded Program Files\ - for these files, if they just have numbers as the filename, right click on them and go to Properties to see what they are. Post the description for each of those here. C:\Program Files\Internet Explorer\ - there might be a download folder here. We are looking for any randomly named files. Post anything that looks suspicious. Post all of the logs in your next post. We need them all to get a fix for this infection. __________________ Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it. Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D Anti-Spyware Tutorial :: Spyware Prevention Tools