Dreq

Hi,

Been having more trouble than usual with spyware of late. Repeated cleansings with various spyware removers haven't seemed to get it all. I followed the instructions on www.grayknight17.com/spyware.htm, and am down to this.

I ran HJT in normal Windows XP mode after I had used task manager to shut down all processes, except for itself and CCAPP.exe, whatever that is (says I can't shut it down.) I'm not sure whether I was supposed to do that, or run HJT in safe mode without shutting programs down. Either way, here is the HJT log after being put through the KRC Hijack This Analyzer.

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 1:34:30 AM, on 1/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\wuyyyq.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.emachines.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {7ABD20BD-B65C-938A-7966-9ADC4968B0CA} - C:\WINDOWS\system32\jpzu.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ntxp2] C:\WINDOWS\system32\ntxp2.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\dolsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\aklsp.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15009/CTSUEng.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23f218931170f41...p/RdxIE601.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15010/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{953C40DC-200E-4E10-A7E8-7CFDE0DF6765}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe


End of KRC HijackThis Analyzer Log.
====================================================================

Thanks a lot for any help :).

Pancake

Hi and Welcome
It may help you if you print out or copy this page for easy reference.. Make sure to work through the fixes in the exact order. Please Keep your browser closed when you are carrying out the fixes.Please do not run HJT on the desktop or a temp folder.Its best run in a dedicated folder of its own.

First get the LSPFix and run it....To remove aklsp.dll and dolsp.dll from your winsock layers click the "I know what I'm doing" checkbox and check all the instances of aklsp.dll and dolsp.dll (and nothing else). Then move checked file/s to the "Remove" pane and click Finish and reboot.


Make sure to run Adaware and Spybot (check for updates) for a preliminary cleanup first.Some files below may not be present after running the above programs



Then....
Run hjt in safe mode... HOW TO RUN SAFE MODE and have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes and selecting "fix checked".Please post a new log when finished.

With the EXE files that have been selected go into HijackThis/Config/Misc/Tools/ and open process manager. Select the EXE files (if they are there) and click Kill process before deleting.

Have your system set to show hidden files and folders.. HOW TO SHOW FILES. When done download Cleanup to clean out your tempory files.

Folders that have been highlighted RED in the log will need to be uninstalled.Check first as some folders maybe uninstalled via the Add/Remove program.

Files highlighted in BLACK in the log will need to be removed from your hard drive.

R3 - URLSearchHook: (no name) - _{20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: BTGrabObj Class - {00000000-F09C-02B4-6EC2-AD0300000000} - C:\WINDOWS\BTGrab.dll
O2 - BHO: (no name) - {7ABD20BD-B65C-938A-7966-9ADC4968B0CA} - C:\WINDOWS\system32\jpzu.dll
O3 - Toolbar: (no name) - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - (no file)
O4 - HKLM\..\Run: [SESync] "C:\Program Files\SED\SED.exe"
O4 - HKLM\..\Run: [Dvx] C:\WINDOWS\system32\wsxsvc\wsxsvc.exe
O4 - HKLM\..\Run: [ntxp2] C:\WINDOWS\system32\ntxp2.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [lmu] C:\WINDOWS\LMU.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [TV Media] C:\Program Files\TV Media\Tvm.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/23f218931170f4...ip/RdxIE601.cab
O23 - Service: LicCtrl Service - Unknown - C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\wuyyyq.exe

Dreq

First of all, thanks for the helpful and quick response. You guys are doing a great service to us poor spyware-infested people. Keep up the good work.

Here is my new HJT log, after being put through the Hijack This Analyzer:

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 1/23/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.0
Scan saved at 1:43:09 PM, on 1/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Drew\Application Data\Mozilla\Profiles\default\7ck5h7pg.slt\prefs.js)
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wuyyyq.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Drew\Application Data\rpen.exe
O4 - HKCU\..\Run: [Qyujfdf] C:\WINDOWS\system32\??rvices.exe
O4 - Global Startup: BigFix.lnk.disabled
O4 - Global Startup: hgyyyf.exe
O4 - Global Startup: Microsoft Office.lnk.disabled
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab28578.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su-newocx/ocx/15009/CTSUEng.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay102.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/soft...ch/alaunch.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...tatsClient.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su-newocx/ocx/15010/CTPID.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...reShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{953C40DC-200E-4E10-A7E8-7CFDE0DF6765}: NameServer = 205.171.3.65,205.171.2.65
O23 - Service: ENUFF XP Service - Akrontech - C:\WINDOWS\system32\CVSEXPSS.EXE


End of KRC HijackThis Analyzer Log.
====================================================================

Thanks again.

greyknight17

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should not have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that Display the contents of System Folders' is checked. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer. After we are finished with your log file and verified that it's clean, you may turn it back on and create a new restore point.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O4 - HKLM\..\Run: [Narrator] C:\WINDOWS\system32\wuyyyq.exe
O4 - HKCU\..\Run: [Usrr] C:\Documents and Settings\Drew\Application Data\rpen.exe
O4 - HKCU\..\Run: [Qyujfdf] C:\WINDOWS\system32\??rvices.exe
O4 - Global Startup: hgyyyf.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{953C40DC-200E-4E10-A7E8-7CFDE0DF6765}: NameServer = 205.171.3.65,205.171.2.65

Do you know what the following program(s) are for?

O23 - Service: ENUFF XP Service - Akrontech - C:\WINDOWS\system32\CVSEXPSS.EXE

If you don't know what it's for, do the following:
I can't find enough information for this file -> C:\WINDOWS\system32\CVSEXPSS.EXE
Right click on that file and go to Properties. Then go to the Version tab and see what information you can get from there (Company, Description, etc.) and post it here.

Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\WINDOWS\system32\wuyyyq.exe
C:\Documents and Settings\Drew\Application Data\rpen.exe
C:\WINDOWS\system32\??rvices.exe - do a search for ??rvices.exe and right click and go to Properties. Then go to the Version tab and see if it's from Microsoft. Do this for each file found.
hgyyyf.exe

Reboot into Normal Mode and run new HijackThis scan. If there were some entries that didn't show up in Safe Mode, you may check and fix those that appear now in normal mode (if you do that, make sure to run a new scan again). Save the log file and run KRC HijackThis Analyzer in the same folder to get the result.txt log. Just post the contents of the result.txt file in the forum.

Do this now - post the along with the updated HijackThis log:

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! (Alternate Link if main link don't work) and install it. Do not run it yet.

Before doing anything, MAKE SURE that you can keep your computer on (at least until we get it fixed). This infection requires us to detect and remove it without rebooting or restarting your computer (unless the instructions say so). If you can't keep your computer on today, then I suggest that you don't get the logs yet until you are ready. With that said (when ready):

Open up HijackThis and go to Config->Misc Tools and check the first two boxes there. Now click on the Generate StartupList log button. Post that log in your next post.

Right click on this link and choose Save As...Save it to your Desktop. Make sure you have disabled any programs that may block/disable scripts (ex: Ad-Watch, TeaTimer, Norton, etc.). Double click on Silent Runners to run it. This will take a few minutes. It will create a file called Startup Programs followed by your computer name and current date. Open up that file and post all the contents here in your next post.

Download Find-qoologic. Unzip the files to your Desktop. Open the qoologic folder and run the qoologic.bat file. Wait a few minutes for it to finish. When the dos window disappears, go to your C: drive and open up the log.txt file. Copy and paste the whole log in your next post.

Download DllCompare and run it. Click on the Locate.com button. Wait a few seconds and then click on the Compare button. Let it run, then click on Make a log of what was found. Post that log here. Note: If you are having problems using DllCompare (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now run DllCompare.

Post all of the logs in your next post. We need them all to get a fix for this infection.

__________________
Please do NOT PM me. Post whatever questions you may have in the forum and we will take a look at it when we get to it. If you have waited for more than 3 days, you may then and ONLY then PM me for assistance. I will take a look at it.

Adaware :: CWShredder :: HijackThis :: Panda ActiveScan :: Spybot S&D

Anti-Spyware Tutorial :: Spyware Prevention Tools