Google Problems

[porcupinepete]

Whenever I type in http://www.google.com or http://www.google.ca, I am taken to Topsearch10.com. Each time I'm re-directed there, a virus warning comes up. Is there any way I can get this address to access google, instead of Topsearch? I've run adware checkers and virus checkers, but I can't get to google, and I really miss it. I've checked the registry, too, and am very frustrated with this. Thanks in advance for any help
don

[Detah]

you have a hijacker.
Please post your HiJackThis Log in the HiJackThis Log section of this forum.

HijackThis instructions (~208kB)

• Download HiJackThis v1.99.1 (written by Merijn Bellekom) from
  http://www.spywareinfo.com/~merijn/downloads.html
  Save HijackThis.exe into its own permanent directory, NOT in a TEMPorary folder or on the DESKTOP. Temporary folders get cleaned out periodically and are often destinations for viruses and spyware. So you don't want it there. If you place HJT on the Desktop, then all of your logs and backups will get spread out over the desktop. That is not efficient. For simplicity, I recommend c:/program files/HJT/
  Important: Close all windows/programs, internet connections and especially internet browsers before scanning and fixing with HJT.
• Doubleclick HijackThis.exe. Config | Misc Tools | Check for update online, save into your permanent directory. If you find a new version, then close HJT. Unzip into permanent directory. Replace file=Yes.
• Doubleclick HijackThis.exe. Press the <Scan> button
  DO NOT FIX ANYTHING YET!! Most of the entries found in a HiJackThis scan are programs/files which are REQUIRED for your computer to operate normally.
• Press the <Save Log> button and save into your HJT folder. Change the file name to HJT 9-22-04a.log or some similar dating nomenclature so you can identify each log
• The log should automatically open in Notepad. If not, open the log file from any text editor (Notepad, MS Word, Word Perfect, etc)
• Copy/paste the results here in this forum and let an expert evaluate it for you.
• Close HiJackThis//

----------------------------------------------------------------

[porcupinepete]

Logfile of HijackThis v1.99.0
Scan saved at 9:26:16 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
C:\WINDOWS\system32\NVAREM.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\Hmjevu.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\AnyDVD\AnyDVD.exe
C:\Program Files\CounterSpy Client\sunasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\3l178sbc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\System32\x10nets.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_p...ount_id=132556
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.199.231.174 www.google.com
O1 - Hosts: 66.199.231.174 google.com
O1 - Hosts: 66.199.231.174 www.google.co.uk
O1 - Hosts: 66.199.231.174 google.co.uk
O1 - Hosts: 66.199.231.174 www.google.ca
O1 - Hosts: 66.199.231.174 google.ca
O1 - Hosts: 66.199.231.174 www.google.es
O1 - Hosts: 66.199.231.174 google.es
O1 - Hosts: 66.199.231.174 www.google.de
O1 - Hosts: 66.199.231.174 google.de
O1 - Hosts: 66.199.231.174 www.google.fr
O1 - Hosts: 66.199.231.174 google.fr
O1 - Hosts: 66.199.231.174 www.google.com.au
O1 - Hosts: 66.199.231.174 google.com.au
O1 - Hosts: 66.199.231.173 www.yahoo.com
O1 - Hosts: 66.199.231.173 yahoo.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.176.190 search.msn.com
O1 - Hosts: 66.199.231.171 astalavista.com
O1 - Hosts: 66.199.231.171 www.astalavista.com
O1 - Hosts: 66.199.231.171 astalavista.box.sk
O1 - Hosts: 66.199.231.171 www.astalavista.box.sk
O1 - Hosts: 66.199.231.171 cracks.am
O1 - Hosts: 66.199.231.171 www.cracks.am
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch3.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WINSCHEDULER] C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [NVIDIA Remote Control Panel] NVAREM.EXE /S /Q /R /L /A1 /B0 /C0 /D2 /E0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Hmjevu.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [3l178sbc] C:\WINDOWS\system32\3l178sbc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Event Reminder.lnk = ?
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/applet...applet-epf.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/2...l/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service - X10 - C:\WINDOWS\System32\x10nets.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Detah]

Hello and welcome to TSF-

You have several problems that we need to address. We will be using several anti-spyware, anti-adware and anti-hijack programs. I recommend that you keep these programs on your system permanently.
Only use Hijack This under the guidance of an expert! Accidentally deleting something can disable your operating system. Print out these instructions so you may reference them without any programs open. It is very important that no programs (especially internet browsers) are running when implementing these fixes. [You may leave your firewall and virusscanner running, of course.]
----------------------------------------------------------------
Show Hidden Files instructions (WinXP)
Doubleclick My Computer | Tools | Folder Options | View tab
Select Show Hidden Files and Folders
Uncheck Hide extensions for known file types
Uncheck Hide protected operating system files (Recommended)
Select Apply to All Folders | Yes | Apply | OK
----------------------------------------------------------------
Turn off System Restore instructions (WinXP)
Rightclick My Computer | Properties | System Restore | check “Turn off System Restore”, <Apply>, <OK>. Reboot. When we have confirmed that your log file is clean, you may renable System Restore and create a new restore point.
----------------------------------------------------------------
You have a variant of the CoolWebSearch trojan. Please download and run CWShredder.

CWShredder instructions (137 kB)
Download CWShredder v2 (written by Merijn Bellekom) from
http://www.intermute.com/spysubtract..._download.html
Choose the stand alone version. This is free.
Save cwshredder.exe into its own directory, NOT in a TEMPorary folder or on the DESKTOP.
I recommend, c:/program files/CWShredder/

• Close all browsers
• Unzip into same directory
• Doubleclick CWSInstall.exe
• Click <Check for updates> and let it install all updates
• Click <Fix>
  If it asks you to delete a file, write down the whole path and file name and choose <No>. Post it to the forums.
• Click <Next>
• Close CWShredder//

----------------------------------------------------------------
Regarding C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
This could be 2 different files and I need to be sure which one before taking any action. Please navigate to this location in your Windows Explorer and look at the filename. Is the whole filename WinSched.exe or WinScheduler.exe? Please report the full path (with no tildas) and full filename (with no tildas) in your next post.
----------------------------------------------------------------
Regarding O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
There is a goodguy file called systray.exe, which resides in C:\Windows\System32\
Any files of that name in any other location are all badguys. please search with Windows Explorer and report the full path of every instance found.
----------------------------------------------------------------
Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Config | Misc Tools | Open process manager. Select the following and click <Kill process> for each one if they are still listed (they may not be, and that's ok):

C:\WINDOWS\system32\Hmjevu.exe
C:\WINDOWS\system32\3l178sbc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
*C:\PROGRA~1\INCRED~1\bin\IMApp.exe
This is Incredimail
Caution! The freeware version of this program is adware and phones home frequently to upload ads to your computer. It is unclear at this time if this program is responsible for host file edits. see here for more
http://www.broadbandreports.com/foru...ty,1~mode=flat
If you have the freeware version of Incredimail, I recommend that you uninstall it now and remove all files as outlined below. I will mark them with an asterisk (*). If you are in need of a good free email client, I would be glad to make some recommendations.

----------------------------------------------------------------
Uninstall the following (from Start | Settings | Control Panel | Add/Remove Programs) if they exist:

*Incredimail
ISTBar

----------------------------------------------------------------
Open HiJackThis | Scan,
Put a check next to the following items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.couldnotfind.com/search_...count_id=132556
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O1 - Hosts: 66.199.231.174 www.google.com
O1 - Hosts: 66.199.231.174 google.com
O1 - Hosts: 66.199.231.174 www.google.co.uk
O1 - Hosts: 66.199.231.174 google.co.uk
O1 - Hosts: 66.199.231.174 www.google.ca
O1 - Hosts: 66.199.231.174 google.ca
O1 - Hosts: 66.199.231.174 www.google.es
O1 - Hosts: 66.199.231.174 google.es
O1 - Hosts: 66.199.231.174 www.google.de
O1 - Hosts: 66.199.231.174 google.de
O1 - Hosts: 66.199.231.174 www.google.fr
O1 - Hosts: 66.199.231.174 google.fr
O1 - Hosts: 66.199.231.174 www.google.com.au
O1 - Hosts: 66.199.231.174 google.com.au
O1 - Hosts: 66.199.231.173 www.yahoo.com
O1 - Hosts: 66.199.231.173 yahoo.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.176.190 search.msn.com
O1 - Hosts: 66.199.231.171 astalavista.com
O1 - Hosts: 66.199.231.171 www.astalavista.com
O1 - Hosts: 66.199.231.171 astalavista.box.sk
O1 - Hosts: 66.199.231.171 www.astalavista.box.sk
O1 - Hosts: 66.199.231.171 cracks.am
O1 - Hosts: 66.199.231.171 www.cracks.am
O2 - BHO: (no name) - {1E1B2879-88FF-11D2-8D96-D7ACAC95951F} - (no file)
O3 - Toolbar: (no name) - {A6790AA5-C6C7-4BCF-A46D-0FDAC4EA90EB} - (no file)
O3 - Toolbar: (no name) - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - (no file)
O3 - Toolbar: Search Toolbar - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - C:\WINDOWS\system32\azesearch3.ocx
*O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [secure] C:\WINDOWS\system32\Hmjevu.exe
O4 - HKLM\..\Run: [Tsl2] C:\PROGRA~1\COMMON~1\tsa\tsl2.exe
O4 - HKLM\..\Run: [3l178sbc] C:\WINDOWS\system32\3l178sbc.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - Global Startup: Kodak software updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
O4 - Global Startup: Event Reminder.lnk = ?
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-seg.gc.ca/apple...sapplet-epf.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/cab/prod/DD_v4.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/...ll/gtdownls.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -


Confirm that you have only the ones above checked, then press <Fix checked>
Close HJT
----------------------------------------------------------------
Open Windows Explorer
Now delete the following files (or delete the whole folder if no specific file is given):

C:\WINDOWS\system32\Hmjevu.exe
C:\WINDOWS\system32\3l178sbc.exe
C:\Program Files\Kodak\KODAK Software Updater\7288971\Program\backWeb-7288971.exe
*C:\PROGRA~1\INCRED~1\
C:\WINDOWS\system32\azesearch3.ocx
C:\PROGRA~1\COMMON~1\tsa\

----------------------------------------------------------------
* Empty your c:/windows/temp/ or c:/winnt/temp/ folder. Note: only empty the contents of the folder, leave the folder there.
* Empty your C:/Documents and Settings/LocalService/Local Settings/Temp/
* Empty your C:/Documents and Settings/<All other usernames including Default User and Administrator>/Local Settings/Temp/
* Now empty your Recycle Bin.
* Reboot in Normal Mode.
----------------------------------------------------------------
You have item(s) in your Trusted Zone. This is not safe. There should never ever be anything in here. Badguys hijack known good sites everyday. So don't give them free access to your machine.
To check it periodically go to
IE | Tools | Internet Options | Security tab | Highlight Trusted Sites | Click Sites.
Make sure it is empty
----------------------------------------------------------------
You should run an online virus scan. Select one or more of the following. Online virus scans can be superior to PC scans because some malware can infect your PC virus scanner by disabling it or corrupting the definition files. Select Autoclean if you use TrendMicro's Housecall.
Panda at http://www.pandasoftware.com/actives..._principal.htm
Housecall at http://housecall.trendmicro.com/
RAV Antivirus at http://www.ravantivirus.com/scan
Reboot.
----------------------------------------------------------------
Here are two essential anti-spyware programs which you should run regularly. Updates for these programs come out weekly. Please install, configure and run them both now.

Spybot Search & Destroy instructions (~3.5MB)

• Download Spybot (written by Patrick Kolla). Click <download> from
  http://www.safer-networking.org/
  Save spybotsd13.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/spybot/
• Doubleclick spybotsd13.exe. Make sure to direct the program to install in the c:/program files/spybot/ directory, NOT the default directory.
• Open Spybot from Start | Programs | Spybot | Spybot S&D
• Select <Search for Updates>. Let it install all updates. This is very important!
• Select <Immunize>
• Select <Check for Problems>
• Check all entries that are in RED. Only RED, NOTHING ELSE. For your records, write/print out each item that you have fixed. Date it.
• Select <Fix Selected Problems>
• Close Spybot//

Ad-Aware instructions (2563 kB)

• Download Ad-Aware SE build 1.05 (written by Lavasoft) from
  http://www.lavasoft.de/
  If you have a previous version of AdAware installed, you will be prompted to uninstall or keep the older version during installation. Be sure to choose Uninstall The Previous Version. Save aawsepersonal.exe into its own directory, NOT in a TEMPorary folder or on the Desktop. I recommend c:/program files/Adaware/
• Doubleclick aawsepersonal.exe. Make sure to direct the program to install in the c:/program files/adaware/ directory, NOT the default directory.
• Open AdAware from Start | Programs | Lavasoft | AdAware.
• Select <Check for updates now>, <Proceed>
• Setting adjustments. [[Green = checked]] Click the Gear Icon in the top right corner. New settings:
  
  • By default you begin in the <General> section. The following should be checked:
    
    • Automatically save logfile
    • Automatically quarantine objects prior to removal
    • Safe Mode (always request confirmation)
    • Prompt to update outdated confirmation - change to "7 days"
  • Click <Scanning>
    
    • Check Scan within Archives
    • Select "Select drives & folders to scan", check all of your harddrives. Usually its just c:/, <Proceed>
    • Under Memory & Registry, select all options
  • Click <Advanced>
    
    • Under Shell Integration, select "Move deleted files to Recycle Bin"
    • Under Logfile detail, select all options
  • Click <Defaults>
    
    • Type in the full URL of what you want as your default homepage and search page eg. http://www.google.com
      
  • Click <Tweak>
    
    • Expand Scanning Engine and make sure the following are selected:
      
      • Unload recognized processes during scanning
      • Obtain command line of scanned processes
      • Scan registry for all users instead of current user only
    • Expand Cleaning Engine and make sure the following are selected:
      
      • Always try to unload modules before deletion
      • During removal, unload explorer and IE if necessary
      • Let Windows remove files in use at next reboot
      • Delete quarantined objects after restoring
    • Expand Safety Settings and make sure the following are selected:
      
      • Write-protect system files after repair (Hosts file, etc)
        
• Click <Proceed> | <Start> | select Use custom scanning options | <Next>
• When the scan is finished, rightclick on any entry and choose <Select All Objects>.
• Select <Clean>
• Close AdAware//

When you are done, post a new HJT log.

[porcupinepete]

You wanted this path: C:\Program Files\InterVideo\WinDVR\WinScheduler.exe

Logfile of HijackThis v1.99.0
Scan saved at 6:10:24 PM, on 5/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\MXOALDR.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\CounterSpy Client\sunasDtServ.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\CounterSpy Client\sunasServ.exe
C:\Program Files\Greetings Workshop\GWREMIND.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboForm.dll
O2 - BHO: ToolHelper - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\Toolbar.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [WINSCHEDULER] C:\PROGRA~1\INTERV~1\WinDVR\WINSCH~1.EXE
O4 - HKLM\..\Run: [NVIDIA Remote Control Panel] NVAREM.EXE /S /Q /R /L /A1 /B0 /C0 /D2 /E0
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [MXO Auto Loader] C:\WINDOWS\MXOALDR.EXE
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [sunasDTServ] C:\Program Files\CounterSpy Client\sunasDtServ.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\CounterSpy Client\sunasServ.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Nero\Nero BackItUp\NBJ.exe"
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: Customize Menu &4 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm &2 - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Kodak Camera Connection Software - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: Sony SPTI Service - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service - X10 - C:\WINDOWS\System32\x10nets.exe
O23 - Service: Iomega Active Disk - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

[Detah]

Lookin good. One last item.

Reboot in Safe Mode instructions. During reboot, tap the F8 key. Select Safe Mode.
----------------------------------------------------------------
Open HiJackThis | Scan,
Put a check next to the following items.

O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -


Confirm that you have only the ones above checked, then press <Fix checked>
Close HJT
----------------------------------------------------------------
Reboot in normal mode.

Im pleased to see that you installed Spybot. I cannot tell from your log, but I hope you also installed AdAware. Both are great programs for scanning for malware.

Preventing future infections:
As a first line of defense I strongly recommend a good firewall, like Norton Firewall 2004, ZoneAlarm Pro or Kerio; all three are very highly rated. If you are short on $ there are several free options available to you. Consider ZoneAlarm or Outpost.
Running Spybot S&D and AdAware regularly are a good second line of defense.

Additional protections
SpywareGuard is live protection from spyware. SpywareBlaster and IE-SpyAd are run-once prevention programs which are also free. You only need to update them periodically.

SpywareGuard (1.96 MB) functions like an antivirus program, scanning files before they are opened and downloaded, but for spyware. It also protects your internet browser from hijacks.

SpywareBlaster (2.1 MB) is not a system cleaner like Spybot; rather it blocks/prevents bad ActiveX and malevolent cookies from entering your system in the first place.

IE-SpyAd (227 kB) places over 5000 sites into your Restricted Zone so you do not accidentally visit known evil sites.

See also So how did I get infected in the first place? for more information about spyware prevention.

[porcupinepete]

Thank you. I did use Adaware and it was great. How refreshing it was to get my Google back. Thank you so much for your time. I am sending a donation. Thanks so much, once again.
don