Notepad "prompts" keep appearing.

I see that notepad.exe is not listed as one of the running processes, and there are no more immediately suspicious filenames, so we’ve got at least part of the problem fixed. But the problem persists? Hmmm…this is a tricky one, indeed. Check the Properties for each copy of notepad.exe. They should all be 50,960 bytes long, no more, no less. If you have the newer version, it would be 66,048 bytes, like mine.

FYI Q.E.D., I just did a search of notepad.exe on a fresh 2000 machine with no virus or other issues. The executable is located in both C:\WINNT and C:\WINNT\SYSTEM32

Maybe the original install puts notepad.exe in the root folder of windows, and then when I did a service pack update, it throws a copy of it into the system32 folder?

:confused:

Dunno, but I’ve got a legitimate copy there, too, and in fact, just discovered that my Start menu shortcut to it points to there. Never noticed that before. It must be an NT thing. I have NO idea why it would be necessary to have two separate copies of the same executable in two different places. Seems wasteful, but then, it’s Windows. shrug

First off, wolf_meister, you’ve got a pretty (un)healthy load of spyware/adware on your system. I see you visited the computer questions sticky, did you run any of the spyware/adware removal tools? Your posted logfile has a ton of stuff in it. I don’t think that’s the cause of your notepad problem though, just an FYI.

Second, your symptoms sound like you might be infected with the QAZ virus. In regedit, navigate to the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

key and see if there is a string value of startIE "notepad qazwsx.hsq"

That will tell us for sure. Also, did you run any of the free online virus scanners in the sticky? Just because you have Norton Antivirus installed does not mean you are protected.

berkut
I ran Spybot, Ad-A-Ware and CWShredder yesterday. It’s unbelievable that either the spyware missed that stuff OR it accumulated over the last 12 hours.

As far as anti-virus, I rely on Norton and am naive enough to think it should do the job. (Guess not).

Okay, I went to the HKEY registry and this is the file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“Synchronization Manager”=“mobsync.exe /logon”
“PROMon.exe”=“PROMon.exe”
“NAV Agent”=“C:\PROGRA~1\NORTON~1\navapw32.exe”
“IgfxTray”=“C:\WINNT\System32\igfxtray.exe”
“HotKeysCmds”=“C:\WINNT\System32\hkcmd.exe”
“Motive SmartBridge”=“C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe”
“IPInSightLAN 01”="“C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe” -l"
“IPInSightMonitor 01”="“C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe”"
“a-winpoet-service”="“C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe”"
“TkBellExe”="“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot"
“LXSUPMON”=“C:\WINNT\System32\LXSUPMON.EXE RUN”
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe”
“QuickTime Task”="“C:\Program Files\QuickTime\qttask.exe” -atboottime"
“WildTangent CDA”=“RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain”
“webHancer Survey Companion”="“C:\Program Files\webHancer\Programs\whSurvey.exe”"
“NaviSearch”=“C:\Program Files\NaviSearch\bin\nls.exe”
“CashBack”=“C:\Program Files\CashBack\bin\cashback.exe”
“TBPS”=“C:\PROGRA~1\Toolbar\TBPS.exe”
“loads.exe”=“C:\WINNT\medload.exe”
“WinTools”=“C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
“Installed”=“1”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
“NoChange”=“1”
“Installed”=“1”

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
“Installed”=“1”

I didn’t see any “start IE” notepad, etc but I thought I’d post this anyway.

Gah! You’re loaded down with the stuff.

No, I would not count on it doing the job. At all. Go to Free Online Virus Scan | Trend Micro HouseCall and run their free online scanner. Preferably in safe mode, if able.

Yeah, I don’t see any traces of QAZ in there, but there’s plenty of other junk to be found:

All this stuff is bad, but I would be more concerned with your possible virus problem first. Run that online virus scanner (in safe mode if you can, please) and report back. I’m pretty sure you will have something to report back.

If AdAware, Spybot S&D, and Norton AV aren’t catching all this crap, it makes me suspect that perhaps you haven’t updated them recently. You can’t just install them and then expect them to catch all the new stuff that comes down the pike.

You should be running AdAware SE 1.05, with the Oct. 7 definitions file. Spybot S&D should be version 1.3, with the Sept. 30 updates. The latest Norton AV definitions file is dated Oct. 6.

The other thing you may have to do is to run scans with each of these from Safe Mode.

Hope you get well soon!

I tried to download and run AVG anti-virus software on the SDMB Computer Questions Sticky and when I tried to install it I got a message of:
C:\WINNT\SYSTEM32\AUTOEXEC.NT The system file is not suitable for running MS-DOS and Microsoft Windows Applications. Choose ‘Close’ to terminate the application.

So then I tried going to the Trend Micro site and using their online virus scanner as you suggested. (I couldn’t connect to the Internet in Safe Mode). So I downloaded their “online scanner”. (Why do I have to download an online scanner?) Anyway, I got a setup file and when I went to install it, I got the EXACT message that I got with the AVG anti-virus setup program. This seems really bad doesn’t it ?

Ouch. Yeah, your stuff is sick. If you check, that autoexec.nt probably doesn’t even exist at that location anymore.

Do you have your Windows 2000 disk? Restoring that file from the CD will probably let you run the virus scan. Stick your Win2000 CD in the drive, open up a command prompt, and type expand D:\i386\autoexec.nt_ c:\windows\system32\autoexec.nt Replace “D” with the drive letter of your CD drive. Once that’s done, try running the Trendmicro Virus Scan again. Try not to reboot between restoring that file and running the scanner. Let us know how it goes.

Okay, here’s the latest HijackThis file:


Logfile of HijackThis v1.98.2
Scan saved at 1:13:37 AM, on 10/11/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\Verizon Online\WinPoET\WrOS.EXE
C:\Program Files\Common Files\WinTools\WToolsS.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\PROMon.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINNT\System32\igfxtray.exe
C:\WINNT\System32\hkcmd.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINNT\medload.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\WinTools\WSup.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mad.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Verizon Online\SupportCenter\bin\mpbtn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\PROGRA~1\Motive\ASSTCO~1\MOTIVE~1.EXE
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://www.excite.com”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\System32\hkcmd.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] “C:\Program Files\Verizon Online\VisualIPInsight\IPClient.exe” -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] “C:\Program Files\Verizon Online\VisualIPInsight\IPMon32.exe”
O4 - HKLM\..\Run: [a-winpoet-service] “C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe”
O4 - HKLM\..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM\..\Run: [LXSUPMON] C:\WINNT\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: hp psc 1000 series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: Microsoft Office.lnk = C:\MSOffice\Office\OSA9.EXE
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0819.dll
O9 - Extra button: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra ‘Tools’ menuitem: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra ‘Tools’ menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://support.gateway.com/support/contact/formassist.CAB
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_file.php?bt=ie&p=5d15351b96687ac90b54afcc18827f4e0c2e1af8d6b2139a6d78fa1ba96d9d848d38af6822d00ec9f99362db9dd3db34d4b55fa34a893c9a5b532161d5cd35:316ec1697e4766858480d3e80deecaa8
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/156b0b300cbbb3a32a06/netzip/RdxIE601.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab


Berkut
I followed your instructions precisely and it came up with an error message that it couldn’t find the file i386 - and I tried this with both Windows 2000 Disks.
At least it was good trying something from DOS - something I know about.

I’ve said this before but Windows is getting TOO F**KING COMPLICATED !!!

Wow there’s about a zillion HKey Registry Files and zillions of exe files which to me increases the possibility of something screwing up by a factor of about a million.

Here’s an interesting link:
http://poll.excite.com/poll/home.jsp?cat_id=1
It’s the result of a poll in which the House of Representatives are considering a bill with a penalty of up to 5 years for people who put spyware on a computer.
So far, the poll is showing 94% in favor of the bill.
I’m surprised that the percentage is that LOW.

Can you check around in the CD and see if you can find that directory?

Berkut
I searched both disks for “i386” and the results were nothing.

2:00 a.m. here - I’m not going to work on it anymore tonight .

Sounds like you might have a recovery disk rather than a Windows 2000 disk, no?

Berkut
Yes, it seems I was using restoration disks. :smack:

I cannot find the Win2000 disks (I always keep everything that comes with a computer but somehow they got lost). :smack:

I do have another computer (uninfected) running Win 2000. Is it possible to copy the i386 file from that computer? OR can Windows only be installed with the ORIGINAL Win 2000 disks?

Well, we’re kinda starting to take the long way around here, but offhand I can’t think of any reason why you shouldn’t. Copy the C:\WINNT\SYSTEM32\AUTOEXEC.NT file from your good machine to the same path on the infected one, and (without rebooting) try running the Trendmicro online scan and let us know how it turns out.

I think your problem is approaching the limits of online help. At least MY online help, anyway. I wish I had your machine in front of me.

Well I did change the autoexec file and tried to install the setup file from Trend Micro and the Install Shield goes to 100% (as it has done on previous attempts) and just idles. Should I replace the Install Shield with a good one? Yep I did that - no change. Yes, I’m giving up though I appreciate everyone’s help in this thread.
Well, it’s not as if we didn’t give this one good try.
Who knows, maybe the Notepad prompt is the worst thing that occurred.

OK, I think this is fixable. Here are the steps I’d use.

  1. Get the latest versions of Ad-aware and Spybot S&D as Early Out said. Update their definition files, but don’t scan with them yet.

  2. Download Stinger, but don’t scan with it either. Just save it to your C: drive.

  3. Shut down and power off your machine, then start it back up in Safe Mode.

  4. Run full scans with Stinger, Ad-aware, and Spybot. Remove anything they find.

  5. Run HijackThis and remove the following lines (if one of the other utilities hasn’t already):

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.excite.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref(“browser.startup.homepage”, “http://www.excite.com”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
N3 - Netscape 7: user_pref(“browser.search.defaultengine”, “engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src”); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\snju7uhy.slt\prefs.js)
O2 - BHO: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - C:\PROGRA~1\COMMON~1\WinTools\WToolsB.dll
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINNT\system32\mscb.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O3 - Toolbar: (no name) - {339BB23F-A864-48C0-A59F-29EA915965EC} - (no file)
O4 - HKLM\..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O9 - Extra button: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O9 - Extra ‘Tools’ menuitem: Anquiro Toolbar - {A4F64D63-3576-4754-8DD5-4D0A49345FD5} - C:\Program Files\aniquro\anquiro.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windupdates.com/get_f...480d3e80deecaa8
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/156b0b300cbbb3...ip/RdxIE601.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {87067F04-DE4C-4688-BC3C-4FCF39D609E7} - http://download.websearch.com/Dnl/T_40/QDow_AS2.cab

  6. Delete the following files and directories:
    C:\Program Files\Toolbar
    C:\Program Files\Common Files\Wintools
    C:\Program Files\aniquro
    C:\Program Files\WildTangent
    C:\Program Files\NaviSearch
    C:\Program Files\CashBack
    C:\WINNT\medload.exe

  7. Reboot in Normal Mode. Reset your Internet Explorer Security settings to their defaults (under Tools|Internet Options|Security).

  8. Install SpywareBlaster. Update it and hit Enable All Protection periodically.

Oh, I missed a step. Run HouseCall again after restarting in Normal Mode and see if it will let you do a scan of your entire C: drive.
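
An added example, not part of any post in this thread: a small triage script that reads the O4 (autorun) lines of a HijackThis log and flags entries that load from the files and directories the cleanup steps above list for deletion, plus the QAZ Run value described earlier in the thread. The function names, the 8.3 short-name mapping and the `startIE` sample line are assumptions made for this illustration; the parser accepts HijackThis's `HKLM\..\Run` notation as well as the `HKLM…\Run` rendering that forum software can produce.

```python
import re

# Files and directories the thread's cleanup steps list for deletion.
REMOVAL_PATHS = [
    r"C:\Program Files\Toolbar",
    r"C:\Program Files\Common Files\Wintools",
    r"C:\Program Files\aniquro",
    r"C:\Program Files\WildTangent",
    r"C:\Program Files\NaviSearch",
    r"C:\Program Files\CashBack",
    r"C:\WINNT\medload.exe",
]

# Assumption: the default 8.3 short names map to these long names on this machine.
SHORT_NAMES = {"progra~1": "program files", "common~1": "common files"}

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (HKLM|HKCU)(?:\\\.\.|…)\\(\w+): \[([^\]]+)\] (.+)$", re.MULTILINE
)

# Sample input: autorun lines copied from the log in this thread, plus one
# constructed line showing how the QAZ value would appear if it were present.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\System32\igfxtray.exe
O4 - HKLM…\Run: [WildTangent CDA] RUNDLL32.exe “C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll”,cdaEngineMain
O4 - HKLM…\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM…\Run: [loads.exe] C:\WINNT\medload.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [startIE] notepad qazwsx.hsq
"""


def find_removal_match(command):
    """Return the removal-list path this command line loads from, or None."""
    cmd = command.lower()
    for short, long_name in SHORT_NAMES.items():
        cmd = cmd.replace(short, long_name)  # expand 8.3 names before comparing
    for path in REMOVAL_PATHS:
        # Match whole path components only, so "Toolbar" does not hit "ToolbarX".
        if re.search(re.escape(path.lower()) + r'(?=\\|["”\s,]|$)', cmd):
            return path
    return None


def triage(log_text):
    """Return (value name, reason) for every flagged O4 Run entry, in log order."""
    findings = []
    for match in O4_RE.finditer(log_text):
        _hive, _key, name, command = match.groups()
        if name.lower() == "startie" and "qazwsx.hsq" in command.lower():
            findings.append((name, "QAZ Run value described in the thread"))
            continue
        hit = find_removal_match(command)
        if hit:
            findings.append((name, "under " + hit))
    return findings


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name}: {reason}")
```
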

Number
Successful !!!
That was a lot of work you put into that solution, but it was worth it.
Thanks very much.
And of course thanks to everyone who participated in this thread.

Wow things are getting ridiculous. Now anti-virus software isn’t enough. Now you need firewalls, Spybot, AdAware, Spyblaster and lord knows what else.

I have a feeling there is nothing that can be done about this through the legal system. Let’s suppose someone writes some spyware or virus in the USA. He could E-Mail it or upload it to a site. A confederate in another country then could let it loose on the 'Net. It could start spreading 12,000 miles from the place where it was authored. Heck (in another thread) I learned that terrorists have no problem getting access to the Internet.

Well I guess the only thing to do is keep up with the latest anti-virus, anti-spyware, firewalls, etc. :rolleyes:

And thanks again everyone !!!