LOP - How do I get rid of it!?

 
 
Sarge
 
Reply Sun 23 Jan, 2005 01:33 pm
I've been having a hell of a time with this "lop.com" stuff. I've tried Ad-Aware, Spybot Search & Destroy, Microsoft AntiSpyware, even the lop.com universal uninstall program, but I've had no luck in removing the nasty blue toolbar at the bottom of my screen or the undeletable entries in my favorites. ANY help would be greatly appreciated.

Thanks.
Type: Discussion • Score: 1 • Views: 2,084 • Replies: 16

 
Don77
 
  1  
Reply Sun 23 Jan, 2005 02:31 pm
Hi Sarge and welcome to A2K
Run this please: lop uninstaller
Reboot

Next,
Please go Here and unzip the newest version of HJT into a new dedicated folder.
Create a folder on the C: drive called C:\HJT.
You can do this by going to My Computer (Windows key+E), then double-click on C:, then right-click and select New, then Folder, and name it hjt. Unzip HijackThis into this folder. Launch HijackThis, then press Scan, and press Save Log.
This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.
Most things are harmless and needed, so don't make any changes.
Post a log here please.

Next,
Please download
Silent Runners
Please create a folder for it, then double-click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to this thread please.
0 Replies
 
Geoffke
 
  1  
Reply Tue 25 Jan, 2005 05:43 am
Logfile of HijackThis v1.98.2
Scan saved at 12:37:01, on 25/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\NetLimiter\NetLimiter.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Geoffrey\LOCALS~1\Temp\Rar$EX00.236\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.pandora.be:8080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0F408836-5364-44C6-6C4A-E227D05911B4} - (no file)
O2 - BHO: (no name) - {54837D90-CEBA-409E-3A73-F9C1148C8978} - C:\DOCUME~1\Matthieu\APPLIC~1\CLOCKU~1\Store memo.exe (file missing)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [StartEnc] C:\DOCUME~1\Geoffrey\APPLIC~1\LIESTH~1\setupsupportpeak.exe
O4 - HKCU\..\Run: [SponsoredAdBlocker] C:\Program Files\SuperAdBlocker.com\Sponsored Ad Blocker\SCHBlock.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office XP\Office10\OSA.EXE
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021126/qtinstall.info.apple.com/sikes/nl/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://sc.communities.msn.com/controls/chat/msnchat42.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab


I also have the same problem. I've been trying to get rid of it for a while now, so I hope that it works :)
Is there anything else I should take care of?

Greetz
0 Replies
 
Don77
 
  1  
Reply Tue 25 Jan, 2005 05:49 am
Hi Geoffke and welcome to A2K
Assuming you have run the lopuninstaller,

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked"
O2 - BHO: (no name) - {54837D90-CEBA-409E-3A73-F9C1148C8978} - C:\DOCUME~1\Matthieu\APPLIC~1\CLOCKU~1\Store memo.exe (file missing)
O4 - HKCU\..\Run: [StartEnc] C:\DOCUME~1\Geoffrey\APPLIC~1\LIESTH~1\setupsupportpeak.exe

Next, reboot to safe mode (by tapping the F8 key on start up). Make sure you can view all Hidden Files/Folders, then search for and delete the above files highlighted in BOLD

C:\DOCUME~1\Matthieu\APPLIC~1\CLOCKU~1\Store memo.exe
C:\DOCUME~1\Geoffrey\APPLIC~1\LIESTH~1\setupsupportpeak.exe

Delete any associated folders found with the above files.
Restart your computer.
Please download
Silent Runners
Please create a folder for it, then double-click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to a new thread started by you please,
along with a fresh HJT log.

Post back a fresh log please.
It gets too confusing working with 2 people within the same thread.
0 Replies
 
Sarge
 
  1  
Reply Sat 29 Jan, 2005 09:13 pm
Don77, sorry about the lateness of this reply.

Before I get to my "Hijack This" log, I'd just like to point out that I've managed to remove the annoying LOP toolbar from my IE, and it hasn't bothered me for a while. However, the other accounts on my computer still have it. Just thought you might want to know that.

Here's my HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 7:08:00 PM, on 29/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Adam\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: HyperSearchHook - {058E1FE2-EB98-4945-836A-B42BAD906457} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\DOCUME~1\Adam\Desktop\freshdow\FRESHD~1\fdcatch.dll (file missing)
O2 - BHO: (no name) - {3CF86B53-E360-2AEE-D504-17557FF27369} - C:\WINDOWS\system32\zpgf.dll (file missing)
O2 - BHO: (no name) - {9B25154C-89D6-DA56-D13A-FB4D85A673B6} - C:\WINDOWS\system32\yjrvcnl.dll
O2 - BHO: Joy amok - {A75D05D8-9E07-6463-A19E-38A8D1567CDD} - C:\PROGRA~1\GREATT~1\debugdefy.dll (file missing)
O2 - BHO: Search Help - {E8EAEB34-F7B5-4C55-87FF-720FAF53D841} - C:\Documents and Settings\James\Local Settings\Temp\ZB5MmD.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bqt2JCh] C:\documents and settings\james\local settings\temp\Bqt2JCh.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [t6osoW] C:\documents and settings\james\local settings\temp\t6osoW.exe
O4 - HKLM\..\Run: [3m] C:\documents and settings\james\local settings\temp\3m.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Adam\Desktop\SPN\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Adam\Desktop\SBSD\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Adam\Desktop\Warez\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Proxomitron.lnk = C:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: .NET Framework Service - Unknown - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Parental Controls - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)




About that "Silent Runners" one you wanted to post as well, here's what I got:

"Silent Runners.vbs", revision 30
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


This script requires WMI, which can be downloaded at: http://tinyurl.com/7wd7


Should I download this "WMI"? And, what exactly is it?

Thanks
0 Replies
 
Don77
 
  1  
Reply Sat 29 Jan, 2005 09:42 pm
No problem Sarge

Have a run through the steps outlined in this Post.
Post back a log from HJT please.

You have a lot of crap in your Temp folders; make sure you get them cleaned out.
C:\documents and settings\james\local settings\temp << needs a good cleaning.

You can run the lopuninstaller under the other users on the machine. Log on under Admin and run Silent Runners from there.

Post back a fresh log from this user after you have run through the steps please.
0 Replies
 
Sarge
 
  1  
Reply Sun 30 Jan, 2005 04:26 pm
Thanks, Don77.

I followed the steps in the other post, and here's the fresh HJT log: (I also ran the lop uninstaller on the other accounts, which seems to have removed the toolbar and restored their requested homepages.)

HJT Log:


Logfile of HijackThis v1.99.0
Scan saved at 2:18:42 PM, on 30/01/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Proxomitron\Proxomitron.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Adam\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: HyperSearchHook - {058E1FE2-EB98-4945-836A-B42BAD906457} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\DOCUME~1\Adam\Desktop\freshdow\FRESHD~1\fdcatch.dll (file missing)
O2 - BHO: (no name) - {3CF86B53-E360-2AEE-D504-17557FF27369} - C:\WINDOWS\system32\zpgf.dll (file missing)
O2 - BHO: (no name) - {9B25154C-89D6-DA56-D13A-FB4D85A673B6} - C:\WINDOWS\system32\yjrvcnl.dll
O2 - BHO: Joy amok - {A75D05D8-9E07-6463-A19E-38A8D1567CDD} - C:\PROGRA~1\GREATT~1\debugdefy.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bqt2JCh] C:\documents and settings\james\local settings\temp\Bqt2JCh.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [t6osoW] C:\documents and settings\james\local settings\temp\t6osoW.exe
O4 - HKLM\..\Run: [3m] C:\documents and settings\james\local settings\temp\3m.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Adam\Desktop\SPN\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Adam\Desktop\SBSD\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Adam\Desktop\Warez\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Proxomitron.lnk = C:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: .NET Framework Service - Unknown - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Parental Controls - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)



Also, about the "Silent Runners", how do I log on under the "Administrator" account? I was only able to while I was in Safe Mode, so should I use "Silent Runners" while in Safe Mode? Also, should I download this "WMI" that it said I needed last time I tried it?

Quote:
"Silent Runners.vbs", revision 30
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


This script requires WMI, which can be downloaded at: http://tinyurl.com/7wd7


Thanks


P.S. - One more thing, while I was using the "BitDefender" service from the other post, it told me that the lop uninstaller you gave was infected with LOP itself. I didn't delete it, in case I might need it again. Just thought I'd point this out.
0 Replies
 
Don77
 
  1  
Reply Thu 3 Feb, 2005 07:56 pm
Hi again Sarge, sorry, I was away for a bit.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked"

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://minisearch.startnow.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: HyperSearchHook - {058E1FE2-EB98-4945-836A-B42BAD906457} - C:\Program Files\Common Files\Hyperbar\HyperbarSS3.dll (file missing)
O2 - BHO: (no name) - {3CF86B53-E360-2AEE-D504-17557FF27369} - C:\WINDOWS\system32\zpgf.dll (file missing)
O2 - BHO: (no name) - {9B25154C-89D6-DA56-D13A-FB4D85A673B6} - C:\WINDOWS\system32\yjrvcnl.dll
O2 - BHO: Joy amok - {A75D05D8-9E07-6463-A19E-38A8D1567CDD} - C:\PROGRA~1\GREATT~1\debugdefy.dll (file missing)
O4 - HKLM\..\Run: [Bqt2JCh] C:\documents and settings\james\local settings\temp\Bqt2JCh.exe
O4 - HKLM\..\Run: [DeskMateAutoUpdate] C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe
O4 - HKLM\..\Run: [t6osoW] C:\documents and settings\james\local settings\temp\t6osoW.exe
O4 - HKLM\..\Run: [3m] C:\documents and settings\james\local settings\temp\3m.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) - Unknown - %ProgramFiles%\WinPcap\rpcapd.exe (file missing)


Next, reboot to safe mode (by tapping the F8 key on start up). Make sure you can view all Hidden Files/Folders, then search for and delete the above files highlighted in BOLD

C:\WINDOWS\system32\zpgf.dll
C:\WINDOWS\system32\yjrvcnl.dll
C:\PROGRA~1\GREATT~1\debugdefy.dll
C:\documents and settings\james\local settings\temp\Bqt2JCh.exe
C:\PROGRA~1\DESKMA~1\DeskMateAutoUpdate.exe <Delete Folder
C:\documents and settings\james\local settings\temp\t6osoW.exe
C:\documents and settings\james\local settings\temp\3m.exe
rpcapd.exe << Delete the folder that is found with this
Restart your computer, then post back a fresh log please.

Quote:
I was only able to while I was in Safe Mode, so should I use "Silent Runners" while in Safe Mode? Also, should I download this "WMI" that it said I needed last time I tried it?



Download the WMI and run Silent Runners, and post back a log from that as well please.
0 Replies
 
Sarge
 
  1  
Reply Sat 5 Feb, 2005 01:51 am
Thanks Don.

Before I get to my newly updated HJT log, I just want to point out a few things while I was deleting those files/folders in SafeMode.

File "zpgf.dll" did not appear to exist.
Folders "C:\PROGRA~1\DESKMA~1\" and "C:\PROGRA~1\GREATT~1\" did not appear to exist.
I did not see the specified files under the "James" temp folder, however I emptied the rest of the files out of there, with the exceptions of "DFE6FC.tmp" and "DFE28B.tmp" because I was denied access to them (while in Safe Mode).


HJT Log: Feb 07

Logfile of HijackThis v1.99.0
Scan saved at 11:45:55 PM, on 04/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe
C:\Documents and Settings\Adam\Desktop\Warez\Warez P2P Client\warez.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Proxomitron\Proxomitron.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Adam\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9B25154C-89D6-DA56-D13A-FB4D85A673B6} - C:\WINDOWS\system32\yjrvcnl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Adam\Desktop\SPN\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Adam\Desktop\SBSD\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Adam\Desktop\Warez\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Proxomitron.lnk = C:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: .NET Framework Service - Unknown - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Parental Controls - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

NOTE: There may be some additional running processes in this log, because on the other logs I believe I had closed some unneeded programs from the system tray. In this log, all the usual programs that start up and run (for my account, anyway) were running.


About the Silent Runners, it appears to once again have slipped my fingers. I tried to download the "WMI" from the Microsoft website to which it directed me, however my computer failed the "Validation Process" and I was therefore unable to download the needed "WMI" and was unable to run Silent Runners. It also said it was for Windows NT only, and I'm running XP (SP2).

Thanks again.
0 Replies
 
Don77
 
  1  
Reply Sat 5 Feb, 2005 08:10 am
Hi again Sarge,
Let's get this log cleaned up, then I want to run through the logs for the rest of the users on this machine.

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked"

O2 - BHO: (no name) - {9B25154C-89D6-DA56-D13A-FB4D85A673B6} - C:\WINDOWS\system32\yjrvcnl.dll (file missing)
O23 - Service: .NET Framework Service - Unknown - C:\WINDOWS\svchost.exe (file missing)


Next, reboot to safe mode (by tapping the F8 key on start up). Make sure you can view all Hidden Files/Folders, then search for and delete the above files highlighted in BOLD

C:\WINDOWS\system32\yjrvcnl.dll
C:\WINDOWS\svchost.exe << --- Notice this is NOT in system32. Please be careful not to delete this file from that folder. Make sure it is from the WINDOWS folder.

Restart your computer,
Post back a fresh log please
0 Replies
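Added example (not part of the thread, and not HijackThis's own logic): a Python sketch of the manual triage applied to the logs above, flagging entries marked "(file missing)", autoruns launched from a Temp folder, and system binary names such as svchost.exe located outside system32. The rule names, the list of system binaries and the function names are assumptions made for illustration; the sample lines are copied from the logs posted in this thread, and a hit is a lead for review, not a verdict.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional

# Core Windows process names that normally live in system32.
# Illustrative assumption, not an exhaustive list.
SYSTEM_BINARIES = {
    "svchost.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "smss.exe", "spoolsv.exe",
}

# A HijackThis entry line looks like "O4 - <details>" or "R3 - <details>".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# First Windows path ending in an executable extension (drive letter or %VAR% root).
PATH_RE = re.compile(r'((?:[A-Za-z]:|%\w+%)\\[^"]*?\.(?:exe|dll|ocx))\b', re.IGNORECASE)


class Finding(NamedTuple):
    code: str           # HijackThis section code, e.g. "O2", "O4", "O23"
    path: str           # file path extracted from the entry ("" if none)
    reasons: List[str]  # names of the heuristics that fired


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding if the entry trips any heuristic, else None."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank line or "Running processes" path
    code, body = m.group("code"), m.group("body")
    pm = PATH_RE.search(body)
    path = pm.group(1) if pm else ""
    lowered = path.lower()

    reasons = []
    # Registry entry survives although its file is gone: leftover of a
    # partial removal, or a file the scanner could not see.
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned-entry")
    # Legitimate software rarely autostarts from a Temp directory.
    if "\\temp\\" in lowered:
        reasons.append("runs-from-temp")
    # A system process name anywhere other than ...\system32.
    if (ntpath.basename(lowered) in SYSTEM_BINARIES
            and not ntpath.dirname(lowered).endswith("\\system32")):
        reasons.append("system-name-outside-system32")
    # Browser Helper Object registered without a display name.
    if code == "O2" and "(no name)" in body:
        reasons.append("unnamed-bho")

    return Finding(code, path, reasons) if reasons else None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a HijackThis log."""
    hits = (triage_line(line) for line in log_text.splitlines())
    return [hit for hit in hits if hit is not None]


# Sample input: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {9B25154C-89D6-DA56-D13A-FB4D85A673B6} - C:\WINDOWS\system32\yjrvcnl.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Bqt2JCh] C:\documents and settings\james\local settings\temp\Bqt2JCh.exe
O23 - Service: .NET Framework Service - Unknown - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.code:<4}{finding.path}  <- {', '.join(finding.reasons)}")
```

Entries that trip no rule are not thereby cleared; the fix lists in this thread also include items that only a reviewer who knows the software would recognise.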
 
Sarge
 
  1  
Reply Sun 13 Feb, 2005 02:38 pm
Hey Don,

I regret to inform you that I couldn't find either of those files while I was in Safe Mode (yes, I did enable the option to view hidden files and folders). I found no trace of "C:\WINDOWS\system32\yjrvcnl.dll," even after performing a search. I did a search of the other one, and I found some files similar to the one you asked me to delete, however none that were in the correct spot, so I didn't delete them.

http://img196.exs.cx/img196/4118/screenshot0163vx.png



Here's the last updated HJT log:

Logfile of HijackThis v1.99.0
Scan saved at 12:31:49 PM, on 13/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Documents and Settings\Adam\Desktop\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Adam\Desktop\Warez\Warez P2P Client\warez.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Proxomitron\Proxomitron.exe
C:\Documents and Settings\Adam\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://freewebs.com/chaosplague
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Spyware Nuker] C:\Documents and Settings\Adam\Desktop\SPN\Spyware Nuker 2004\swn2.exe /h
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] C:\Documents and Settings\Adam\Desktop\iTunes\iTunesHelper.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [Gadwin PrintScreen 2.6] C:\Documents and Settings\Adam\Desktop\prnt scrn\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Documents and Settings\Adam\Desktop\SBSD\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [warez] "C:\Documents and Settings\Adam\Desktop\Warez\Warez P2P Client\warez.exe" -h
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Proxomitron.lnk = C:\Program Files\Proxomitron\Proxomitron.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - https://www.gamespyid.com/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} - http://download.redswoosh.net/Installer/104/rsinstaller.cab
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: McAfee Parental Controls - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Parental Controls\GUARDDOG.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
0 Replies
 
Don77
 
  1  
Reply Sun 13 Feb, 2005 04:15 pm
No worry Sarge, they appear to be gone now.
How is the computer running?
0 Replies
 
Sarge
 
  1  
Reply Mon 14 Feb, 2005 07:34 pm
Thanks again, Don.

The computer seems to be running fine, all the lop.com toolbars etc. are gone and Internet Explorer doesn't have anything nasty or annoying in it. Microsoft AntiSpyware catches things that are trying to install themselves every now and again but it always manages to remove them.

I'd just like to thank you for all your generosity and patience while helping me. Judging by your post count, it looks like you do this a lot!
0 Replies
 
Don77
 
  1  
Reply Mon 14 Feb, 2005 07:39 pm
You're very welcome, Sarge

Quote:
I'd just like to thank you for all your generosity and patience while helping me. Judging by your post count, it looks like you do this a lot!


Pleasure is all mine, I enjoy doing it.
0 Replies
 
Sarge
 
  1  
Reply Tue 15 Feb, 2005 09:43 pm
Thanks, Don.

But before we part ways, I was just wondering if I could ask you one thing about my computer, since you seem to be a pretty computer-savvy kind of guy.

I know that sometimes viruses and spyware like this can sometimes hide in the System Registry, and I also know that wrongly editing the registry can cause serious problems with Windows. How can I be able to identify registry entries that are... "crucial" to my system? For example, would deleting the registry key(s) for say, some shareware program that was downloaded, possibly hurt my computer? I know that before using "regedit" one should always create a backup of the system state (with the Windows XP backup utility), in case something goes wrong. But, just to be extra careful, if you have any knowledge on the subject it might be useful in potential future situations where editing the registry is necessary in order to remove a virus or whatnot.

I know that was kind of off topic, (okay, really off topic) but starting a new thread seemed kind of wasteful hahaha.

Thanks again Don, and if registry isn't your particular cup of tea then don't worry about it.
0 Replies
 
Don77
 
  1  
Reply Wed 16 Feb, 2005 08:34 pm
Hi Sarge,
Not off topic at all and a very good question.

More times than not, in the event you have a virus there will typically be some regediting to do. Most Anti Virus sites will tell you exactly which registry entries to remove. After cleaning up malware/spyware/adware, usually a running of an updated Ad-aware will find orphaned registry keys and clean them up for you.
Backing up prior to making any changes is very important.

Quote:
But before we part ways


I thought you would hang around a while.
Plenty to do and see here at A2K

Hope that helps
0 Replies
 
Sarge
 
  1  
Reply Thu 17 Feb, 2005 05:54 pm
Thanks Don! Good info to have.

I know where to come for any future problems!
0 Replies
 
 
