[Resolved] Problems with “PS Guard” “Coolweb Search”

 
 
Reply Thu 18 Aug, 2005 10:41 pm
I am having malware problems with PS Guard, Coolweb Search and Smitfraud-C. I have run cwshredder, spybot and adaware. It seems to find the problems but cannot fix them.

I also think I have a virus called "Bloodhound.w2.ep" but have no idea how to get rid of it. Could someone please help? I have posted a hijack-this log below. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 11:30:39 PM, on 8/18/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\msole32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\VISION~2\ONETOU~2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
C:\PROGRA~1\COMMON~1\AOL\111112~1\EE\AOLHOS~1.EXE
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\PROGRA~1\COMMON~1\AOL\111112~1\EE\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
C:\WINNT\System32\msiexec.exe
C:\Program Files\spyware software\hijack this\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.bestwebslinks.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.bestwebslinks.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111122927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\System32\msmsgs.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [PSGuard] C:\Program Files\PSGuard\PSGuard.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\zftodpoi.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2446e66de59352e02c20/netzip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\System32\vbsys2 (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) -America Online, Inc. - C:\WINNT\wanmpsvc.exe
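As an added example for reading a log like the one posted above (this script is not part of the thread and is not a HijackThis feature), the following Python triage parses HijackThis entry lines and flags the indicator shapes visible in the log: an R0/R1 start or search page set to an external URL, an O16 DPF control registered from a local file:// cab, and any entry whose target file is missing. It also carries one assumed lookup table, EXPECTED_DIR, constructed here and not shipped by any tool, which catches a copy of msmsgs.exe living outside Program Files\Messenger, as the posted log shows. The sample lines are constructed from the shapes in the posted log, not a complete log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    rule: str      # short rule id, with the host or file name where useful
    line: str      # the log line that triggered it


# Every HijackThis entry is "<section> - <body>", e.g. "O16 - DPF: ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Assumed lookup (constructed for this example, not something HijackThis
# ships): where a few well-known binaries normally live. The same file name
# in another directory is a classic masquerade; the posted log has
# msmsgs.exe both in Program Files\Messenger and in System32.
EXPECTED_DIR = {
    "msmsgs.exe": r"program files\messenger",
}

# Constructed sample: a handful of lines shaped like the posted log, so the
# triage can be run offline. It is not a complete HijackThis log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.bestwebslinks.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [RegSvr32] C:\WINNT\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINNT\System32\vbsys2 (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
"""


def parse_entries(log_text):
    """Yield (section, body, raw_line) for each HijackThis entry line."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group("sec"), m.group("body"), raw.strip()


def o4_executable(body):
    """Pull the executable path out of an O4 Run entry body, quoted or not."""
    _, _, rest = body.partition("] ")
    m = re.match(r"(?i)(.+?\.exe)", rest.lstrip('"'))
    return m.group(1) if m else None


def triage(log_text):
    """Apply the rules to every entry and return the list of findings."""
    findings = []
    for sec, body, raw in parse_entries(log_text):
        # Any entry whose target is gone is leftover persistence worth removing.
        if "(file missing)" in body or "(no file)" in body:
            findings.append(Finding("medium", "orphaned-entry", raw))
        if sec.startswith("R"):
            # R0/R1: start and search pages. A value that is an external URL
            # is the signature of a search hijack; the host tells you whose.
            _, _, value = body.partition(" = ")
            value = value.strip()
            if value.lower().startswith(("http://", "https://")):
                host = urlsplit(value).hostname or "?"
                findings.append(Finding("high", f"browser-setting-hijack:{host}", raw))
        elif sec == "O16":
            # O16: Downloaded Program Files (ActiveX). A file:// source means
            # the control was registered from a local cab, not a web origin.
            src = body.rsplit(" - ", 1)[-1].strip()
            if src.lower().startswith("file://"):
                findings.append(Finding("high", "dpf-local-cab", raw))
        elif sec == "O4":
            # O4: Run keys. Compare the binary's directory with where that
            # file name is expected to live (assumed table above).
            exe = o4_executable(body)
            if exe:
                base = exe.rsplit("\\", 1)[-1].lower()
                expected = EXPECTED_DIR.get(base)
                if expected and expected not in exe.lower():
                    findings.append(Finding("high", f"masquerade:{base}", raw))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {"high": 3, "medium": 1}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.rule:45} {f.line}")
    print(summarize(results))
```

Run against the constructed sample it reports three high findings (the bestwebslinks search hijack, the file:// DPF cab, and the System32 copy of msmsgs.exe) and one medium (the SSODL entry with a missing file); the legitimate msmsgs.exe under Program Files\Messenger and the Cult3D control fetched over http are left alone. The rules are deliberately narrow: they surface the entries a helper would ask about first, and do not try to decide what is safe.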

 
timberlandko
 
Reply Fri 19 Aug, 2005 12:48 am
See This Topic. IMPORTANT: unless you update your Windows to SP1, there is not much point trying to help you with your yuckware problem. However, with the infestation your system shows, you should not install SP2 at this point; apply SP1 and the critical Internet Explorer updates, and we can proceed with beginning to clean things up and rendering your system stable and usable again. Once we've dealt with the worst of the stuff you've got, which cannot be done until you have installed SP1, we can move on to detailed cleanup and current updates.
 
dimick631
 
Reply Fri 19 Aug, 2005 02:59 pm
It seemed that your message changed after I had already downloaded SP2. I hope this isn't too much of a problem. I followed the instructions you linked to and everything ran without any problems. Here are both EWIDO reports and the hijack-this log. Thank you very much for your help.

EWIDO 1st report
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:02:32 AM, 8/19/2005
+ Report-Checksum: C3276676

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7A66D0FF-9707-2E41-A80D-7DE113BDAC8B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6BAF0C72-19B4-46E7-A9B0-C272C79442C0} -> Spyware.SafeSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{82B382FD-F0CB-444F-9C9C-1ED4AB39E5C0} -> Spyware.SafeSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{193FC180-7E97-467E-8CDD-B4385F6D20C4} -> Spyware.SafeSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{10000000-1000-0000-1000-000000000000} -> Spyware.ISTBar : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce caporal@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce caporal@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce caporal@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce caporal@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce caporal@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce [email protected][2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Bruce Caporal\Cookies\bruce caporal@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\eied_s7.cab/eied_s7_c_84.exe -> TrojanDownloader.Mediket.aa : Error during cleaning
C:\ex.cab/epl.exe -> TrojanDownloader.Small.agi : Error during cleaning
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22483699.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22484170.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22485061.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22485692.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22485893.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22486183.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22486413.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\22486804.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44803825.asw -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44817046.asw -> TrojanDownloader.TSUpdate.g : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44818546.asw -> TrojanDownloader.TSUpdate.g : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44821146.asw -> Adware.eZula : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44824956.asw -> TrojanDownloader.TSUpdate.f : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44828056.asw -> Adware.eZula : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\44829566.asw -> Adware.eZula : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\50815161.asw -> TrojanDownloader.IstBar.fz : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\50817375.asw -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\80669991.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\80670291.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\80671091.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\80672901.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\AOL\AOL Spyware Protection\Backup\80673401.asw -> Adware.Gator : Cleaned with backup
C:\Program Files\PSGuard -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Core.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\database.pkg -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Localization.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Logfile.txt -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\msvcp71.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\msvcr71.dll -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\PSGuard.exe -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\PSGuard.exe.local -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Quarantine -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\Uninstall.exe -> Spyware.PSGuard : Cleaned with backup
C:\Program Files\PSGuard\WndSystem.dll -> Spyware.PSGuard : Cleaned with backup
C:\q747863.exe -> TrojanDownloader.Agent.kg : Cleaned with backup
C:\WINNT\addnv.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\addpu32.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\addyh.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\addze32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\apikg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\apilg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\atid.ini:uecbri -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\atlai.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\atlbo32.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\atldq32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\atlga32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\Blue Lace 16.bmp:xejcjw -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\Capture:qfbpeh -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\Capture:wggpl -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\crqp.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\crww.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\desktop.ini:xtgjr -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\dlyij.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\epgkm.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINNT\Greenstone.bmp:qiyqnx -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\iejz32.dll:ijrvhh -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\iejz32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\ieyg.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\ijcps.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\internt.exe -> TrojanDownloader.Small.agi : Cleaned with backup
C:\WINNT\ipgc32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\ipva32.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\javaab.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\javazi32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\mdjyc.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\mfcei.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\mfckg.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\mssa32.exe:pmsowl -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\mssa32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\msvx32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\netfq.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\netgr32.dll:inltyv -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\netgr32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\netls32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\netpq32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\netqn.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\ntbd32.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\ntcr.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\ntuq32.dll -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINNT\ntyt.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\n_iowttk.dat -> TrojanDownloader.Agent.db : Cleaned with backup
C:\WINNT\n_ptsppk.txt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\n_rwfqti.txt:wrfixg -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\n_tksbwu.txt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\n_ubduts.dat -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\ODBCINST.INI:eeawuv -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\pcconfig.dat:cyytq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\qfmwo.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\sdkeg32.dll:vsssrw -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\sdkeg32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\setupapi.old:gtvknr -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\Soap Bubbles.bmp:oileaq -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\SoftwareDistribution\Download\S-1-5-18\8b5e9cdb91dddbb342695fbdc36fe0e4\backup\winhlp32.exe:otbhgj -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\switchagreement.txt:gbdkcs -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\sysdq.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\system32\addbs.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\addda32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\system32\addly.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\addtm32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\appbw32.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\appcl32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\appkr.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\appss32.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\system32\craj.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\d3nh.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\system32\d3ym.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\edecj.dll -> Spyware.OneMoreSearch : Cleaned with backup
C:\WINNT\system32\hhk.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\hp28CB.tmp -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\ied.exe -> TrojanDownloader.Mediket.q : Cleaned with backup
C:\WINNT\system32\iknvr.dll -> Spyware.SearchPage : Cleaned with backup
C:\WINNT\system32\intell32.exe -> Spyware.PSGuard : Cleaned with backup
C:\WINNT\system32\intmon.exe -> Trojan.Puper.an : Cleaned with backup
C:\WINNT\system32\intmonp.exe -> Trojan.Puper.ai : Cleaned with backup
C:\WINNT\system32\ipfa.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\javavi.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINNT\system32\kernel32.exe -> TrojanDownloader.Small.yo : Cleaned with backup
C:\WINNT\system32\mfcll.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\system32\mskm32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\neten.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\netij.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\system32\netqm.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\ntcd.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\nteo.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\nthe32.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\ntjj.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\ntlh32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\ntus32.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\system32\oleext.dll -> Trojan.Small.ev : Cleaned with backup
C:\WINNT\system32\sdkgv32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\sdkhb32.dll -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\system32\shnlog.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINNT\system32\syscm32.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\syszs.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\winrs.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\system32\winsd32.dll -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\system32\winsl.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\sysvv.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\uninst.exe:uqirse -> TrojanDownloader.Agent.ap : Cleaned with backup
C:\WINNT\UNWISE.EXE:hrfms -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\vb.ini:rtxow -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\WINNT\WIN$$.VIZ:cncrsi -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\winhm.dll -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINNT\WMSysPrf.PRX:sfzeod -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\Zapotec.bmp:vygvdf -> Trojan.Agent.bi : Cleaned with backup
C:\WINNT\_ISREG32.DLL:tekzv -> TrojanDownloader.Agent.jb : Cleaned with backup
C:\x.cab/explorer.exe -> TrojanDownloader.Small.afa : Error during cleaning


::Report End

EWIDO 2nd report
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:41:07 PM, 8/19/2005
+ Report-Checksum: 5E98ABC7

+ Scan result:

C:\eied_s7.cab/eied_s7_c_84.exe -> TrojanDownloader.Mediket.aa : Cleaned with backup
C:\ex.cab/epl.exe -> TrojanDownloader.Small.agi : Cleaned with backup
C:\x.cab/explorer.exe -> TrojanDownloader.Small.afa : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 3:41:08 PM, on 8/19/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\spyware software\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\msole32.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\VISION~2\ONETOU~2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
C:\PROGRA~1\COMMON~1\AOL\111112~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\111112~1\EE\AOLServiceHost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\spyware software\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111122927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2446e66de59352e02c20/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124445307461
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124445263287
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spyware software\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
timberlandko
 
  1  
Reply Fri 19 Aug, 2005 07:29 pm
Yeah, I did change that, adding the SP2 bit - sorry if I confused or concerned you - the part about SP2 was an afterthought - it appears it worked for you, so apparently no harm done. Again, sorry if I caused you any worry.

I note that while XP SP2 has been updated, your Internet Explorer is still outdated. You should Bring it Current as soon as you're able to do so. You can put that off until we're done here, but you really should get it handled soon.

Anyhow, now back to work on what brought you here in the first place - and there's still some work to do.

Review and familiarize yourself with these instructions, then print them out for reference. Much of what will follow will be done while in safe mode. Follow the steps in order. It is best to do them in an unbroken chain, or at least without any browsing, email checking, chatting, or messaging between steps.

Create a folder on your desktop (right-click anywhere on a blank area of the desktop - that is, any area not occupied by a web item, a toolbar or an icon - select "New", select "Folder", and when the new folder appears, name it appropriately in the highlighted dialog box; in this case, the folder name should be HSFix), then click again anywhere on a blank area of the desktop. Download HSFix into that newly created and named folder. When it has downloaded, open the folder, right-click on the file named HSFix.zip, select "Extract all", and follow the prompts. Once the files have extracted, don't do anything with them, just close out of the folder. We'll use that tool in a bit.

Update Ad-Aware SE, EWIDO, Microsoft Antispyware, and Spybot S&D - don't run any of them yet; just have each check for updates and apply them if available, then exit the app once the update process has been completed.

Locate and launch AboutBuster, and have it check for updates, apply them if available, then exit the application.

Locate and launch CWShredder, and have it check for updates, apply them if available, then exit the application.

Disable/deactivate any resident security/privacy software you may have, such as antivirus, antispyware, adblocker, and/or popupblocker. Run the free antivirus scan-and-remove procedure Panda Activescan and save the log when it has completed.

I don't suggest breaking the chain of procedures here, but if you must, remember to re-enable/reactivate your resident security/privacy software before doing any email checking, messaging, chatting, or general web browsing.

Go to HOUSECALL and, with your resident privacy/security software deactivated or disabled, run the Antispyware scan-and-remove tool per the instructions provided there. I would suggest you also run the HOUSECALL online virus scan-and-remove procedure as well, per its instructions, but that's up to you. In any event, note the full filename and path of any file either app reports it was unable to deal with, if any such are reported at the end of the relevant scan-and-remove procedure. Please note the exact, verbatim, full filename and path.

When you have finished with those steps, boot into safe mode, locate and launch HJT, with no other windows or browsers open or other applications running, and place a checkmark next to ONLY the following entries, if found:

C:\WINNT\System32\msole32.exe
R3 - Default URLSearchHook is missing
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab
O16 - DPF: {11111111-1111-1111-1111-111191113457} - file://c:\ied_s7.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111193458} - file://c:\x.cab
O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)
O23 - Service: PictureTaker owner - c:\fixit\pt\PCTKRNT.SYS (file missing)


Click "Fix Checked". When the process has completed, do not reboot.

Locate and launch CWShredder, select "Fix", and let the process complete. Do not reboot. Immediately run CWShredder a second time, again selecting "Fix", and again do not reboot.

Locate and launch AboutBuster, and click "Start" to begin its process. It may ask to end the explorer.exe process; if so, let it do so. Your desktop may disappear; this is normal. When AboutBuster has completed, immediately run it a second time. When the second scan has completed, click "Save Log"; this will put a file named "AB Logfile.txt" in the same folder AboutBuster occupies. Note the location so you can find it easily when called for; we'll want that log in a bit.

Locate the HSFix folder on your desktop, open it, then open the unzipped folder inside it, and double-click "HSFix.bat" to run the application, confirming that is what you wish to do each time prompted. When HSFix has completed, reboot into safe mode once again.

When your machine has booted into safe mode, locate Ad-Aware SE and run a custom scan, as detailed in the UPDATED YUCKWARE REMOVAL/HiJackThis TIPS. Fix anything found. Do not reboot unless Ad-Aware SE requests permission to run again at next boot to complete removal. If it does ask, let it do so, reboot normally, let it complete its process, then reboot back into safe mode.

Locate and launch Microsoft Antispyware, make sure it is set to scan all drives, run a full scan and allow it to repair anything it finds. When it has completed, do not reboot.

Locate and launch Spybot S&D, run a full scan, and allow Spybot S&D to repair anything it lists in RED. Do not reboot unless Spybot S&D requests permission to run again at next boot to complete removal. If it does ask, let it do so, reboot normally, let it complete its process, then reboot back into safe mode.


Locate and launch EWIDO, run a full scan-and-clean, and save the log. Do not reboot.

Locate and launch CCleaner, select "Cleaner", and run a full scan-and-clean. When CCleaner has completed, reboot normally.

When your machine has rebooted, immediately run another HJT scan, fixing nothing, just saving the log. Locate and launch EWIDO, again run a full scan-and-clean, and save the log.

Be sure your resident security/privacy software is active and functioning, then connect to the internet, navigate back here, and post the requested logs and any other pertinent info.

If you wish, you may find it convenient to click "Turn on email updates" at the lower right of the page; this will cause an email to be sent to the address you've registered when this topic receives a reply.
0 Replies
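The helper's checklist above is built from a few recurring shapes in a HijackThis log: O16 (Download Program Files) entries pulled from file:// or hcp:// instead of a web host, O16 CLSIDs that were clearly typed by hand rather than generated (11111111-1111-...), and O21/O23/O9 entries that point at files which no longer exist. The script below is an added example by the editor, not part of the thread or of HijackThis itself; it encodes those shapes as heuristics and runs them over lines lifted from the logs quoted in this thread. The thresholds in clsid_looks_fabricated and the "fix" versus "review" labels are the editor's assumptions, not anything HijackThis or the helper defined.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed sample input: lines lifted verbatim from the HijackThis logs
# quoted in this thread, plus two known-good entries (Microsoft Update
# control, NVIDIA service) as control cases.
SAMPLE_LOG = [
    r"O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\ied_s7m.cab",
    r"O16 - DPF: {23232323-2323-2323-2323-232323291122} - file://c:\x.cab",
    "O16 - DPF: {36C66BBD-E667-4DAD-9682-58050E7C9FDC} (CDKey Class) - http://www.cdkeybonus.com/cdkey/ITCDKey.cab",
    "O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB",
    "O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2446e66de59352e02c20/netzip/RdxIE601.cab",
    "O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124445307461",
    "O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - (no file)",
    r"O23 - Service: PictureTaker - Unknown owner - c:\fixit\pt\PCTKRNT.SYS (file missing)",
    r"O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe",
    "O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)",
    "R3 - Default URLSearchHook is missing",
]

# O16 (Download Program Files) line: "{CLSID} (optional name) - source URL"
O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]{36})\}(?: \((.*?)\))? - (\S+)$")
# HJT's own markers for registry entries whose target file is gone
DANGLING_RE = re.compile(r"\((?:no file|file missing)\)\s*$")


def clsid_looks_fabricated(clsid: str) -> bool:
    """Heuristic (editor's assumption): a genuine CLSID is 32 essentially
    random hex digits, so it uses most of the 16 possible digits. Hand-typed
    ones such as 11111111-1111-1111-1111-111111113457 use only a handful,
    or lean on one digit for half the string."""
    digits = clsid.replace("-", "").upper()
    distinct = len(set(digits))
    top_share = max(digits.count(d) for d in set(digits))
    return distinct < 8 or top_share >= len(digits) // 2


def host_is_ip_literal(url: str) -> bool:
    """True when the download host is a bare IP address rather than a name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def triage_line(line: str):
    """Return (severity, reason) for a line worth acting on, else None.
    'fix' mirrors what the helper in this thread told the user to check in
    HJT; 'review' is a weaker signal a human should look at."""
    if DANGLING_RE.search(line):
        return ("fix", "entry points at a file that no longer exists")
    if line.startswith("R3 - Default URLSearchHook is missing"):
        return ("fix", "default URLSearchHook removed; HJT restores it")
    m = O16_RE.match(line)
    if m:
        clsid, name, url = m.groups()
        scheme = urlsplit(url).scheme.lower()
        if clsid_looks_fabricated(clsid):
            return ("fix", f"fabricated-looking CLSID {clsid}")
        if scheme in ("file", "hcp"):
            return ("fix", f"control sourced from {scheme}:// instead of a web host")
        if scheme in ("http", "https") and host_is_ip_literal(url):
            return ("review", "download host is a bare IP address")
        if name is None:
            return ("review", "control has no registered name")
    return None


def triage(lines):
    """Run triage_line over a whole log; returns [(severity, line, reason)]."""
    out = []
    for raw in lines:
        line = raw.rstrip()
        hit = triage_line(line)
        if hit:
            out.append((hit[0], line, hit[1]))
    return out


if __name__ == "__main__":
    for severity, line, reason in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run it and the two control entries (the Microsoft Update control and the NVIDIA service) pass clean while the eight items the helper singled out by shape are flagged. Note what it does not catch: the CDKey control from cdkeybonus.com has a real-looking CLSID, a name and a hostname, so it passes every structural test. The helper listed it anyway, from knowledge of that domain, which is the part of log triage that no purely syntactic rule replaces.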
 
dimick631
 
  1  
Reply Sat 20 Aug, 2005 07:58 pm
Thanks Timber. Followed your instructions. No problems executing them, except that the Housecall scan found some Microsoft security risks but did not fix them. I have posted what is said in the url from the scan. Also posted below are the Ewido report and the Hijack-this log.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:26:55 PM, 8/20/2005
+ Report-Checksum: F3E3ED23

+ Scan result:

No infected objects found.


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 8:57:37 PM, on 8/20/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\spyware software\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINNT\GWHotKey.exe
C:\PROGRA~1\VISION~2\ONETOU~2.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVSCHED32.EXE
C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
C:\PROGRA~1\AMERIC~1.0A\waol.exe
C:\WINNT\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\AOL\111112~1\EE\AOLHOS~1.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\COMMON~1\AOL\111112~1\EE\AOLServiceHost.exe
C:\PROGRA~1\AMERIC~1.0A\shellmon.exe
C:\WINNT\Explorer.EXE
C:\Program Files\spyware software\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~2\ONETOU~2.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1111122927\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [AVSCHED32] C:\Program Files\AVPersonal\AVSCHED32.EXE /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\VISION~1\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [AOLCC] "C:\Program Files\AOL Computer Check-Up\ACCAgnt.exe" /startup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0A\AOL.EXE" -b
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\Visioneer\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Instant Wireless Configuration Utility.lnk = C:\Program Files\Linksys\WPC11 Config Utility\WPC11Cfg.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\WINNT\System32\shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} (AOL Content Update) - http://esupport.aol.com/help/acp2/engine/aolcoach_core_1.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/2446e66de59352e02c20/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124445307461
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124445263287
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\spyware software\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe

Housecall MS security Risks
Critical This vulnerability enables a remote attacker to execute arbitrary code through the use of a malformed Advanced Streaming Format (ASF) file. It is caused by a buffer overflow in Microsoft Windows Media Player 6.4. MS01-056

Critical This vulnerability allows a remote attacker to execute arbitrary code via a NOTIFY directive with a long Location URL when the buffer overflow in Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP is triggered. The Universal Plug and Play (UPnP) on Windows 98, 98SE, ME, and XP could allow a remote attacker to cause a denial of service via a spoofed SSDP advertisement or a spoofed SSDP announcement to broadcast or multicast addresses. The former could cause the client to connect to a service on another machine that generates a large amount of traffic, while the latter could cause all UPnP clients to send traffic to a single target system. MS01-059

Critical This vulnerability allows an attacker to cause a denial of service attack to a target server machine. This is caused by a buffer overflow in SMB protocol in Microsoft Windows NT, Windows 2000, and Windows XP. MS02-045

Highly Critical This vulnerability enables a remote attacker to execute arbitrary code through a WebDAV request to IIS 5.0. This is caused by a buffer overflow in NTDLL.DLL on Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP. MS03-007

Highly Critical This vulnerability enables a remote attacker to execute any file that can be rendered as text, and be opened as part of a page in Internet Explorer. MS03-014

Critical This vulnerability enables a remote attacker to execute arbitrary code through a specially crafted MIDI file. This is caused by multiple buffer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL). MS03-030

Critical This vulnerability allows a remote attacker to execute arbitrary code without user approval. This is caused by the authenticode capability in Microsoft Windows NT through Server 2003 not prompting the user to download and install ActiveX controls when system is low on memory. MS03-041

Critical This vulnerability allows a remote attacker to execute arbitrary code on the affected system. This is caused of a buffer overflow in the Messenger Service for Windows NT through Server 2003. MS03-043

Important This vulnerability is due to a buffer overrun in the ListBox and ComboBox controls found in User32.dll. Any program that implements the ListBox control or the ComboBox control could allow arbitrary code to be executed at the same privilege level. This vulnerability cannot be exploited remotely. MS03-045

Critical The MHTML URL Processing Vulnerability allows remote attackers to bypass domain restrictions and execute arbitrary code via script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers.This could allow an attacker to take complete control of an affected system. MS04-013

Critical This vulnerability exists in the Help and Support Center (HCP) and is due to the way it handles HCP URL validation. This vulnerability could allow an attacker to remotely execute arbitrary code with Local System privileges. MS04-015

Moderate This is a denial of service (DoS) vulnerability. It affects applications that implement the IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay. Applications that use this API are typically network-based multiplayer games. An attacker who successfully exploits this vulnerability could cause the DirectX application to fail while a user is playing a game. The affected user would then have to restart the application. MS04-016

Moderate A denial of service (DoS) vulnerability exists in Outlook Express that could cause the said program to fail. The malformed email should be removed before restarting Outlook Express in order to regain its normal operation. MS04-018

Critical This vulnerability lies in an unchecked buffer within the Task Scheduler component. When exploited, it allows the attacker to execute arbitrary code on the affected machine with the same privileges as the currently logged on user. MS04-022

Critical An attacker who successfully exploits this vulnerability could gain the same privileges as that of the currently logged on user. If the user is logged in with administrative privileges, the attacker could take complete control of the system. User accounts with fewer privileges are at less risk than users with administrative privileges. MS04-023

Critical This vulnerability lies in the way the affected components process JPEG image files. An unchecked buffer within this process is the cause of the vulnerability. This remote code execution vulnerability could allow a malicious user or a malware to take complete control of the affected system if the affected user is currently logged on with administrative privileges. The malicious user or malware can execute arbitrary code on the system giving them the ability to install or run programs and view or edit data with full privileges. Thus, this vulnerability can conceivably be used by a malware for replication purposes. MS04-028

Important An unchecked buffer exists in the NetDDE services that could allow remote code execution. An attacker who is able to successfully exploit this vulnerability is capable of gaining complete control over an affected system. However, the NetDDe services are not automatically executed, and so would then have to be manually started for an attacker to exploit this vulnerability. This vulnerability also allows attackers to perform a local elevation of privilege, or a remote denial of service (DoS) attack. MS04-031

Critical This cumulative release from Microsoft covers four newly discovered vulnerabilities: Windows Management Vulnerability, Virtual DOS Machine Vulnerability, Graphics Rendering Engine Vulnerability, and Windows Kernel Vulnerability. MS04-032

Critical This is another privately reported vulnerability about Windows Compressed Folders. There is vulnerability on the way that Windows processes Compressed (Zipped) Folders that could lead to remote code execution. Windows can not properly handle the extraction of the ZIP folder with a very long file name. Opening a specially crafted compressed file, a stack-based overflow occurs, enabling the remote user to execute arbitrary code. MS04-034

Critical This security bulletin focuses on the following vulnerabilities: Shell Vulnerability (CAN-2004-0214), and Program Group Converter Vulnerability (CAN-2004-0572). Shell vulnerability exists on the way Windows Shell launches applications that could enable remote malicious user or malware to execute arbitrary code. Windows Shell function does not properly check the length of the message before copying to the allocated buffer. Program Group Converter is an application used to convert Program Manager Group files that were produced in Windows 3.1, Windows 3.11, Windows for Workgroups 3.1, and Windows for Workgroups 3.11 so that they can still be used by later operating systems. The vulnerability lies in an unchecked buffer within the Group Converter Utility.
0 Replies
 
timberlandko
 
  1  
Reply Tue 23 Aug, 2005 09:43 pm
Your latest logs look pretty good - no readily identifiable yuckware signatures. Yuckware-wise, at the moment, anyhow, I think we can mark this one resolved. However, what Housecall was telling you is that your Windows and/or IE are seriously out of date, and thus extremely vulnerable. I'd say now would be a good time to get busy and start getting your system caught up - hammer Windows Update until it tells you there are no more updates available. Do as little web surfing as you can manage until you're caught up, and don't open any email attachments or click on any links received via email, chat, or messaging until you're fully caught up (and then, use your head - don't be foolish about unexpected/uninvited attachments and links; if you don't know for certain what they are, who they're from, and what they're for, delete them or ignore them).

You oughtta have HJT fix these 2 items:

O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)


They're not malicious, they're just references to non-existent files.


So - get Windows Update out of the way, completely, and you should be good to go. Once you've done that, test things for a while - and of course stay absolutely current on all of your updates and make sure your security/privacy software is active and functioning properly. If after a brief period of normal use things seem to stay normal and you're satisfied all is as it should be, you can delete the tools you won't be using any more (they won't hurt anything, but they do take up some disk space) - though I strongly recommend keeping, using, and maintaining updates for Ad-Aware SE, CCleaner, and/or Cleanup, Microsoft Antispyware, Spybot S&D and SpywareBlaster.

When you're ready, run Cleanup one more time while in safe mode, then defrag your machine, re-enable System Restore, boot back into safe mode, and when the system has fully booted, set a fresh restore point. Reboot normally, Stay Safe Out There, and enjoy.
0 Replies
 
dimick631
 
  1  
Reply Wed 24 Aug, 2005 12:41 am
Will do. Thanks for all your help.
0 Replies
 
timberlandko
 
  1  
Reply Wed 24 Aug, 2005 08:03 am
Yer weccum - glad we could help. Hope you stick around and enjoy the website - there's stuff here of interest to just about anyone. Enjoy.
0 Replies
 
 
