
[Resolved] open search web and other spyware and junk

 
 
sepand
 
Reply Wed 7 Sep, 2005 10:07 am
It seems I've recently become the target of spyware. My IE's homepage is set to some bizarre link, which is automatically directed to searchweb2.com. My Firefox homepage is set to another bizarre link, something like aksdfhoaiht0aoith0-1239u10i3.com, which of course doesn't open anything. Also, I have 4 unwanted files on my desktop which don't delete, or come back after being deleted. These are: my antivirus update, casino online, cellphone ringtones, find a date.

HEEEEEEEELP! What do I do? I've run Ad-Aware and Spybot. Nothing seems to work. Please help.
Thanks,

Sep
Type: Discussion • Score: 1 • Views: 3,167 • Replies: 15

 
timberlandko
 
  1  
Reply Wed 7 Sep, 2005 01:55 pm
Howdy, sepand, and welcome to A2K. If you're up for doing some attention-to-detail work of your own, have a look HERE.

If you do decide to give that a shot, continue here on this thread, not that one, and I'll see what I can do to help you out. You might find it convenient to click "Turn on email updates" down at the lower right of this page; doing so will cause an email notification to be sent to the email address you registered when joining A2K whenever a reply is posted to this thread.
0 Replies
 
sepand
 
  1  
Reply Fri 9 Sep, 2005 06:24 pm
0 Replies
 
timberlandko
 
  1  
Reply Sat 10 Sep, 2005 10:32 am
Re: Report
sepand wrote:
Thanks. I did almost everything that was said in the link you sent me, except for Microsoft AntiSpyware

That's part of the process, which has to be followed as laid out, in order, to completion - "almost everything" isn't everything.

Quote:
.... boy did this take a looooon time. So here are the results:

Yeah, it takes a while ... getting rid of yuckware is a lot more involved than getting it.

Quote:
* Your link to Stinger doesn't work. Had to search on google.

The link is good; if it did not work from your machine, that likely is due to the infections you have.

Quote:
* Ad-aware finds nothing anymore.

1) Do you have Ad-Aware SE configured for Custom Scan, as directed?
2) Have you run in both in safemode and normal mode?
3) Have you run the VX2Cleaner plugin as directed?

Quote:
* Spybot found a few things even the second time (or was it the 3rd?). Those are now fixed.

With any of the tools, it may take more than one pass to get the job done; often getting rid of one item unmasks other items that will need attention. This is normal.

Quote:
* I scanned with my own antivirus (Symantec) and it gave me nothing. I scanned it with the online version, and it reported 56? infected files. I deleted them myself, since the online version wouldn't do it.

If you kept a record of those files, I'd like to see it; my job is a lot easier if all the steps are performed as directed and all the requested logs are provided.

Quote:

I suspect your problems here also stem from the infections on your machine. We'll do something about that in a bit.

Quote:
* My last EWIDO log (found nothing):
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 19:02:25, 2005/09/09
+ Report-Checksum: 759CEA8F

+ Scan result:

No infected objects found.


::Report End

If you kept the first EWIDO log, as directed, I'd like to see it.


Quote:
* Hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 20:02:50, on 2005/09/09
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) ...


There are plenty of problems there, many of which I would expect to already have been addressed by the various steps and tools in the procedure.
Quote:
1) My IE's homepage is still altered to some http://0153tr1yh03t1-3051-50513509agoiaweotawotawotq02394ty2 weird link which is directed to searchweb2.com, and titled OPEN SEARCH WEB.
2) My MOZILLA FIREFOX homepage also keeps changing to a link similar to the one i mentioned, but unlike IE, nothing comes up.
3) I still have those 4 annoying icons on my desktop that can't be deleted or keep coming back, namely, ONLINE CASINO, CELLPHONE RINGTONES, FIND A DATE, MY ANTIVIRUS UPDATE.


Yup; that's because the primary problem, which is related to MessengerPlus, still is there. Ad-Aware SE's VX2 Cleaner plugin should have addressed this, as should Microsoft Antispyware and EWIDO.

Quote:
Annoooooying.
And thank you sooo much. I really hate spyware.


Yeah, I ain't fond of it either. That's the reason behind the removal process we use here.

Anyhow, lets see what we can do with what we've got here. First, go Start>Control Panel>Add/Remove programs, and get rid of MessengerPlus and Flashget. Those are where you got most of what afflicts you.

Print out these instructions. Gather the recommended downloads and perform the updates and configurations as necessary, then in safe mode perform the scans recommended below, as directed, and in the order listed.

Create a new folder in your Programs folder or directly on your root drive named Sysclean (e.g. - C:\Program files\Sysclean).

Download Sysclean.com to this folder.

Download the latest Pattern Release zip file (e.g. - lpt$vpn.xxx, where "xxx" is a 3-digit number) and extract its contents to the same folder to which you downloaded Sysclean. This file must be saved to the same folder from which you run Sysclean; the executable "Sysclean.com" and the "lpt$vpn.xxx" file MUST be in the same folder. When you have properly downloaded, extracted, and placed into the same folder both the scanning engine, "Sysclean.com", and the pattern file, "lpt$vpn.xxx", do not run the scan, just close the folder.

If you have not done so yet, download and install Ad-Aware SE's VX2 Cleaner Plugin. Also, update Ad-Aware SE. Do not run the plugin or scan with Ad-Aware SE yet, just close out when the update has completed.

Update EWIDO.

Download, install, update, and configure Microsoft Antispyware as directed in the procedure. When this has been done, don't run it, just close out of it, then reboot into safe mode.

Once booted into safe mode, locate the Sysclean folder, be certain the extracted "lpt$vpn.xxx" file and "Sysclean.com" are present together in the same folder, then, with NO OTHER APPLICATIONS RUNNING OR WINDOWS OR BROWSERS OPEN, double-click "Sysclean.com" to run the application. It is a very thorough scan and likely will take a while to complete. When it has completed, it will place a log in the Sysclean folder; I would like to see that log when you post back here after following the remaining steps. When Sysclean has completed, perform a full scan-and-clean with CCleaner, then reboot into safe mode.

Perform a full scan-and-clean with EWIDO, saving the log. When the scan has been completed, perform a full scan-and-clean with CCleaner, then reboot into safe mode and repeat the EWIDO scan-and-clean process. When completed, save the log, and reboot into safe mode.

Locate and launch Ad-Aware SE, and execute the VX2 Cleaner plugin. When the plugin has completed, run a full scan-and-clean with Ad-Aware SE, then reboot into safe mode.

Locate and launch Microsoft Antispyware, click its "Advanced Options" icon, then click the "Browser Hijack Restore" icon. At the bottom of the page that will open, click "Select All", then click "Restore", confirm if prompted, and then perform a full scan-and-clean with Microsoft Antispyware, followed by a full scan-and-clean with CCleaner. Reboot into safe mode and again run a full scan-and-clean with Microsoft Antispyware, followed by another full scan-and-clean with CCleaner.

When the above all has been completed, reboot normally, not into safe mode, BUT DO NOT CONNECT TO THE INTERNET - if necessary, physically disconnect your machine from your internet connection interface (phoneline/modem, broadband adapter, router, whatever - the machine should not be able to access the internet when it boots, period), immediately run scan-and-cleans with Ad-Aware SE, EWIDO (saving the log), Microsoft Antispyware, and CCleaner. Do not reboot following the CCleaner scan-and-clean; run HJT, fixing nothing, just saving the log.

When that all has been completed, reboot normally, be certain your resident antivirus is enabled, connect to the internet, navigate back here, and post the requested logs, along with any error messages - VERBATIM - you may have received (along with a description of what you were doing when the error message came up), and any other information or questions you might have.
0 Replies
 
sepand
 
  1  
Reply Sat 10 Sep, 2005 11:36 am
*
Quote:
to completion -"almost everything" isn't everything.

I couldn't download Microsoft's antispyware program cuz it didn't recognize my Windows as original, which can be actually true since I bought this computer in China Town! I did everything else though, except for that 1 program which kept giving me an error (Trend Micro?).

*
Quote:
1) Do you have Ad-Aware SE configured for Custom Scan, as directed?
2) Have you run in both in safemode and normal mode?
3) Have you run the VX2Cleaner plugin as directed?

1) Yes, Custom scan.
2) yes, in both modes.
3) Yes, VX2Cleaner was executed.


* Results for Online Symantec scan
Virus Status: Infected!
Your computer is infected with at least one known threat.



83189 files scanned, 56 file(s) infected on your disk drives.
No viruses were detected in memory.
Your computer is free of known threats. Virus Detection does not check compressed files.
Your computer appears safe for now. For real-time protection from viruses, hackers and privacy threats, upgrade to Norton Internet Security™.
No viruses were detected in memory.
The scan was cancelled before finishing. To restart the scan, click here.
Your computer is free of known threats. Virus Detection does not check compressed files.
Your computer appears safe for now. For real-time protection from viruses, hackers and privacy threats, upgrade to Norton Internet Security™.
Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

Warning! The scan detected a virus that is active in your computer's memory.
The scan ended to prevent further infection.
You should shut down your computer immediately and restart it with an antivirus rescue disk or similar tool.
No viruses were detected in memory.
Your computer is infected with at least one known virus or Trojan horse.
Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

No viruses were detected in memory.
Your computer is infected with at least one known virus or Trojan horse.

Note: The scan was cancelled before finishing. There may be more infected files on this computer.
Search for the name of the threat(s) listed below on the Symantec Security Response site for removal information.

C:\Documents and Settings\Sep\Local Settings\Temporary Internet Files\Content.IE5\IDCZYX2P\toolbar2[1].htm is infected with Adware.Istbar
C:\Documents and Settings\Sep\Local Settings\Temporary Internet Files\Content.IE5\BN6NG4IY\toolbar1[1].htm is infected with Adware.Windupdates
C:\Documents and Settings\Sep\Local Settings\Temporary Internet Files\Content.IE5\BN6NG4IY\upAYB[1].int is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temporary Internet Files\Content.IE5\09YZC96F\install[1].htm is infected with Adware.Windupdates
C:\Documents and Settings\Sep\Local Settings\Temp\180sainstallernusalm.exe is infected with Adware.180Search
C:\Documents and Settings\Sep\Local Settings\Temp\70819689.exe is infected with Download.Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\709247ca.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\709596cc.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\70993083.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\70b9e734.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\71463d31.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\7149c147.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\71736438.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\728241de.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\7296c542.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\Inside Program.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Local Settings\Temp\kshgbzxw.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\bmoecvqu.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\cbayhjla.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\cdwcvhcg.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\cfvfopen.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\cqfsmjum.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\fwrzrcdy.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\jzvnspjn.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\lzqvzyif.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\mipierjs.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\owns bind ref 01.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\pbflmgng.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\qiamgjwi.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\shqafkqm.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\tttrgajt.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\tvpjkrzc.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\VIEW TRANS MEAL.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\wikidoyk.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\wsungprc.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\ymishtsj.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\Thiscakeamok\ynosvezf.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\face copy\Way type.exe is infected with Adware.Lop
C:\Documents and Settings\Sep\Application Data\face copy\__delete_on_reboot__Does Online.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\32 burn.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Bags Safe.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\BendThunk.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\burnjunk.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Clock Trans.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Coal Intra.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Cool sixth.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\CURB BAT.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Does warn.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\five site.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\InfoDraw.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\keeplite.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Name Log.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Name Safe.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Pure log.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\rdr window.exe is infected with Adware.Lop
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\Shim Bait.exe is infected with Adware.Lop

These files were deleted manually.

*
Quote:
If you kept the first EWIDO log, as directed, I'd like to see it.

Sorry, forgot!

*
Quote:
1) My IE's homepage is still altered to some http://0153tr1yh03t1-3051-50513509agoiaweotawotawotq02394ty2 weird link which is directed to searchweb2.com, and titled OPEN SEARCH WEB.
2) My MOZILLA FIREFOX homepage also keeps changing to a link similar to the one i mentioned, but unlike IE, nothing comes up.
3) I still have those 4 annoying icons on my desktop that can't be deleted or keep coming back, namely, ONLINE CASINO, CELLPHONE RINGTONES, FIND A DATE, MY ANTIVIRUS UPDATE.


Yup; that's because the primary problem, which is related to MessengerPlus, still is there. Ad-Aware SE's VX2 Cleaner plugin should have addressed this, as should Microsoft Antispyware and EWIDO.

Well, I ran both ad-aware SE's VX2 and EWIDO, and the problem remains.

*
Quote:
Download the latest Pattern Release zip file

Did you mean the latest Virus Pattern Release file or the latest Spyware Pattern Release file? They seem to be two separate things in the link you provided.

* I'll do everything you asked once I know what you meant by the latest Pattern Release file. But I don't think I can get around Microsoft's antispyware.

Thanks again, cheers.
0 Replies
 
timberlandko
 
  1  
Reply Sat 10 Sep, 2005 01:23 pm
I mean the latest virus Pattern Release file.

Now, on to other things here that may present a major problem;
You wrote:
... I couldn't download Microsoft's antispyware program cuz it didn't recognize my Windows as original, which can be actually true since I bought this computer in China Town! ... I don't think I can get around Microsoft's antispyware.


If your version of Windows will not validate for Microsoft downloads and actually is an illegitimate copy of Windows, you have a pretty big problem which needs to be addressed by legitimizing your Windows. Perhaps a phone call to Microsoft may sort it out for you; it is possible yours is a legitimate copy and simply does not verify for any of a number of reasons. Details and support options may be found HERE.
0 Replies
 
sepand
 
  1  
Reply Fri 16 Sep, 2005 11:18 am
Done.

* Sysclean log file: it was too long, so I posted it HERE.

* MS Antispyware found a couple of files the first time, and nothing on the 2nd and 3rd run.

* Ad-aware found nothing at all.

* The 3 EWIDO scans:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:06:04 PM, 9/15/2005
+ Report-Checksum: D85E89B

+ Scan result:

:mozilla.19:C:\Documents and Settings\Sep\Application Data\Mozilla\Firefox\Profiles\annxe6j3.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Sep\Application Data\Mozilla\Firefox\Profiles\annxe6j3.default\cookies.txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Sep\Application Data\Mozilla\Firefox\Profiles\annxe6j3.default\cookies.txt -> Spyware.Cookie.Googleadservices : Cleaned with backup


::Report End


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 1:00:41 AM, 9/16/2005
+ Report-Checksum: E2ACC2FB

+ Scan result:

No infected objects found.


::Report End


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 04:26:29, 2005/09/16
+ Report-Checksum: B4CFC7D9

+ Scan result:

No infected objects found.


::Report End


* My HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 12:56:49, on 2005/09/16
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\Drivers\SAP\FD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.ca
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: (no name) - {E817F8C6-8E2A-ED4B-0FAF-4AB370918B95} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [FD_SAP] C:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [pile browse team user] C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\rdr window.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/HTML/interactive/zt3000/model.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4576/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

IE still has a search bar on top of it, which i think is called Search Web or something like that. My homepage links are fine now, but that's because MS Antispyware is BLOCKING it from being changed, so the problem still persists.

So what now?

Thanks.
0 Replies
 
sepand
 
  1  
Reply Sat 17 Sep, 2005 02:31 pm
K one more problem: it seems that after running Microsoft Antispyware, or maybe some other program, I can't get hotmail to work anymore. The login page loads veeeery slow, and inbox just never comes. I haven't checked my mail in more than 24 hours now. Any clues?
0 Replies
 
timberlandko
 
  1  
Reply Sat 17 Sep, 2005 09:28 pm
Sorry if it seems I've left you hanging here - been pretty busy. I doubt MS Antispyware had anything at all to do with the problems you report accessing Hotmail; it mostly just doesn't work that way. Something else is going on there. BTW - the Sysclean log came out clean - it reported no infection found.

Tell ya what - I'd like to know the exact name of that toolbar you mention - that'll be of use to me. I'd also like to know whatever you can tell me about this:
C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\rdr window.exe


What I'd like you to do is update Microsoft Antispyware, then just close it without running it. Next, go to your browser's toolbar, select "Manage Add-ons", make sure the dropdown is set to "Add-ons currently loaded in Internet Explorer", and disable any and all non-Microsoft add-ons.

Next, using Windows Explorer, navigate to C:\WINDOWS\SYSTEM32\DRIVERS\ETC and locate the file named just "hosts". Right-click on that file, select "Open with", select "Notepad", and open the file. When it has opened, in Notepad, go up to Notepad's toolbar, select "Save as", name the file something like "sepands hosts file", and post that here, too.

Next, run HJT, and place a check next to each of ONLY the following entries, if reported:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {E817F8C6-8E2A-ED4B-0FAF-4AB370918B95} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

Click "Fix checked", and when the process has completed, boot into safe mode, launch Microsoft Antispyware, select "Advanced Tools", select "Browser Restore", then click "Check all" and click "Restore" (essentially, this will reset your browser and search preferences to Microsoft defaults; you can change back to whatever you prefer when things are cleaned up and sorted out). When that has been completed, select "Spyware Scan" and run a full system scan-and-clean routine. Follow that with a full system scan-and-clean with CCleaner.

When that has completed, boot normally, immediately run an HJT scan, fixing nothing, save the log, and post it here too, along with whatever other info you have for me.

sepand
Reply Sun 18 Sep, 2005 12:07 am
K I'll do the above after posting the specs of my new problem. I'm pasting it from another forum:

* The sign-in page usually loads, but very very slow and after clicking on the REFRESH button a couple of times in anger. But when I sign in, hotmail doesn't load. It simply stops on a blank page and the status says done.

* This happens on all computers on my network. There are 3 comps in the house, 2 desktops and a laptop, all connected to a D-Link router, which itself is connected to a cable modem. NONE OF THE COMPUTERS CAN LOAD HOTMAIL.

* The problem seems to have started 36 hours ago, and if I'm not wrong, it started after I scanned my computer with Microsoft Antispyware. Well actually, I scanned my comp with a lot of things: Sysclean, CCleaner, Ad-aware, Ewido, and Spybot, but I had used these programs before without any problems. It was the first time though that I was using MS Antispyware. However, I only ran the antispyware program on ONE COMPUTER ONLY, but somehow all computers have the same problem now. I'm not sure if this is related to the antispyware program.

* I know there's nothing wrong with my hotmail account or with their server because my friend logged in for me several times from her computer in a different location and it worked fine.

* I've tried to get in through Internet Explorer (I use Mozilla Firefox) and Microsoft Outlook. Obviously it didn't work.

* Router and modem have been reset several times. No change.

* Other msn websites, like www.msn.com and messenger.msn.com, work fine.

* I've checked the HOSTS file, and there are no redirects. I'll post the file later.

K that's it. I thought it might be a problem with my router, but someone told me it's probably my ip and I should change my DNS. I have no clue how to do that.

Thanks man. You've been so helpful.

sepand
Reply Sun 18 Sep, 2005 01:07 am
K hotmail is working now, after almost 48 hours. Phew! I figured how to change my DDNS, whatever that is. Just changed it to another link, and hotmail is back. Now if only I can stop the 5-10 junk mails that I get everyday...

sepand
Reply Sun 18 Sep, 2005 01:38 am
* The toolbar/search bar is directed to searchweb2.com, and I think it's called "Open Search Web".

* The file you mentioned: C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\rdr window.exe. I don't know anything about it. What is this DRAW REGS PILE BROWSE folder anyways? It seems to contain some files which sound fishy. To name a few: 32 burn, BendThunk, Clock Trans, Cool sixth, Does warn, Shim Bait, burnjunk, keeplite, and a couple more.

* I don't have the Manage add-ons option, and I don't have SP2. If you remember, I had a problem with validating my Microsoft. I contacted them, and they told me to talk to the store from which I bought my computer, or buy the actual product. The problem is though, that unlike the other 2 computers in this house, this one was custom-made, meaning that almost each part of the PC was bought in a different store (all in Chinatown), and then put together by me and my friend. Even though the guy said it comes with Windows XP, I guess he gave me a pirated version. The problem is, that was 4 years ago exactly, and I don't even remember what I bought from which store. But since this baby is getting too old, it's going to be put to rest soon, in like 6 months. So I didn't actually go back to the Microsoft website and buy XP: I downloaded it from my other computer, and used the file. Anyways, the moral of the story: I don't have add-ons.

* The HOSTS file:
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost

I'm guessing it's clean?

* Fixed those 3 entries on HJT.

* Ran MS Antispyware. Found nothing. Ran CCleaner also. Here's HJT:
Logfile of HijackThis v1.99.1
Scan saved at 03:38:00, on 2005/09/18
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\Drivers\SAP\FD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\winhlp32.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [FD_SAP] C:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [pile browse team user] C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\rdr window.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/HTML/interactive/zt3000/model.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4576/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Thanks again.

sepand
Reply Mon 19 Sep, 2005 10:25 am
K problems with hotmail again. Here's the timeline/history/whatever you wanna call it.

* The problem first started after I ran several scans on my old desktop (spybot, ad-aware, CCleaner, Sysclean, Microsoft Antispyware, etc.). All three computers could no longer load hotmail (2 desktops and a laptop).

* Then I changed my DDNS, and everything seemed fine for a night.

* Then in the morning, only my laptop would load hotmail. The other 2 desktops on the network couldn't load it.

* And finally, last night, I ran spybot, ad-aware, ccleaner, and microsoft antispyware on the laptop, and now, the laptop doesn't load hotmail either.

What the hell is going on???? Me confooooooozd. Me irritated.

I appreciate all the help.

timberlandko
Reply Mon 19 Sep, 2005 11:19 pm
We'll get to that Hotmail thing in a bit - let's get things cleaned up some first.

Your hosts file shows nothing out of the ordinary; it's the default, "empty" hosts file.

I take it that toolbar is still there?

Please download fl.zip.
Extract the contents to a new folder on your Desktop. In that folder, locate & double-click "fl.bat". It should produce and save a .txt report directly on your "C:" drive, at c:\findlop.txt. Include the report in your next reply.

Launch HJT, select "Misc Tools", select "Open Process Manager", and from the Process list page which opens (actually, it's a version of Itty Bitty Process Manager), select either the 1st icon on the right hand side above the detail box which lists the processes to copy the list to your clipboard, then paste the list into Notepad and save it to post here, or click the second icon, which will save the file - give it a name you'll recognize, check to be sure it will be saved as a .txt file, note where it has been saved (by default it should save to the same folder from which HJT is run), so you can post it here. When you've saved the process list, click "Back", run a scan, and have HJT fix this entry:

O4 - HKLM\..\Run: [pile browse team user] C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE

Then, boot to safe mode, locate that folder - "C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE" - and delete it. If it puts up a fight, launch HJT again, select "Misc Tools", select "Delete a file on reboot", point the navigation box to that file (from the "Look in" dropdown, select "Local Disk (C:)", then select "Documents and Settings", then select "All Users", then select "Application Data", then locate and select the file "DRAW REGS PILE BROWSE"), click "Open", confirm, and reboot when prompted.


When you've rebooted, immediately run another HJT scan, fixing nothing, just saving the log. Navigate back here and post that HJT log, the process list from HJT you saved earlier, and the findlop.txt report.

Now, for that Hotmail deal - try this: From Internet Explorer's toolbar, select "Tools">"Internet Options". Under the "General" tab, the second pane should be "Temporary Internet Files". Select "Delete Cookies" and confirm, then select "Delete Files", put a checkmark next to "Delete all offline content", click "OK" and confirm. Close all instances of Internet Explorer, reboot normally, and see if Hotmail loads correctly.
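The two artifacts this thread keeps coming back to are the hosts file (checked for redirects above) and the HJT log (with its "(no file)" entries and the autorun pointing into "All Users\Application Data"). The following Python is an added example of a defender-side triage of both; it is not HijackThis code or anything posted in the thread, the sample hosts and HJT lines are constructed (modeled on the ones posted above), and the random-word name heuristic is this example's own assumption, not an HJT rule.

```python
"""Triage helpers for a Windows hosts file and a HijackThis (HJT) log.
Added example for this thread; not HJT's own code."""
import re
from typing import List, Tuple

# Constructed sample: the stock XP hosts file as posted in the thread, with
# two hijack-style lines appended for illustration.  192.0.2.10 is an
# RFC 5737 documentation address, not a real server.
HOSTS_SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 www.symantec.com      # black-holes an antivirus vendor
192.0.2.10 www.google.com       # sends a search site elsewhere
"""

# Constructed sample HJT lines, modeled on the log posted in this thread.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {E817F8C6-8E2A-ED4B-0FAF-4AB370918B95} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [pile browse team user] C:\Documents and Settings\All Users\Application Data\DRAW REGS PILE BROWSE\rdr window.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
"""

LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def hosts_findings(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs that are not plain loopback entries.

    A stock XP hosts file holds only '127.0.0.1 localhost'.  A hijacker adds
    lines that black-hole security vendors or redirect popular sites; a
    blocklist such as Spybot's HOSTS list adds many 127.0.0.1 lines on
    purpose.  Either way, every extra mapping deserves a human look.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if ip in LOOPBACK and name.lower() in LOCAL_NAMES:
                continue
            findings.append((ip, name))
    return findings


HJT_LINE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
O4_BODY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Autoruns normally live under Program Files or WINDOWS; a profile folder is
# an odd place for one (both long and 8.3 short forms are checked).
PROFILE_DIRS = ("documents and settings", "application data", "docume~1", "applic~1")


def random_words(name: str) -> bool:
    """Heuristic (this example's assumption): lop.com-style autorun names such
    as 'pile browse team user' are three or more short, purely alphabetic words."""
    words = name.split()
    return len(words) >= 3 and all(w.isalpha() and len(w) <= 6 for w in words)


def hjt_findings(log: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for HJT lines worth fixing or reviewing."""
    findings = []
    for raw in log.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3") and "(no file)" in body:
            # Orphaned BHO/toolbar registration: the DLL is gone, the key stays.
            findings.append((sec, "orphaned BHO/toolbar entry, file missing", raw))
        elif sec == "O4":
            o4 = O4_BODY.match(body)
            if not o4:
                continue
            cmd = o4.group("cmd").lower()
            if any(d in cmd for d in PROFILE_DIRS):
                findings.append((sec, "autorun launched from a profile folder", raw))
            elif random_words(o4.group("name")):
                findings.append((sec, "lop-style random-word autorun name", raw))
    return findings


if __name__ == "__main__":
    for ip, name in hosts_findings(HOSTS_SAMPLE):
        print(f"hosts: {ip:<12} {name}")
    for sec, reason, line in hjt_findings(HJT_SAMPLE):
        print(f"{sec}: {reason}\n    {line}")
```

Run against a real log, the O4 rule is what singles out the "pile browse team user" entry while leaving vptray and ctfmon alone; the hosts rule reports nothing on the default file posted above.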

sepand
Reply Tue 20 Sep, 2005 12:55 am
HJT:
Logfile of HijackThis v1.99.1
Scan saved at 02:50:04, on 2005/09/20
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\Drivers\SAP\FD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.ca
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = news.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.ca
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.ca
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [FD_SAP] C:\WINDOWS\System32\Drivers\SAP\FD.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [WeatherEye] C:\program files\TheWeatherNetwork\WeatherEye\WeatherEye
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ICQ 4 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.viewpoint.com/cgi-bin/compaq.v2/vet_install_popup.pl?1&4&04.00.08.43-hp&http://h71016.www7.hp.com/HTML/interactive/zt3000/model.html
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4576/mcfscan.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IMDownloader Class) - http://www2.incredimail.com/contents/setup/downloader/imloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Findlop:
Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\Administrator\Application Data

09/09/2005 05:15 AM <DIR> Lavasoft
09/09/2005 03:02 AM <DIR> Mozilla
09/09/2005 03:02 AM <DIR> Talkback
0 File(s) 0 bytes
3 Dir(s) 7,260,574,720 bytes free
Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\All Users\Application Data

02/03/2004 03:28 AM <DIR> Adobe
02/09/2004 06:28 AM <DIR> Aquarius Soft
12/28/2004 04:28 AM <DIR> Creative
08/31/2005 12:56 PM <DIR> DRAW REGS PILE BROWSE
04/06/2004 04:49 PM <DIR> QuickTime
01/11/2005 02:22 AM <DIR> Skype
09/09/2005 07:58 PM <DIR> Spybot - Search & Destroy
02/03/2004 04:25 AM <DIR> Symantec
12/18/2004 04:14 PM <DIR> Viewpoint
09/08/2005 02:10 AM <DIR> Windows Genuine Advantage
09/12/2005 12:20 AM <DIR> yahoo!
09/16/2005 01:16 PM <DIR> Yahoo! Companion
0 File(s) 0 bytes
12 Dir(s) 7,260,573,184 bytes free
Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\Sep\Application Data

02/07/2004 05:28 PM <DIR> Adobe
06/17/2005 02:11 AM <DIR> AdobeUM
02/08/2004 02:24 PM <DIR> Ahead
02/09/2004 06:28 AM <DIR> Aquarius Soft
12/28/2004 04:28 AM <DIR> Creative
09/08/2005 08:38 PM <DIR> face copy
10/06/2004 07:35 PM <DIR> FotoWire
02/03/2004 04:03 AM <DIR> Help
09/20/2004 02:30 AM <DIR> ICQ
09/20/2004 02:33 AM <DIR> ICQLite
10/15/2004 01:15 PM <DIR> Identities
05/27/2005 07:39 PM <DIR> Lavasoft
05/05/2004 03:53 PM <DIR> Leadertech
02/08/2004 05:20 PM <DIR> Macromedia
06/24/2004 02:00 PM <DIR> Microsoft Games
11/09/2004 11:14 AM <DIR> Mozilla
03/15/2004 12:27 AM <DIR> PSXLData
04/04/2004 05:53 PM <DIR> Real
01/11/2005 02:15 AM <DIR> Skype
02/03/2004 03:04 AM <DIR> Sun
11/09/2004 11:14 AM <DIR> Talkback
03/26/2004 12:28 AM <DIR> Yahoo! Messenger
0 File(s) 0 bytes
22 Dir(s) 7,260,571,648 bytes free
Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\Sepand\Application Data

08/23/2005 11:01 AM <DIR> Help
08/23/2005 11:00 AM <DIR> Identities
08/23/2005 11:01 AM <DIR> Real
0 File(s) 0 bytes
3 Dir(s) 7,260,571,648 bytes free
Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\Default User\Application Data

02/02/2004 06:35 PM <DIR> .
02/02/2004 06:35 PM <DIR> ..
02/02/2004 06:35 PM 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 7,260,571,136 bytes free
Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is B4F2-F95D

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AEB5B13D918621B1.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\sep\applic~1\thisca~1\VIEW TRANS MEAL.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Sep'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 09/20/2005 2:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/14/1995
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'Wake Up 1.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\Music\Wake Ups\Wake Up 1.m3u'
Parameters: ''
WorkingDirectory: 'C:\Music\Wake Ups'
Comment: ''
Creator: 'Sep'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 00/00/0000 0:00:00
StartError: 0x8007052f
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 1
RunOnlyIfLoggedOn = 0
SystemRequired = 1
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Once
StartDate: 02/09/2004
EndDate: 00/00/0000
StartTime: 05:14
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Just right now, hotmail started working!!!! I didn't do anything... although I just ended scanning my brother's computer (which is on the same network) following the original procedure. Maybe the problem's fixed now, I don't know. Let's wait and see.

So, anything wrong with the logs? Let me check my IE and see if the toolbar is still there.... OMG, IT'S GONE!!!! WOOOW! Finally!! Yaaaaay, after days and days and months! Thanks!

timberlandko
Reply Tue 20 Sep, 2005 10:28 am
The logs look OK; the lop.com infection signature, and the lop.com/search2web/SearchWeb2/Open Search Web toolbar which were driving you nuts apparently are gone - however, without being able to install SP2, you're going to remain vulnerable to the sort of exploit that brought about your problems, as well as to some more recent, even nastier irritations.

A final sort-things-out step here would be to launch CCleaner, select "Issues", select "Scan for Issues", then when the scan has completed, select "Fix selected issues", confirm the registry backup it offers (it will place the backup in your "My Documents" folder by default - it's a good idea to create a "CCleaner Backups" folder there in which to keep the backups), then select-and-confirm "Fix All Selected Issues". When that has been done, select "Cleaner" and run a full system scan-and-clean, then reboot normally.

As a "2nd best" workaround for lack of SP2, I would suggest you keep Spybot S&D regularly updated, employ its "Immunize" feature, install its HOSTS list, and employ its "Teatimer" feature - Teatimer is a little buggy, but it does actively monitor and will prevent the nasties it knows about from installing. Consult Spybot S&D's documentation (available via the application's "Help" feature) for details of configuration. You also should augment Spybot S&D with JavaCool Software's SpywareBlaster, keeping it regularly updated, and being certain it is configured for "All Protection" per its own instructions. You probably also will benefit from use of Steve Gould's Cleanup! (see the "How to use Cleanup!" tutorial available at the author's download page for configuration and deployment instructions).

Test your system for a while to make sure things are as they should be, then run a full system scan-and-clean with CCleaner, followed by a "Standard Cleanup" with Cleanup!, then reboot into safe mode, defrag your machine, and go ahead and reenable System Restore. One last tip: Stay Safe Out There.