I'm running Windows ME.

I guess I have two problems:

1) OE will not allow me to display the content of messages. It seems to d/l OK from Hotmail, but when I click on the message to read it, I get an unending hourglass and no content. I updated from M/S site the critical updates I needed and still no go.

2) EVERYTIME I boot up searchxl tries to hijack my search page. Spyguard catches it, but it continues to repeatedly try. I went under regedit and deleted the reference but something keeps trying to re-install it. This just stared repeating itself. Up until today it would just try to hijack once and then stop.


For both of these problems I have run AVG, Spybot and Adaware. I went and googled every running processes that I saw and the only ones I couldn't find were Service, Osd and Vcobyeiv. Any info or links to help me research these problems would be appreciated.

Also if it is best to re-install OE, will that erase messages that I have in my local folders. Thanks.

Here is an update:

Shortly after I posted this I ran Adawar and got 10 problems. I fixed them. Cruised on DVDTalk a bit (Only going to a AOL page and that political flash with Kerry and Bush). I noticed that my machine started to run slow after I watched that Kerry/Bush flash and so I ran Adaware again -- NO PROBLEMS.

So I reboot and run get the searchxl.com message again. I run Adaware and get 9 problems. Had some system problems (too much running) and rebooted again. Adaware brings 15 problems: Logfile below:

No sure where to go from here. ANY SUGGESTIONS. BTW I also have the logfile from the scan with 10 problems (1st one mentioned -- but didn't want to make this TOO long)



Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, July 24, 2004 3:08:19 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R333 18.07.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry


7-24-2004 3:08:19 AM - Scan started. (Smart mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279222427
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294936187
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294862455
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294863947
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:5 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294843679
Threads : 2
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:6 [ssdpsrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294892479
Threads : 5
Priority : Normal
FileSize : 55 KB
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
OriginalFilename : ssdpsrv.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 2/19/2004 10:42:10 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 12/13/2001 10:38:12 PM

#:7 [avgserv9.exe]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG6\
ProcessID : 4294874707
Threads : 2
Priority : Normal
FileSize : 20 KB
FileVersion : 6.0.1.374
ProductVersion : 6.0.1.374
Copyright : Copyright (c) GRISOFT, s.r.o. 1998-2002
CompanyName : GRISOFT, s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
OriginalFilename : AvgServ
ProductName : AVG6
Created on : 1/17/2004 6:27:02 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 1/13/2004 11:00:00 AM

#:8 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM\ZONELABS\
ProcessID : 4294878999
Threads : 18
Priority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 6/24/2004 3:53:15 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/16/2004 9:47:36 AM

#:9 [devldr16.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294800883
Threads : 4
Priority : Normal
FileSize : 37 KB
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
Copyright : Copyright
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr16
InternalName : DevLdr
OriginalFilename : DevLdr16.exe
ProductName : Creative Ring3 NT Inteface
Created on : 7/14/2001 4:41:59 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/5/2000 7:32:08 PM

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294816543
Threads : 18
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 6/8/2000 10:00:00 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:11 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294940167
Threads : 4
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:12 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294652511
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:13 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294702823
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:14 [service.exe]
FilePath : C:\PROGRAM FILES\DELL\SOLUTION CENTER\
ProcessID : 4294655003
Threads : 1
Priority : Normal
FileSize : 324 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
FileDescription : Service Button Application
InternalName : Service
OriginalFilename : SERVICE.EXE
ProductName : Service Application
Created on : 11/22/2000 4:20:10 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 11/22/2000 4:20:10 PM

#:15 [mmkeybd.exe]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4294698027
Threads : 1
Priority : Normal
FileSize : 124 KB
FileVersion : 1.00
ProductVersion : 1.00
Copyright : Copyright
CompanyName : Netropa Corp.
FileDescription : Netropa(tm) Hot Key
InternalName : DellTouch Programmable Keys
OriginalFilename : nhk.exe
ProductName : DellTouch Programmable Keys
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 9/21/2000 7:34:12 PM

#:16 [ctmix32.exe]
FilePath : C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\
ProcessID : 4294580115
Threads : 1
Priority : Normal
FileSize : 20 KB
FileVersion : 6.01.1
ProductVersion : 6.01.1
Copyright : Copyright (c) Creative Technology Ltd 1991-1999.
CompanyName : Creative Technology Ltd.
FileDescription : Creative Mixer Loader
InternalName : Creative Mixer Loader
OriginalFilename : CTMXLD32.EXE
ProductName : Creative Mixer Loader
Created on : 7/14/2001 4:41:10 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 11/18/1999 11:01:00 AM

#:17 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294690479
Threads : 4
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:18 [itouch.exe]
FilePath : C:\PROGRAM FILES\LOGITECH\ITOUCH\
ProcessID : 4294588475
Threads : 2
Priority : Normal
FileSize : 872 KB
FileVersion : 2.22.289
ProductVersion : 2.22.289
Copyright : (C) 1998-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : iTouch Application
InternalName : iTouch
OriginalFilename : iTouch.exe
ProductName : iTouch
Created on : 6/3/2004 3:29:05 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 3/18/2004 2:33:26 PM

#:19 [mmusbkb2.exe]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4294590743
Threads : 1
Priority : Normal
FileSize : 48 KB
FileVersion : 1.70
ProductVersion : 1.70
Copyright : Copyright
CompanyName : Netropa Corporation
FileDescription : USB Multimedia Keyboard Driver 2
InternalName : mmusbkb2
OriginalFilename : mmusbkb2.exe
ProductName : USB Multimedia Keyboard Driver 2
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 9/21/2000 7:15:26 PM

#:20 [avgcc32.exe]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG6\
ProcessID : 4294608375
Threads : 1
Priority : Normal
FileSize : 337 KB
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 1/17/2004 6:27:02 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 1/13/2004 11:00:00 AM

#:21 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294616471
Threads : 2
Priority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 6/1/2004 8:01:26 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/1/2004 8:01:28 AM

#:22 [winmgmt.exe]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4294527367
Threads : 6
Priority : Normal
FileSize : 192 KB
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:23 [qttask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294540699
Threads : 2
Priority : Normal
FileSize : 96 KB
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
CompanyName : Apple Computer, Inc.
FileDescription : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 6/3/2004 6:38:01 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/3/2004 6:38:02 PM

#:24 [vcobyeiv.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294511239
Threads : 1
Priority : Normal
FileSize : 32 KB
Copyright : tNa
Created on : 6/10/2004 11:25:35 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/10/2004 11:25:36 PM

#:25 [zlclient.exe]
FilePath : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\
ProcessID : 4294523939
Threads : 6
Priority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 6/24/2004 3:53:17 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/16/2004 9:48:24 AM

#:26 [taskpanl.exe]
FilePath : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\
ProcessID : 4294647815
Threads : 2
Priority : Normal
FileSize : 892 KB
FileVersion : 2005.1.47.0
ProductVersion : 2005.1.47.0
CompanyName : EarthLink, Inc.
ProductName : EarthLink TotalAccess
Created on : 6/19/2004 3:04:06 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/19/2004 3:04:06 AM

#:27 [traymon.exe]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4294500087
Threads : 1
Priority : Normal
FileSize : 72 KB
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/19/2000 2:29:52 PM

#:28 [em_exec.exe]
FilePath : C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\
ProcessID : 4294485519
Threads : 1
Priority : Normal
FileSize : 37 KB
FileVersion : 9.75.302
ProductVersion : 9.75.302
Copyright : (C) 1987-2002 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 12/30/2003 4:41:50 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 11/21/2002 2:50:00 PM

#:29 [wkcalrem.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
ProcessID : 4294400975
Threads : 2
Priority : Normal
FileSize : 24 KB
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
Copyright : Copyright
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : WkCalRem
OriginalFilename : WKCALREM.EXE
ProductName : Microsoft
Created on : 8/10/2000 5:00:00 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 8/10/2000 5:00:00 PM

#:30 [sgmain.exe]
FilePath : C:\PROGRAM FILES\SPYWAREGUARD\
ProcessID : 4294511499
Threads : 1
Priority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC
CompanyName : Copyright (C) 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 8/30/2003 12:05:35 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 8/30/2003 12:05:36 AM

#:31 [osd.exe]
FilePath : C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\
ProcessID : 4294545035
Threads : 1
Priority : Normal
FileSize : 84 KB
FileVersion : 2.01
ProductVersion : 2.01
Copyright : Copyright
CompanyName : Netropa Corp.
FileDescription : Netropa(tm) Onscreen Display
InternalName : OSD
OriginalFilename : osd.exe
ProductName : Onscreen Display
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 9/21/2000 11:26:24 PM

#:32 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294421123
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 1/26/2004 6:07:28 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 7/13/2003 3:00:20 AM

#:33 [sgbhp.exe]
FilePath : C:\PROGRAM FILES\SPYWAREGUARD\
ProcessID : 4294360335
Threads : 2
Priority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
CompanyName : Copyright (C) 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 8/29/2003 4:14:56 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 8/29/2003 4:14:58 PM

#:34 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294290231
Threads : 4
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

CoolWebSearch Object recognized!
Type : RegData
Data : http://www.searchxl.com/ie/
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : SearchURL
Data : http://www.searchxl.com/ie/


Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 1
Objects found so far: 1


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Bar.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Search_URL.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistant.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet ExplorerSearchURL.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer
Value : SearchURL
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainSearch Page.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Search Page
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\MainDefault_Search_URL.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchSearchAssistant.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_LOCAL_MACHINE
Object : Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainSearch Bar.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Search Bar
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\MainDefault_Search_URL.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Main
Value : Default_Search_URL
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchSearchAssistant.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Search
Value : SearchAssistant
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet ExplorerSearchURL.searchxl.com

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "http://www.searchxl.com/ie/"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer
Value : SearchURL
Data : "http://www.searchxl.com/ie/"

Possible browser hijack attempt : Software\Microsoft\Internet Explorer\SearchCustomizeSearchabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "about:blank"

Possible browser hijack attempt : .Default\Software\Microsoft\Internet Explorer\SearchCustomizeSearchabout:blank

Possible Browser Hijack attempt Object recognized!
Type : RegData
Data : "about:blank"
Rootkey : HKEY_USERS
Object : .Default\Software\Microsoft\Internet Explorer\Search
Value : CustomizeSearch
Data : "about:blank"


Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 13
Objects found so far: 14


ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ


Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

CoolWebSearch Object recognized!
Type : RegValue
Data :
Rootkey : HKEY_CURRENT_USER
Object : Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
Value : ITBarLayout


Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 1
Objects found so far: 15


3:13:35 AM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:05:16:40
Objects scanned :45539
Objects identified :15
Objects ignored :0
New objects :15

Don;t know if this is helpful, but it is a log form Hijack this.

THANKS.



Logfile of HijackThis v1.98.0
Scan saved at 4:36:51 AM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\VCOBYEIV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.search/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ienpwtub - {57165EE0-89C5-8E0D-CBE1-394693153C2B} - C:\WINDOWS\SYSTEM\IENPWTUB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [jbcoosn] C:\WINDOWS\vcobyeiv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Winsock32driver] ZoneLockup.exe
O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/24cd025a993e23b1aa03/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25c2af0e74e05420c706/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O18 - Protocol hijack: mhtml -
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL

Hi Tha'tsAllFolks.


Instructions on how to configure are at the bottom of the post
1)Configure AdAware forFullScan mode,
2)Update you defintions for AVG or try another virus/trojan scanner
3)Disable System Restore, then
3)Boot to safe mode

Once in Safe Mode
1)Run AVG (set to scan ALL files including compressed(zipped Files) on your hard drives
2)Run AdAware in FullScan mode
3)RunHiJackThis Again and let it fix/delete these Items
4) Run CWShredder

C:\WINDOWS\VCOBYEIV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.search/sp.php
O4 - HKLM\..\Run: [WinSP] REGEDIT.EXE -s c:/sysreg.reg
O4 - HKLM\..\RunServices: [IPConfig] ipconfigs.exe (Trojan. see below for remedy)
O4 - HKLM\..\Run: [IPConfig] ipconfigs.exe (Trojan. see below for remedy)
(http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hacarmy.c.html)

O18 - Protocol hijack: mhtml -
O21 - SSODL: AUHook - {BCBCD383-3E06-11D3-91A9-00C04F68105C} - C:\WINDOWS\SYSTEM\AUHOOK.DLL



Make sure sure uncheck the safemode option in "msconfig" upon completion of this exersise to enter Xp Normally

Boot into Windows XP Normally
Run Adaware, and HiJackThis, scan with AVG and run CWShredder(post the new log here)
When Clean,you can re-enable system Restore


NOTE:
You may want to consider to try FireFox, Mozilla or anything not IE or a shell of IE

related.
Essential Spyware, Hijacking prevention/monitoring tools:
SpywareGuard
SpywareBlaster
Adaware
HiJackThis http://www.majorgeeks.com/download3155.html
Run a scan, when the scan is finshed then button will change to "save Log". Save the log to the hard drive. Open the log with notepad or any editor(make sure always open with is
unchecked), copy and paste the contents here and I will look for anything suspicious.


SpyBot
BHO Demon 2.0
Use a HostFile (I think SW Guard includes this in the program)
A registry/startup Monitor like regprot
CWShredder http://www.majorgeeks.com/download4086.html



1) ADAWARE 6.181
In Ad-aware click the Gear to go to the Settings area.

The following items should be on a green check, not on a red X.

Under the Scanning button:

Scan within archives

Under Memory & Registry, Check EVERYTHING

In Check Drives & Folders, make sure all of your hard drives are selected

Under the Advanced button, check ALL under Log detail level (this makes it easier for

visitors to the Lavasoft Support Forums to see what options you have selected should you

require assistance.)

Under the Tweak button...

Some of these may not be an available option, depending on your version of Ad-aware and your

version of Windows. Do not be concerned if you cannot select a certain item.

In Scanning Engine:

Unload recognized processes during scanning

Include info about ignored objects in logfile, if detected in scan

Include basic Ad-aware settings in logfile

Include additional Ad-aware settings in logfile

Include used command line parameters in logfile


In Cleaning Engine:

XP/2000: Allow unloading explorer to unload shell extensions prior to deletion

Let Windows remove files in use at next reboot

UNCHECK: Automatically try to unregister objects prior to deletion


Click Proceed to save these settings. When you would like to perform a "Full Scan," switch

the scan mode from SmartScan to Custom.



2)SYSTEM RESTORE IN XP:
To turn off Windows XP System Restore

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check

box.
5.Click Apply. The a confirmation message appears.
6. This will delete all existing restore points. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do. For example, removing viruses. Restart the computer and

follow the instructions in the next section to turn on System Restore.


3)Entering Safemode the Easy way (or you can use F8 at startup)
Click on Start,
then Run.
In the Run dialog box type "msconfig" and press enter to start the MSCONFIG utility
click on the Boot.ini tab you will see some checkboxes at the bottom under Boot Options.

Click the checkbox next to /SAFEBOOT and select Minimal.

Thank you so much for taking the time to give me this detail explanation in taking care of these problems. I think for the most part they are fixed. My OS is WinME and so a couple of differences occurred. I've explained below. OE seems to be OK now and the attempts to hijack the search occurred after my first book, but not after my second. Actually I tthink that ZoneAlarm just detetected a setting back the way it SHOULD have been and asked my permission because they were all going FROM searchxl.com to something else.

I will post the logfiles for hijack and Adaware in the next two posts.

QUESTION: Should I contine to run Adaware customized or should I switch back to automatic mode?

Originally posted by 68ShelbyGT500KR
3)Disable System Restore, then
ce in Safe Mode

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore" or "Turn off System Restore on all drives" check

box.
5.Click Apply. The a confirmation message appears.
6. This will delete all existing restore points. Click Yes to do this.
7. Click OK.
8. Proceed with what you need to do. For example, removing viruses. Restart the computer and

follow the instructions in the next section to turn on System Restore.


Click the checkbox next to /SAFEBOOT and select Minimal.

I am not sure what the equivalent to these two steps is in Win ME. I tried to look around and could not find ANYTHING that look similar to disabling system restrore. I booted up in SAFE mode using F8, so I guess that's all the checkbox near /SAFEBOOT means in XP???

Originally posted by 68ShelbyGT500KR
3)RunHiJackThis Again and let it fix/delete these Items

C:\WINDOWS\VCOBYEIV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
...
C:\WINDOWS\SYSTEM\AUHOOK.DLL

I'm not sure what this means. There were no options to check these. In fact they were not even listed.

Logfile of HijackThis v1.98.0
Scan saved at 8:05:24 PM, on 7/24/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\DELL\SOLUTION CENTER\SERVICE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\CTMIX32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMUSBKB2.EXE
C:\PROGRAM FILES\LOGITECH\ITOUCH\ITOUCH.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\VCOBYEIV.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\OSD.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\001\PROGRAMS\VIRUS PROTECTION\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.search/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ienpwtub - {57165EE0-89C5-8E0D-CBE1-394693153C2B} - C:\WINDOWS\SYSTEM\IENPWTUB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [jbcoosn] C:\WINDOWS\vcobyeiv.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Winsock32driver] ZoneLockup.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [devldr16.exe] C:\WINDOWS\SYSTEM\devldr16.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/24cd025a993e23b1aa03/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25c2af0e74e05420c706/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, July 24, 2004 7:48:35 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R333 18.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R333 18.07.2004
Internal build : 265
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 1314436 Bytes
Signature data size : 1293449 Bytes
Reference data size : 20923 Bytes
Signatures total : 28676
Target categories : 10
Target families : 526

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:4 %
Total physical memory:130088 kb
Available physical memory:6616 kb
Total page file size:1967060 kb
Available on page file:1816896 kb
Total virtual memory:2093056 kb
Available virtual memory:2040960 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-24-2004 7:48:35 PM - Scan started. (Custom mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279224797
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294938429
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:3 [mmtask.tsk]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294864689
Threads : 1
Priority : Normal
FileSize : 1 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Multimedia background task support module
InternalName : mmtask.tsk
OriginalFilename : mmtask.tsk
ProductName : Microsoft Windows
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:4 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294862093
Threads : 2
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:5 [mstask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294841477
Threads : 2
Priority : Normal
FileSize : 124 KB
FileVersion : 4.71.2721.1
ProductVersion : 4.71.2721.1
Copyright : Copyright (C) Microsoft Corp. 2000
CompanyName : Microsoft Corporation
FileDescription : Task Scheduler Engine
InternalName : TaskScheduler
OriginalFilename : mstask.exe
ProductName : Microsoft
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:6 [ssdpsrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294845357
Threads : 6
Priority : Normal
FileSize : 55 KB
FileVersion : 4.90.3003.0
ProductVersion : 4.90.3003.0
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : SSDP Service on Windows Millennium
InternalName : ssdpsrv.exe
OriginalFilename : ssdpsrv.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 2/19/2004 10:42:10 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 12/13/2001 10:38:12 PM

#:7 [avgserv9.exe]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG6\
ProcessID : 4294885833
Threads : 2
Priority : Normal
FileSize : 20 KB
FileVersion : 6.0.1.374
ProductVersion : 6.0.1.374
Copyright : Copyright (c) GRISOFT, s.r.o. 1998-2002
CompanyName : GRISOFT, s.r.o
FileDescription : AvgServ - displays notification message
InternalName : AvgServ
OriginalFilename : AvgServ
ProductName : AVG6
Created on : 1/17/2004 6:27:02 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 1/13/2004 11:00:00 AM

#:8 [vsmon.exe]
FilePath : C:\WINDOWS\SYSTEM\ZONELABS\
ProcessID : 4294872961
Threads : 16
Priority : Normal
FileSize : 893 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : TrueVector Service
InternalName : vsmon
OriginalFilename : vsmon.exe
ProductName : TrueVector Service
Created on : 6/24/2004 3:53:15 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/16/2004 9:47:36 AM

#:9 [devldr16.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294901417
Threads : 3
Priority : Normal
FileSize : 37 KB
FileVersion : 1, 0, 0, 15
ProductVersion : 1, 0, 0, 15
Copyright : Copyright
CompanyName : Creative Technology Ltd.
FileDescription : DevLdr16
InternalName : DevLdr
OriginalFilename : DevLdr16.exe
ProductName : Creative Ring3 NT Inteface
Created on : 7/14/2001 4:41:59 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/5/2000 7:32:08 PM

#:10 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294896405
Threads : 19
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 6/8/2000 10:00:00 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:11 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294771189
Threads : 4
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:12 [taskmon.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294650117
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1998
CompanyName : Microsoft Corporation
FileDescription : Task Monitor
InternalName : TaskMon
OriginalFilename : TASKMON.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:13 [systray.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294697829
Threads : 2
Priority : Normal
FileSize : 36 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : System Tray Applet
InternalName : SYSTRAY
OriginalFilename : SYSTRAY.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:14 [service.exe]
FilePath : C:\PROGRAM FILES\DELL\SOLUTION CENTER\
ProcessID : 4294599457
Threads : 1
Priority : Normal
FileSize : 324 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
FileDescription : Service Button Application
InternalName : Service
OriginalFilename : SERVICE.EXE
ProductName : Service Application
Created on : 11/22/2000 4:20:10 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 11/22/2000 4:20:10 PM

#:15 [mmkeybd.exe]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4294580809
Threads : 1
Priority : Normal
FileSize : 124 KB
FileVersion : 1.00
ProductVersion : 1.00
Copyright : Copyright
CompanyName : Netropa Corp.
FileDescription : Netropa(tm) Hot Key
InternalName : DellTouch Programmable Keys
OriginalFilename : nhk.exe
ProductName : DellTouch Programmable Keys
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 9/21/2000 7:34:12 PM

#:16 [ctmix32.exe]
FilePath : C:\PROGRAM FILES\CREATIVE\SHAREDLL\AHQ\
ProcessID : 4294597705
Threads : 1
Priority : Normal
FileSize : 20 KB
FileVersion : 6.01.1
ProductVersion : 6.01.1
Copyright : Copyright (c) Creative Technology Ltd 1991-1999.
CompanyName : Creative Technology Ltd.
FileDescription : Creative Mixer Loader
InternalName : Creative Mixer Loader
OriginalFilename : CTMXLD32.EXE
ProductName : Creative Mixer Loader
Created on : 7/14/2001 4:41:10 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 11/18/1999 11:01:00 AM

#:17 [wmiexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294692933
Threads : 4
Priority : Normal
FileSize : 16 KB
FileVersion : 4.90.2452.1
ProductVersion : 4.90.2452.1
Copyright : Copyright (C) Microsoft Corp. 1981-1999
CompanyName : Microsoft Corporation
FileDescription : WMI service exe housing
InternalName : wmiexe
OriginalFilename : wmiexe.exe
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:18 [mmusbkb2.exe]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4294625653
Threads : 1
Priority : Normal
FileSize : 48 KB
FileVersion : 1.70
ProductVersion : 1.70
Copyright : Copyright
CompanyName : Netropa Corporation
FileDescription : USB Multimedia Keyboard Driver 2
InternalName : mmusbkb2
OriginalFilename : mmusbkb2.exe
ProductName : USB Multimedia Keyboard Driver 2
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 9/21/2000 7:15:26 PM

#:19 [itouch.exe]
FilePath : C:\PROGRAM FILES\LOGITECH\ITOUCH\
ProcessID : 4294887437
Threads : 2
Priority : Normal
FileSize : 872 KB
FileVersion : 2.22.289
ProductVersion : 2.22.289
Copyright : (C) 1998-2003 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : iTouch Application
InternalName : iTouch
OriginalFilename : iTouch.exe
ProductName : iTouch
Created on : 6/3/2004 3:29:05 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 3/18/2004 2:33:26 PM

#:20 [avgcc32.exe]
FilePath : C:\PROGRAM FILES\GRISOFT\AVG6\
ProcessID : 4294639077
Threads : 1
Priority : Normal
FileSize : 337 KB
FileVersion : 6, 0, 0, 515
ProductVersion : 6, 0, 0, 0
Copyright : Copyright
CompanyName : GRISOFT s.r.o.
FileDescription : AVG Control Center
InternalName : AvgCC32
OriginalFilename : AvgCC32.EXE
ProductName : AVG Anti-Virus System
Created on : 1/17/2004 6:27:02 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 1/13/2004 11:00:00 AM

#:21 [realsched.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\
ProcessID : 4294619065
Threads : 2
Priority : Normal
FileSize : 176 KB
FileVersion : 0.1.0.3034
ProductVersion : 0.1.0.3034
Copyright : Copyright
CompanyName : RealNetworks, Inc.
FileDescription : RealNetworks Scheduler
InternalName : schedapp
OriginalFilename : realsched.exe
ProductName : RealPlayer (32-bit)
Created on : 6/1/2004 8:01:26 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/1/2004 8:01:28 AM

#:22 [qttask.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294525521
Threads : 2
Priority : Normal
FileSize : 96 KB
FileVersion : 6.5.1
ProductVersion : QuickTime 6.5.1
CompanyName : Apple Computer, Inc.
FileDescription : Apple Computer, Inc.
InternalName : QuickTime Task
OriginalFilename : QTTask.exe
ProductName : QuickTime
Created on : 6/3/2004 6:38:01 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/3/2004 6:38:02 PM

#:23 [winmgmt.exe]
FilePath : C:\WINDOWS\SYSTEM\WBEM\
ProcessID : 4294532837
Threads : 5
Priority : Normal
FileSize : 192 KB
FileVersion : 1.50.1164.0000
ProductVersion : 1.50.1164.0000
Copyright : Copyright (C) Microsoft Corp. 1995-1999
CompanyName : Microsoft Corporation
FileDescription : Windows Management Instrumentation
InternalName : WINMGMT
ProductName : Windows Management Instrumentation
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:24 [vcobyeiv.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294530593
Threads : 1
Priority : Normal
FileSize : 32 KB
Copyright :

Created on : 6/10/2004 11:25:35 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/10/2004 11:25:36 PM

#:25 [zlclient.exe]
FilePath : C:\PROGRAM FILES\ZONE LABS\ZONEALARM\
ProcessID : 4294511925
Threads : 6
Priority : Normal
FileSize : 681 KB
FileVersion : 5.0.590.043
ProductVersion : 5.0.590.043
Copyright : Copyright
CompanyName : Zone Labs Inc.
FileDescription : Zone Labs Client
InternalName : zlclient
OriginalFilename : zlclient.exe
ProductName : Zone Labs Client
Created on : 6/24/2004 3:53:17 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/16/2004 9:48:24 AM

#:26 [em_exec.exe]
FilePath : C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\
ProcessID : 4294543981
Threads : 1
Priority : Normal
FileSize : 37 KB
FileVersion : 9.75.302
ProductVersion : 9.75.302
Copyright : (C) 1987-2002 Logitech. All rights reserved.
CompanyName : Logitech Inc.
FileDescription : Logitech Events Handler Application
InternalName : Em_Exec
OriginalFilename : Em_Exec.exe
ProductName : MouseWare
Created on : 12/30/2003 4:41:50 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 11/21/2002 2:50:00 PM

#:27 [taskpanl.exe]
FilePath : C:\PROGRAM FILES\EARTHLINK TOTALACCESS\
ProcessID : 4294463673
Threads : 2
Priority : Normal
FileSize : 892 KB
FileVersion : 2005.1.47.0
ProductVersion : 2005.1.47.0
CompanyName : EarthLink, Inc.
ProductName : EarthLink TotalAccess
Created on : 6/19/2004 3:04:06 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/19/2004 3:04:06 AM

#:28 [wkcalrem.exe]
FilePath : C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\
ProcessID : 4294507449
Threads : 2
Priority : Normal
FileSize : 24 KB
FileVersion : 6.00.1828.1
ProductVersion : 6.00.1828.1
Copyright : Copyright
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : WkCalRem
OriginalFilename : WKCALREM.EXE
ProductName : Microsoft
Created on : 8/10/2000 5:00:00 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 8/10/2000 5:00:00 PM

#:29 [traymon.exe]
FilePath : C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\
ProcessID : 4294480545
Threads : 1
Priority : Normal
FileSize : 72 KB
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/19/2000 2:29:52 PM

#:30 [sgmain.exe]
FilePath : C:\PROGRAM FILES\SPYWAREGUARD\
ProcessID : 4294490781
Threads : 1
Priority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC
CompanyName : Copyright (C) 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 8/30/2003 12:05:35 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 8/30/2003 12:05:36 AM

#:31 [osd.exe]
FilePath : C:\PROGRAM FILES\NETROPA\ONSCREEN DISPLAY\
ProcessID : 4294392541
Threads : 1
Priority : Normal
FileSize : 84 KB
FileVersion : 2.01
ProductVersion : 2.01
Copyright : Copyright
CompanyName : Netropa Corp.
FileDescription : Netropa(tm) Onscreen Display
InternalName : OSD
OriginalFilename : osd.exe
ProductName : Onscreen Display
Created on : 7/14/2001 4:40:30 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 9/21/2000 11:26:24 PM

#:32 [sgbhp.exe]
FilePath : C:\PROGRAM FILES\SPYWAREGUARD\
ProcessID : 4294311965
Threads : 2
Priority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright (C) 2002-2003 Javacool Software LLC.
CompanyName : Copyright (C) 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 8/29/2003 4:14:56 PM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 8/29/2003 4:14:58 PM

#:33 [tapisrv.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294241953
Threads : 4
Priority : Normal
FileSize : 120 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1994-1998
CompanyName : Microsoft Corporation
FileDescription : Microsoft
InternalName : Telephony Service
OriginalFilename : TAPISRV.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:34 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294502257
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 1/26/2004 6:07:28 AM
Last accessed : 7/24/2004 5:00:00 AM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Roings Object recognized!
Type : File
Data : a0660865.cpy
Category : Malware
Comment :
Object : C:\_RESTORE\TEMP\
FileSize : 44 KB
Copyright :

Tha'tsAllFolks. Part 2

Sorry about the OS, I didn't see that you were using Win ME.I was assuning XP.


To Disable system restore Windows ME
1) Click Start > Settings > Control Panel.
2) Double-click the System icon.

Note: If the System icon is not visible, click "View all Control Panel options" to display it.
3) On the Performance tab click File System.
4) Click the Troubleshooting tab, and then check Disable System Restore
5) Click OK. Click Yes, when you are prompted to restart Windows.


Boot into Safemode in Windows 98 and ME (without the F8 key at startup)
1) Close all open programs.
2) Click Start > Run. The Run dialog box appears.
3) Type msconfig and then click OK
4) In the Advanced Troubleshooting Settings dialog box, check Enable Startup Menu.Click OK. Click OK again when the System Configuration Utility reappears.
5) You will be prompted to restart the computer. Click Yes. The computer will restart in Safe mode. (This can take several minutes.)


When you have disabled System Restore and are in SafeMode do the following:
Enable the task manager via CTRL ALT Del ( it should have a list of apps running/processes)

Highlight and stop these 2 processes: VCOBYEIV.EXE and DDHELP.EXE
Once stopped, go to Windows Explorer and navigate to these locations and delete the files. If it gives an error message and won't delete, try to right click on the file and select "properties" and un-check "read only: and change to "archive".Click OK. Try to delete again

C:\WINDOWS\VCOBYEIV.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE


Run Adaware is customized (detailed), like before and remove anything it finds.

Run HijackThis and let it Fix these items.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.earthlink.net/partner/mo...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.search/sp.php
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [jbcoosn] C:\WINDOWS\vcobyeiv.exe


Save log, reboot into Windows Normally and re-post your log.

Did you run a full AVG virus scan?
I keep my Adaware set for the full scan(though it takes longer to run) but you can do waht you want at your discretion. Let's make sure your system is totally clean first!


Sorry about the OS Problem.

Thanks for taking the time to update this for ME. I have been really busy the last couple of days and have not had the time to try this until now.

First I could not delete VCOBYEIV.EXE and DDHELP.EXE in Safe Mode. They were not there in the task mamanger. So, I re-booted back into Normal and deleted them as explained. I then went back into Safe Mode and ran Adaware. I then ran HiJackThis twice. Once deleting the processes listed and then an "after" image. The log posted is the "after" image log.

Also I assume I should back out of "Disablie System Restore" now that I'm finished. I still have it checked and was planning on unchecking it when I finished running AVG. BTW, I think I am running a full scan. All the boxes are checked in the email scanner tab and the check virus part of Resident Shield. Anyway I will be running that as soon as I finish posting the logs here.

Thanks again for your detailed explanation. I am archiving this info in case this happens again.

Logfile of HijackThis v1.98.0
Scan saved at 10:27:26 AM, on 7/29/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\001\PROGRAMS\VIRUS PROTECTION\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: ienpwtub - {57165EE0-89C5-8E0D-CBE1-394693153C2B} - C:\WINDOWS\SYSTEM\IENPWTUB.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [DellSC] C:\Program Files\Dell\Solution Center\service.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Speed racer] C:\Program Files\Creative\PlayCenter\CTSRReg.exe
O4 - HKLM\..\Run: [CreativeMixer] C:\Program Files\Creative\Sharedll\AHQ\CTMIX32.EXE /t
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Winsock32driver] ZoneLockup.exe
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [E6TaskPanel] "C:\PROGRAM FILES\EARTHLINK TOTALACCESS\TASKPANL.EXE" -winstart
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O14 - IERESET.INF: START_PAGE_URL=http://www.dellnet.com
O16 - DPF: {34805D32-AD89-469E-8503-A5666AEE4333} (RdxIE Class) - http://207.188.7.150/24cd025a993e23b1aa03/netzip/RdxIE.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20020323/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://i.a.cnn.net/cnn/resources/cult3d/cult.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/25c2af0e74e05420c706/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.dell.com/us/en/systemprofiler/SysProfLCD.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Thursday, July 29, 2004 9:57:10 AM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R334 24.07.2004
______________________________________________________

Reffile status:
=========================
Reference file loaded:
Reference Number : 01R334 24.07.2004
Internal build : 268
File location : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\reflist.ref
Total size : 1316091 Bytes
Signature data size : 1295051 Bytes
Reference data size : 20976 Bytes
Signatures total : 28648
Target categories : 10
Target families : 528

Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:63 %
Total physical memory:130108 kb
Available physical memory:54336 kb
Total page file size:1967040 kb
Available on page file:1967040 kb
Total virtual memory:2093056 kb
Available virtual memory:2043328 kb
OS:Windows (ME)

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-aware Settings
=========================
Set : Unload recognized processes during scanning
Set : Include basic Ad-aware settings in logfile
Set : Include additional Ad-aware settings in logfile
Set : Let windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Always back up reference file, before updating
Set : Play sound if scan produced a result


7-29-2004 9:57:10 AM - Scan started. (Custom mode)

Listing running processes
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

#:1 [kernel32.dll]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4279205789
Threads : 4
Priority : High
FileSize : 524 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1991-2000
CompanyName : Microsoft Corporation
FileDescription : Win32 Kernel core component
InternalName : KERNEL32
OriginalFilename : KERNEL32.DLL
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:2 [msgsrv32.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294949245
Threads : 1
Priority : Normal
FileSize : 11 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1992-1998
CompanyName : Microsoft Corporation
FileDescription : Windows 32-bit VxD Message Server
InternalName : MSGSRV32
OriginalFilename : MSGSRV32.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:3 [mprexe.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294944017
Threads : 1
Priority : Normal
FileSize : 28 KB
FileVersion : 4.90.3000
ProductVersion : 4.90.3000
Copyright : Copyright (C) Microsoft Corp. 1993-2000
CompanyName : Microsoft Corporation
FileDescription : WIN32 Network Interface Service Process
InternalName : MPREXE
OriginalFilename : MPREXE.EXE
ProductName : Microsoft(R) Windows(R) Millennium Operating System
Created on : 1/1/1601
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:4 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 4294847349
Threads : 9
Priority : Normal
FileSize : 220 KB
FileVersion : 5.50.4134.100
ProductVersion : 5.50.4134.100
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft(R) Windows (R) 2000 Operating System
Created on : 6/8/2000 10:00:00 PM
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:5 [stmgr.exe]
FilePath : C:\WINDOWS\SYSTEM\RESTORE\
ProcessID : 4294791517
Threads : 5
Priority : Normal
FileSize : 60 KB
FileVersion : 4.90.0.2533
ProductVersion : 4.90.0.2533
Copyright : Copyright (C) Microsoft Corp. 1981-2000
CompanyName : Microsoft Corporation
FileDescription : Microsoft (R) PC State Manager
InternalName : StateMgr.exe
OriginalFilename : StateMgr.exe
ProductName : Microsoft (r) PCHealth
Created on : 1/1/1601
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 6/8/2000 10:00:00 PM

#:6 [ddhelp.exe]
FilePath : C:\WINDOWS\SYSTEM\
ProcessID : 4294705873
Threads : 2
Priority : Realtime
FileSize : 32 KB
FileVersion : 4.09.00.0900
ProductVersion : 4.09.00.0900
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft DirectX Helper
InternalName : DDHelp.exe
OriginalFilename : DDHelp.exe
ProductName : Microsoft
Created on : 7/29/2004 2:48:16 PM
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 12/12/2002 5:14:32 AM

#:7 [ad-aware.exe]
FilePath : C:\PROGRAM FILES\LAVASOFT\AD-AWARE 6\
ProcessID : 4294774517
Threads : 2
Priority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 1/26/2004 6:07:28 AM
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Started deep registry scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Deep registry scan result :
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Tracking Cookie Object recognized!
Type : File
Data : anyuser@www4.yesadvertising[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/29/2004 4:53:27 AM
Last accessed : 7/28/2004 5:00:00 AM
Last modified : 7/29/2004 4:53:28 AM



Tracking Cookie Object recognized!
Type : File
Data : default@revenue[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/27/2004 4:59:07 AM
Last accessed : 7/26/2004 5:00:00 AM
Last modified : 7/27/2004 4:59:08 AM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@casalemedia[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/29/2004 6:32:51 AM
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 7/29/2004 6:32:52 AM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@maxserving[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/27/2004 4:45:54 PM
Last accessed : 7/27/2004 5:00:00 AM
Last modified : 7/27/2004 4:45:56 PM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@www2.yesadvertising[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/28/2004 6:22:35 PM
Last accessed : 7/28/2004 5:00:00 AM
Last modified : 7/28/2004 6:22:36 PM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@www.stopzilla[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/28/2004 5:03:25 AM
Last accessed : 7/28/2004 5:00:00 AM
Last modified : 7/28/2004 5:03:26 AM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@server.iad.liveperson[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/29/2004 4:53:31 AM
Last accessed : 7/28/2004 5:00:00 AM
Last modified : 7/29/2004 4:53:32 AM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@zedo[1].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/29/2004 6:32:55 AM
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 7/29/2004 6:32:56 AM



Tracking Cookie Object recognized!
Type : File
Data : anyuser@revenue[2].txt
Category : Data Miner
Comment :
Object : C:\WINDOWS\Cookies\

Created on : 7/29/2004 6:32:52 AM
Last accessed : 7/29/2004 5:00:00 AM
Last modified : 7/29/2004 6:32:54 AM



Disk scan result for C:\
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 9


Performing conditional scans..
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ

Conditional scan result:
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
New objects : 0
Objects found so far: 9


10:07:55 AM Scan complete

Summary of this scan
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
Total scanning time :00:10:45:100
Objects scanned :158923
Objects identified :9
Objects ignored :0
New objects :9

Run HijkackThis and let it fix this line.
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\REAL\TOOLBAR\REALBAR.DLL

The Purpose of disabling System Restore is to "flush" viruses, trojans and any other parasites from your system.
Once you let HijackThis Fix the 1 "03" item above, Re-Run HijackThis to make sure it is gone.
After is is Confirmed gone, go ahead and enable System Restore.

Your system should be running normal. Keep Everything updated and scan weekly.

To 68ShelbyGT500KR:

A THOUSAND THANKS!!!!!!

:wave: :wave: :wave: :wave: :wave: :wave:

Originally posted by That'sAllFolks
To 68ShelbyGT500KR:

A THOUSAND THANKS!!!!!!

:wave: :wave: :wave: :wave: :wave: :wave:


So, Is everything is back to normal??

Post your latest HijackThis Log to confirm!