34 replies to this topic

[nadog]

Hi Piatan; Dr. Watson is back but only on my main admin account. 50% of the time he gets ionvolved when I open Outlook even after I have done the "end process" thing after opening the account. The one time yesterday was the only time I was able to open that account without seeing him. I have deleted all the HOSTS.MVP files the only things left in my files are a file named simply "HOSTS", a hosts.ics, and another host file related to my lotus software. I have not emptied my recycle bin of the others yet though. Since the removal of the HOSTS.MVPS did not effect Dr. Watson, do you think I should try removing the Spyware Guard and Spyware Blaster and then re-downloading them? Dr. Watson had never appeared before these downloads. Are they possibly related? BTW, I was unable to access the aol hoster.zip page. IE gave me a message that it was not available. There was a download box behind that message but nothing was downloading. Also, MSN Messenger is there again in the taskbar. It was back when I closed out of sending you the message yesterday. It won't start until I have done the "end process" thing with Dr. Watson. Please let me know what you think. nadog

[Piatan]

Hi nadog; Are you able to use the original Administrators account to do about anything, except use Outlook, without Dr. Watson coming up with an error ? Can you use the new Administrators account with Outlook, and if so does Dr. Watson throw up an error ? It seems that every time you use Outlook, that's the only time Dr. Watson comes into play. Is this correct ? If so, the problem may be with Outlook. Just trying to narrow down the possibilities. I don't believe the new programs you mention have anything to do with the problem, but if you wish they can be Uninstalled in Add/Remove Programs. Don't download them again, until this problem has been resolved.

[nadog]

Hi Piatan; There is no problem opening Outlook in any of the other accounts. However, there does seem to be some connection between it and Dr. Watson in my main admin account. Outlook opens very slowly and it seems like Dr. Watson is coming up every time now. Outlook does open, however, after doing the end process function on Dr. Watson. There is also something up with SpywareGuard. I am unable to remove it in Add/Remove programs. I get a message telling me it is runnijng and I need to shut it off. When I go to do that by double clicking on the icon, I can't even open it up. Dr. Watson keeps blocking it and when I do the end process function on DR. Watson the icon will still not open. It just re-initiates Dr. Watson. They seem to be interlocked. Is there another way to shut it down through a back door? Or remove it some other way? The other one removed without a hitch. Thanks, nadog

[Piatan]

Go into Safe Mode, then to Control Panel-->Add/Remove Programs and Uninstall SpywareGuard. Then, reboot into Normal Mode.

Edited by Piatan, 08 February 2006 - 03:20 PM.

[nadog]

Hi Piatan; Safe mode worked. The program uninstalled but gave me a message that some items could not be removed and would have to be done manually. I assume those were the desktop icons? I rebooted and everything (including Outlook) opened normally and quickly. No sign of Dr. Watson. I rebooted a second time with exactly the same results. So obviously the problem was SpywareGuard. Did it load improperly? Or because of the apparent connection to Outlook is there a chance that the ghost email I traced back to the person of questionable character (I'm being nice - that's not how I really feel about him) could have done something to my Outlook to make it react with SpywareGuard in this manner. I have heard from people who used to work with the guy that besides being afraid of him, they all figure he's really smart when it comes to computers. What's your feeling? Should I try reloading the items? If so, in what order? nadog

[Piatan]

You need to go into Safe Mode and do a search for any remaining bits of all those Programs that were removed. Be sure to include hidden files in the searches. Deleting anything found associated with them.

Of course, if he were able to gain remote access to your PC, then anything could have been changed. That is a remote possiblilty. To be on the safe side, it would be a very good idea to change all passwords, for all accounts on your PC. The passwords should be strong, using a mixture of Upper and lower case letters, and non sequential numbers. Be sure to write down all changed passwords and keep them nearby, or you will lock yourself out of your PC, which is the greatest danger when creating strong passwords. There are Programs that Crackers use that can crack a weak password in less than a minuite.

I would wait a few days to install any of those programs that were just removed, to be sure all is right. When you do re-install them, do it one program at a time and test it for a few days before adding the next program. That way if any one of them gives any trouble, you'll know right away which one is causing the problem and can remove it.
I have never known any of these programs to cause any problems and I use them all.
There are Viruses that prevent downloading or using these type programs and Anti-Viruses as well, but I have seen no sign of such Viruses on your PC.

Since a Virus could cause this type problem, lets do some tests and see if anything can be located.

Please use the following links to run two, or more of these online Virus Scanners and let them fix whatever they find.

If you are using any of the browsers listed just below, the following online Virus scanning site is compatable.
http://be.trendmicro...call_launch.php
If you are using any of these browsers:
Microsoft Internet Explorer
Netscape (6+)
Mozilla (1+)
Firefox (all)
Opera (7.5+)

Internet Explorer users can also use the following links.

When using Trend Micro, be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location, so you can delete it yourself.
http://www.kaspersky.com/virusscanner
http://www.kaspersky...ml?id=146100010
Bitdefender and let it delete everything it finds.
TrendMicro HouseCall
eTrust AntiVirus Web Scanner
Panda ActiveScan
Note any thing that can't be fixed.

Reboot when done.

If you have Ewido, a fresh download is not needed. Just be sure to update your copy.

Please download, install, update and scan your system with the free version of Ewido trojan scanner:

• When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
• When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
• From the main ewido screen, click on update in the left menu, then click the Start update button.
• After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
• If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
• When the scan finishes, click on "Save Report". This will create a text file.
  Please save the Ewido report, to be posted here later.
  
  If you are having problems with the updater, you can use this link to manually update Ewido.
  Ewido manual updates
  
  The trial version of Ewido works like a full featured version for 14 days, after that the only features that will not work are, autoupdate and realtime protection. It will still be able to be updated with the link above and be used to scan and remove undesirables.
  
  
  Then, Please download and install Ad-Aware SE and Spybot S&D according to the following instructions. If you already have these programs, please make sure they are the latest version and have been updated today. Then run full systems scans as described below.
  
  Install and how to use the NEW Ad-aware SE
  http://www.bleepingc...showtutorial=48
  
  Reboot after using Ad-Aware SE.
  Download the VX cleaner plug in for Adaware. Install it, then open Adaware & go to *add-ons* & run the plug-in. If anything is found, select *clean system* & when done, reboot & run Adaware & let it finish the clean-up. Reboot again.
  
  
  Would you please download the Spybot S&D program from here Spybot S&D and install it.[list]
• Select Search for updates.
• Then select all available updates that are displayed in the white box.
• Select a download mirror nearest your location.
• Then select Download updates .
• Shut down and restart Spybot.
• Select the Search and destroy icon and click on Check for Problems.
• Delete/fix anything that spybot lists In RED.

.

Then, please REBOOT, to allow Spybot to finish working.

Please download CCleaner from here to clean temp files from your computer.

• Double click on the file to start the installation of the program.
• Select your language and click OK, then next.
• Read the license agreement and click I Agree.
• Click next to use the default install location. Click Install then finish to complete installation.
• Double click the CCleaner shortcut on the desktop to start the program.
• Click Run Cleaner to run the program.
• Caution : It is not recommended to use the 'Issues' tab as it is known to find legitimate items.
• After it has completed it's process, click Exit.

Then in Internet Explorer click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Then please run Hijack This, copy the log and post it here, in this topic, along with the Ewido report.

Please use the [b]Add Reply feature, so I will be notified.

In addition, if you are using Internet Explorer as your browser, a safer browser is recommended for surfing the Internet.
Please use the following link to download the Firefox browser.

http://www.mozilla.org/

[nadog]

Hi Piatan; I have a heavy work schedule between now and next Thursday. It will take me a few days to execute your recommendations. I will keep you posted as I progress and with any developments. Thanks again. nadog

[Piatan]

I understand. Take your time and please advise me of any new developments, so we can get a handle on them before they get out of hand.

[nadog]

Hi Piatan;

I have followed all of your recommendations in the order you stated them except that I have yet to change my browser or try reloading the Spyware Guard or Spyware Blaster programs. I will do that next. Here is a copy of my latest HijackThis log and the Ewido report. Please let me know what you think.

Nadog

Logfile of HijackThis v1.99.1
Scan saved at 1:36:11 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\lotus\wordpro\ltsstart.exe
C:\lotus\register\remind32.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\lotus\smartctr\suitest.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] c:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Lotus QuickStart.lnk = C:\lotus\wordpro\ltsstart.exe
O4 - Startup: Lotus SmartSuite 97 Registration.lnk = C:\lotus\register\remind32.exe
O4 - Startup: Lotus SuiteStart 97.lnk = C:\lotus\smartctr\suitest.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...84/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://autos.msn.com...id/MSSurVid.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://autos.msn.com...ior/Outside.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,21/mcgdmgr.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - c:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe




Incident Status Location

Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@atdmt[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@banner[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@doubleclick[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@kount[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@mediaplex[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@statcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@yadro[1].txt
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@2o7[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@atdmt[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@banner[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@com[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@doubleclick[1].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@kount[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@mediaplex[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@statcounter[2].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\MDG User\Cookies\mdg user@yadro[1].txt

[Piatan]

Hi nadog; Your Hijack This logfile looks to be clean. Boot into SAFE MODE: To restart in Safe Mode: Restart your computer. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter. Next: Double-click My Computer. Click the Tools menu, and then click Folder Options. Click the View tab. Clear "Hide file extensions for known file types." Under the "Hidden files" folder, select "Show hidden files and folders." Clear "Hide protected operating system files." Click Apply, and then click OK. (When finished, remember to return and place a check on "Hide protected operating system files" Click Apply and then OK.) Then, in safe mode navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Next navigate to the C:\Documents and Settings\(EVERY Listed USER)\Local Settings\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder. Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Also delete all "COOKIES". Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK. This is where Ewido says those undesirable cookies are being kept. So, be sure to delete all cookies from here: C:\Documents and Settings\MDG User\Cookies\ Then reboot into NORMAL MODE. How is your PC doing now, any problems ? The Ewido report looks as if there may be more to it. Please run Ewido again and lets see if it will take care of some of those items left unresolved. Please include the new Ewido report in your next post.

[nadog]

Hi Piatan; I followed all your recommendations. The temporary files were empty. When I went to the C:\Documents and Settings\MDG User\Cookies the only thing in there was something called "index.dat DAT File 32kb". Should I go back in there and delete that?. I also re-downloaded Spyware Blaster and changed my browser to Firefox and everything seems to be working normally. If you let me know about the dat file I will take care of it and run ewido again. nadog

[Piatan]

Hi nadog;

No, lets not delete that "index.dat DAT File 32kb", since I can't be positive what may be in it.

Please do run Ewido and post the report. Perhaps we will have a clearer idea with what we are dealing.
Possibly, the problem will be resolved by Ewido.

[nadog]

Hi Piatan; Here is the report for the latest Ewido scan. --------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 5:44:58 PM, 2/19/2006 + Report-Checksum: 702ED762 + Scan result: :mozilla.23:C:\Documents and Settings\MDG User\Application Data\Mozilla\Firefox\Profiles\pe2e3glr.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup :mozilla.24:C:\Documents and Settings\MDG User\Application Data\Mozilla\Firefox\Profiles\pe2e3glr.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup ::Report End Please let me know what you think. nadog

[Piatan]

Hi nadog; Looks like everything cleaned up nicely. If your PC is operating normally now, it looks like we are finished.

[nadog]

Hi Piatan; Okay, I'll let you know in a few days if anything goes wrong when I download the Spyware Guard. I also have been unable to get the host file from the aol site you had as a link. It downloaded but the mozilla message said the file was corrupted. When I tried it before IE wouldn't let me download it. I'll have a look for it and delete it if I can locate it. nadog