HijackThis log, help please


This topic is locked
55 replies to this topic

#1 Dodson (Authentic Member, 34 posts)

Posted 30 May 2005 - 12:37 PM

I was having problems getting a ScanDisk and defrag done, and was having problems with a .exe file named ELITEILX32.EXE. I finally got this disabled/removed and then the ScanDisk and defrag completed as usual. I downloaded the HijackThis program and would like some advice on anything I should delete to optimize my system and hopefully get rid of some annoying popups and bugs in my Internet Explorer. I do have Spybot installed and it comes up clean. Here is the log. My advance thanks to you!!

Logfile of HijackThis v1.99.1
Scan saved at 12:11:49 PM, on 5/30/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?.home=ytie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRAM FILES\YAHOO!\MESSENGER\YHEXBMES0521.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Unknown file in Winsock LSP: c:\windows\system\winlspak.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab



#2 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 04 June 2005 - 09:25 AM

Hi Dodson. I'm 'KotaGuy. Welcome to TomCoyote! If you still require assistance, could you post a new HijackThis log, please? It has been a few days since you posted and something in it might have changed since then. Thanks!

#3 Dodson (Authentic Member, 34 posts)

Posted 05 June 2005 - 04:24 PM

Thank you for the reply..... Here is a new log file. I am having a lot of new problems with pop-up ads that don't seem to get zapped by blockers; please let me know if you see anything wrong in the file....

Logfile of HijackThis v1.99.1
Scan saved at 4:22:29 PM, on 6/5/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O4 - HKLM\..\Run: [PCBG] C:\PROGRAM FILES\INTRIGUE LEARNING\pcbodyguard.exe /start
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab

THANKS!

#4 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 05 June 2005 - 07:14 PM

Thanks for posting the new log.

Download and install CCleaner. Don't run it yet.

Make sure no files are hidden. To do this:
  • Open My Computer.
  • Select the View menu and click Folder Options.
  • Select the View Tab.
  • In the Hidden files section select Show all files.
  • Click OK.
Copy/paste this into notepad or wordpad for reference during the fix.

Run and scan with HijackThis. With all browsers and windows closed, place a check beside the following and fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 69.50.166.11 www.google.es
O1 - Hosts: 69.50.166.11 google.es
O1 - Hosts: 69.50.166.11 google.com.au
O1 - Hosts: 69.50.166.14 yahoo.com
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-mo...bs/joysaver.cab


Boot into Safe Mode. To do this:
  • Reboot your computer.
  • Tap the F8 button as your computer is booting to bring you to the Advanced Options Menu.
  • Select Safe Mode and press Enter.
Search for and delete the following folder:

C:\Program Files\AWS

Search for and delete this file:

C:\WINDOWS\web\related.htm

Empty your Recycle Bin. Run CCleaner.

Reboot Windows normally and post a new HijackThis log please.
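The checks behind the fix list above can be mechanised. As an added example (not 'KotaGuy's instructions nor HijackThis's own code), this Python script reads a HijackThis-format log and flags the kinds of entries fixed in this thread: O1 hosts lines that send a site anywhere other than loopback, R0/R1 start and search URLs off a small allowlist, O15 Trusted Zone additions, and O16 ActiveX downloads that are unnamed or come from a host not on the allowlist. The sample log and the allowlist are constructed; the `.example` hosts stand in for the URLs the forum truncated.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed allowlist: hosts this user legitimately uses for IE start/search
# pages and for ActiveX downloads. Anything else gets a second look.
TRUSTED_HOSTS = {"www.yahoo.com", "chat.yahoo.com"}

# Constructed sample in HijackThis v1.99.1 format. The IPs and domains appear in
# the thread; the *.example hosts are placeholders for the truncated URLs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\EXPLORER.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search-hijack.example/search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O1 - Hosts: 69.50.166.11 google.co.uk
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 66.218.75.184 mail.yahoo.com
O15 - Trusted Zone: *.media-motor.net
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} - http://cabs.media-motor.example/cabs/joysaver.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<name>\S+)")
URL_RE = re.compile(r"https?://\S+")
# GUID, optional "(friendly name)", then "- <cab url>"
DPF_RE = re.compile(r"^DPF:\s+\{[0-9A-Fa-f-]+\}\s+(?:\((?P<name>[^)]*)\)\s+)?-\s+(?P<url>\S+)")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _not_loopback(ip_text):
    try:
        return not ip_address(ip_text).is_loopback
    except ValueError:
        return True  # malformed address in the hosts file is worth a look too


def triage(log_text):
    """Return (section, reason, line) for each entry that deserves a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header and process list; O3/O4/O8/O9 fall through below
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1":
            h = HOSTS_RE.match(body)
            if h and _not_loopback(h.group("ip")):
                findings.append((sec, f"hosts file sends {h.group('name')} to {h.group('ip')}", line))
        elif sec in ("R0", "R1"):
            u = URL_RE.search(body)
            if u and _host(u.group(0)) not in TRUSTED_HOSTS:
                findings.append((sec, f"IE start/search page points at {_host(u.group(0))}", line))
        elif sec == "O15":
            findings.append((sec, "site added to IE Trusted Zone (weaker security settings apply)", line))
        elif sec == "O16":
            d = DPF_RE.match(body)
            if d and (d.group("name") is None or _host(d.group("url")) not in TRUSTED_HOSTS):
                findings.append((sec, f"ActiveX control downloaded from {_host(d.group('url'))}", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```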

#5 Dodson (Authentic Member, 34 posts)

Posted 06 June 2005 - 08:00 AM

I will give your advice a try later today and repost the results. You said to remove AWS, this is a program I use daily, it's called Weather Bug. I will reply later today!

#6 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 06 June 2005 - 11:02 AM

I know what it is.... I suggested removing it as the program has had an extremely shady past when it comes to bundling spyware in with it.

As it is, there is still a lot of speculation about the program.

Visit this link: http://www.searchlor.../weatherbug.htm

Here's a Google search for you too:

http://www.google.ca.....n-US:official

As you can see... there are a lot of testimonials of very shady situations with WeatherBug.

A free, spyware/adware-free program that has gotten really good praise as an alternative to WeatherBug is Weather Watcher. You can download it from here:

http://www.singerscreations.com/

Your choice though.

#7 Dodson (Authentic Member, 34 posts)

Posted 06 June 2005 - 11:11 AM

I very much appreciate your advice on Weather Bug and will check out the other alternative; if it serves the same purpose I will uninstall WB. I will also check out the postings about WB and see what you are talking about. OK, I think I got all the previous things done correctly. Here is my new log file.
I am new to this HijackThis program and not very skillful at it yet.... Thank you for all your help and advice!

:D

Logfile of HijackThis v1.99.1
Scan saved at 11:05:08 AM, on 6/6/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SLRUNDLL.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/?.home=ytie
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN1\YT.DLL
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRAM FILES\AIM\AIM.EXE
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRAM FILES\YAHOO!\COMMON\YIESRVC.DLL
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .PDF: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {BB21F850-63F4-4EC9-BF9D-565BD30C9AE9} (ASquaredScanForm Element) - http://www.windowsec...scan/axscan.cab

#8 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 06 June 2005 - 01:06 PM

With the exception of WeatherBug... I still highly suggest you turf it... but other than that, your log is now CLEAN!! Good work!

How is your computer behaving? Any of the previous symptoms?

#9 Dodson (Authentic Member, 34 posts)

Posted 06 June 2005 - 06:13 PM

Well, I did install Weather Watcher and remove Weather Bug. WW seems to work OK and is much faster and simpler to operate, but one thing I don't like is the inability to view a local radar. The only thing I can find is a regional radar of 1,800 mile coverage. Anyhow, WB is gone and we will see if there is any improvement. I have been online for just a few minutes and am still getting the annoying popups, so I still need to do more tweaking I suppose....... Thanks again, Julia

#10 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 06 June 2005 - 06:47 PM

What sites are the popups from, Julia? And how frequent are they? The popups may just be normal ads from the sites you are visiting and not necessarily bad. And about the weather program... I'm not sure how you would get more local coverage... I don't use weather programs at all.



#11 Dodson (Authentic Member, 34 posts)

Posted 07 June 2005 - 06:42 AM

These popups are very frequent!! One that pops up a lot and often is called: hxxp://www.loadingwebsite.com, then when it loads it is something else like hxxp://www.adopthpmediapro.com. I also get one called hxxp://www.partypoker.com. These load up on their own and are not related to anything I am doing at the time. I can just be in my Yahoo email and they pop up and load. I did get rid of them for a while but they recently came back. GGRRRRRRRRR sooooo frustrating! I'll keep trying to zap the annoying suckers. Thanks again for your help. Julia

Edited by 'KotaGuy, 07 June 2005 - 04:16 PM.


#12 Dodson (Authentic Member, 34 posts)

Posted 07 June 2005 - 06:55 AM

Another thing: I just got 2 icons installed on my desktop; one is a red stop sign that says Remove Spyware, the other is a red stop sign that says Casino On Net..... Do you have a program suggestion that will zap these things for good???? I run Spybot and Yahoo Anti-Spy; they do find things from time to time, I delete them, but they do seem to stay alive and return for more annoying fun............. I also have installed a program called a-squared; it seems to work well at finding malware, but they keep returning.

#13 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 07 June 2005 - 11:50 AM

Download Scan.bat. Extract (unzip) the files to a folder. Browse to the folder they were extracted to and double click on scan.bat. Post the complete contents of the text file that opens up.

Thanks.

#14 Dodson (Authentic Member, 34 posts)

Posted 07 June 2005 - 02:56 PM

OK, I downloaded and ran the Scan.bat and I think I've done it right. Here are the results:

»»»»»»»»»»»»»»»»»»***LOG!***»»»»»»»»»»»»»»»»
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tsvcin SZ C:\\N20050308.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\picsvr SZ C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ NONE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\ NONE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ NONE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ NONE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce\ NONE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\ NONE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-\LoadPowerProfile SZ Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-\SchedulingAgent SZ C:\\WINDOWS\\SYSTEM\\mstask.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices-\KB891711 SZ C:\\WINDOWS\\SYSTEM\\KB891711\\KB891711.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\TaskMonitor SZ C:\\WINDOWS\\taskmon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\LoadPowerProfile SZ Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\LoadQM SZ loadqm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\HPDJ Taskbar Utility SZ C:\\WINDOWS\\SYSTEM\\hpztsb10.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\HP Component Manager SZ "C:\\PROGRAM FILES\\HP\\HPCORETECH\\HPCMPMGR.EXE"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\HP Software Update SZ "C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\Desktop Search SZ C:\\WINDOWS\\isrvs\\desktop.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\gouhzd SZ c:\\windows\\system\\gouhzd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\picsvr SZ C:\\WINDOWS\\SYSTEM\\PICSVR\\PICSVR.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\xhrmy SZ C:\\WINDOWS\\Xhrmy.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\checkrun SZ C:\\WINDOWS\\SYSTEM\\ELITEILX32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\ScanRegistry SZ C:\\WINDOWS\\scanregw.exe /autorun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\SystemTray SZ SysTray.Exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\WhenUSave SZ "C:\\Program Files\\Save\\Save.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\WhenUSearch SZ "C:\\Program Files\\WhenUSearch\\Search.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\WhenUSearchWHSE SZ "C:\\Program Files\\WhenUSearch\\whse.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\seeve SZ C:\\WINDOWS\\SEEVE.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-\Sero SZ C:\\WINDOWS\\Application Data\\ldcs.exe

Does this shed any light on my problem?? Julia

#15 'KotaGuy (Retired Staff-Malware Expert, 931 posts)

Posted 07 June 2005 - 04:38 PM

Thanks for posting the log. And yes, it helps :)

Download KillBox. Extract (unzip) it to its own folder. Don't run it yet.

Copy/Paste the following quotebox into a new notepad document.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"tsvcin"=-
"picsvr"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
"Desktop Search"=-
"gouhzd"=-
"picsvr"=-
"xhrmy"=-
"checkrun"=-
"WhenUSave"=-
"WhenUSearch"=-
"WhenUSearchWHSE"=-
"seeve"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-]
"Sero"=-


Save it to your desktop. Name it fixme.reg. Save it as File Type "All Files" (not as a plain text document, or it won't work!). Double click fixme.reg and answer yes to merge it into the registry.

Copy/Paste the rest of the fix into a new notepad document for reference as you will need to be offline.

Disconnect from the internet... unplug the cable to your modem if need be.

Close all open windows and programs, then start Killbox. Put a check next to "Delete on Reboot", then copy this line in the "Full Path of File to Delete" box:

C:\N20050308.EXE

Click the red and white "Delete File" button.
Click "Yes" at the first prompt.
Click "No" at the second.

Repeat those same steps for each of these entries one at a time:

C:\WINDOWS\SYSTEM\PICSVR
C:\WINDOWS\isrvs
C:\windows\system\gouhzd.exe
C:\WINDOWS\Xhrmy.exe
C:\WINDOWS\SYSTEM\ELITEILX32.EXE
C:\Program Files\Save
C:\Program Files\WhenUSearch
C:\WINDOWS\SEEVE.exe
C:\WINDOWS\Application Data\ldcs.exe


When you've finished, exit Killbox and reboot. Run scan.bat again, post the log along with a new HijackThis log please. Let me know about the popup situation too... less frequent? The same amount?
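As an added example (not part of the thread, nor any tool mentioned in it), the Python below does the paperwork of the fix above: it parses a Scan.bat-style autorun dump, emits a REGEDIT4 file that deletes the chosen values with the `"name"=-` syntax, reports any requested name that is not actually in the dump (so a typo does not silently do nothing), and lists the file paths those values pointed at for the delete-on-reboot step. The dump excerpt is constructed in the format Scan.bat printed earlier in the thread.

```python
import re
from collections import OrderedDict

# Constructed excerpt in the format Scan.bat printed earlier in this thread:
# one autorun value per line as "<key>\<value name> SZ <data>", backslashes in
# the data doubled, and "<key>\ NONE" for a key holding no values.
SAMPLE_SCAN = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tsvcin SZ C:\\N20050308.EXE
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ NONE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\SystemTray SZ SysTray.Exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\ScanRegistry SZ C:\\WINDOWS\\scanregw.exe /autorun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\HP Software Update SZ "C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\checkrun SZ C:\\WINDOWS\\SYSTEM\\ELITEILX32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-\WhenUSave SZ "C:\\Program Files\\Save\\Save.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run-\Sero SZ C:\\WINDOWS\\Application Data\\ldcs.exe
"""


def parse_scan(text):
    """Return (key, value_name, data) triples; keys reported as NONE are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.endswith(" NONE"):
            continue
        path, sep, data = line.partition(" SZ ")
        if not sep:
            continue  # not an autorun value line
        key, _, name = path.rpartition("\\")  # value name is the last path component
        # Scan.bat doubles backslashes and keeps the quotes around paths with spaces
        data = data.strip().strip('"').replace("\\\\", "\\")
        entries.append((key, name, data))
    return entries


def build_reg(entries, remove_names):
    """Emit REGEDIT4 text deleting the named values ("name"=- syntax), grouped by
    key in order of appearance. Also return requested names absent from the dump."""
    wanted, found = set(remove_names), set()
    by_key = OrderedDict()
    for key, name, _ in entries:
        if name in wanted:
            by_key.setdefault(key, []).append(name)
            found.add(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines), sorted(wanted - found)


def files_to_delete(entries, remove_names):
    """Full paths behind the removed values, for the delete-on-reboot step.
    Command-line switches are dropped; bare program names (no drive) are skipped."""
    wanted = set(remove_names)
    paths = []
    for _, name, data in entries:
        if name in wanted:
            path = re.split(r"\s+/", data)[0]
            if re.match(r"^[A-Za-z]:\\", path):
                paths.append(path)
    return paths


if __name__ == "__main__":
    found = parse_scan(SAMPLE_SCAN)
    reg_text, missing = build_reg(found, ["tsvcin", "checkrun", "WhenUSave", "Sero"])
    print(reg_text)
    print("not in dump:", missing)
    print("delete on reboot:", *files_to_delete(found, ["tsvcin", "checkrun", "WhenUSave", "Sero"]), sep="\n  ")
```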
