Full Version: problems with keqeek32.exe
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
oedearl
Here's a question from a newbie--sorry if it has been answered before, but I did a search and nothing showed up. I seem to have an application called keqeek32 on my computer--I don't know how it got there, but apparently it was created just a few weeks ago. It seems to be trying to change my homepage from Google to something else, but it only succeeds in changing to "about:blank" (maybe because my firewall is blocking it from further communication??). Anyway, when I try to delete it, I get a message that access is denied, and I should make sure the disk is not full or write protected and that the file is not currently in use. Also, when I shut down my computer, I get a separate message about shutting down keqeek32.exe. I would like to remove it entirely, but I'm not sure how to do that--any ideas? A search of my computer turned up a related file named Keqeek32.EXE-192D8768.pf, to the extent that is helpful. Thanks a lot!
Hunter
You are doing it the hard way and most likely will have little success, so do this and follow all the steps.


Guidelines for Posting in This Forum, READ THIS FIRST PLEASE

http://forum.gladiator-antivirus.com/index...showtopic=10517
oedearl
I seem to have an application called keqeek32 on my computer--I don't know how it got there, but apparently it was created just a few weeks ago. I think it is trying to change my homepage from Google to something else, but it only succeeds in changing to "about:blank" (maybe because my firewall is blocking it from further communication??). Anyway, when I try to delete it, I get a message that access is denied, and I should make sure the disk is not full or write protected and that the file is not currently in use. Also, when I shut down my computer, I get a separate message about shutting down keqeek32.exe. My HijackThis log is pasted below. Thanks a lot!

Logfile of HijackThis v1.97.7
Scan saved at 8:55:32 PM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell\Support\Alert\bin\AlertView.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmjb.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_director.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKLM\..\Run: [McRegWiz] c:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\yiiohiob.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,19/mcgdmgr.cab
oedearl
Although I already had AAW installed, I just ran it again after making some tweaks recommended at wilderssecurity.com. Four things were removed, but I'm still having the same problem. The new log is pasted below. Thanks.

Logfile of HijackThis v1.97.7
Scan saved at 10:50:01 PM, on 4/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\System32\msrexe.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\yiiohiob.exe
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,19/mcgdmgr.cab
CalamityJane
Hi oedearl,

I've merged your posts all into one thread so we can follow it all :)

You have or have had a trojan running in addition to a hijacker problem. Please follow these steps

1. Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an x in the boxes next to these items, then press *fix checked*

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

O4 - Startup: PowerReg Scheduler V3.exe

O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML

O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\yiiohiob.exe

O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab
..................................
Please then restart your computer into SAFE MODE

How to start the computer in Safe mode (all)
http://service1.symantec.com/SUPPORT/tsgen...001052409420406

Delete this file named in bold

C:\WINDOWS\System32\msrexe.exe (file)

Reboot your PC back to normal mode and follow up with an online AV scan with one (preferably two) of the following

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx

Delete any infected files found.

When you are done, please scan once more with HijackThis and post a new log back here please.

Also make sure you have the latest Adaware reference file (today's latest is: 01R298 20.04.2004). If you do not have that one, please update your Adaware program:

Just open Adaware and click on *Check for Updates Now* and then *Connect*. It will find a new reference-file. Click *ok* and let it download and install the updates by clicking on *Finish* .This will return you to the main screen.

Next, go to Settings (the gear icon at the top) and then *Scanning* and checkmark these items so they will be green:

Scan within archives
Scan my IE Favorites for banned URLS
Scan my hosts file

Then click *proceed* to save settings.

Click on *Tweak* next. And checkmark to make these green also:

Automatically mark all objects in result list

Automatically try to unregister objects prior to deletion

Click on *proceed*

Next, from the main screen, click on *Start* (lower righthand corner) and put a dot in the box next to *use Custom scanning options*, then click *Next* to start your scan.

Checkmark any items found after scanning to remove (this will actually put them in quarantine and can recover from backup if any should not be removed).

Reboot your PC after cleaning with Adaware and scan again. Repeat the process until no further items are found as bad.

Please report back with a fresh HijackThis log so we can make sure we got everything




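The triage CalamityJane did by eye on the log above can be written down as rules. The following is an added example by the editor, not part of the thread and not HijackThis code. The heuristics (orphaned CLSIDs with "(no file)", a system-sounding Run label pointing at a loose binary in the Windows directory, a raw executable in a Startup folder, a context-menu item served from a DLL under %SystemRoot%, and an O16 entry fed from file:// or the ms-its:/mhtml: protocol chain instead of a vendor CAB) are the editor's reading of the entries she picked out; the sample lines are copied from the first log posted in this thread, with a few benign entries kept so the rules have something to leave alone.

```python
import re

# Constructed sample: entries copied from the first HijackThis log posted in
# this thread (benign lines included so the rules have something to ignore).
SAMPLE_LOG = [
    r"O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r"O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe",
    r"O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe",
    r'O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background',
    r"O4 - Startup: PowerReg Scheduler V3.exe",
    r"O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe",
    r"O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML",
    r"O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\yiiohiob.exe",
    r"O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab",
    r"O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab",
]

LINE_RE = re.compile(r"^(O\d+|R\d|F\d) - (.*)$")                 # "O4 - <body>"
RUN_RE = re.compile(r"HK(?:LM|CU)\\\.\.\\Run: \[([^\]]+)\] (.*)")  # [label] command
STARTUP_RE = re.compile(r"(?:Global )?Startup: (.+)")
DPF_RE = re.compile(r"DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? - (.*)")
EXE_RE = re.compile(r'"?([A-Za-z]:\\.*?\.exe)', re.I)
LOOSE_IN_WINDIR_RE = re.compile(r"[A-Za-z]:\\WINDOWS\\(?:System32\\)?[^\\]+\.exe$", re.I)
GENERIC_LABEL_RE = re.compile(r"\b(system|service|windows|microsoft)\b", re.I)

# Each rule is an editor's heuristic, not a HijackThis feature. A rule returns
# a reason string when the entry deserves a look, otherwise None.
def rule_orphaned_clsid(code, body):
    if code in ("O2", "O3") and body.endswith("(no file)"):
        return "CLSID registered but its DLL is gone: leftover of a removed BHO/toolbar"
    return None

def rule_masquerading_run_key(code, body):
    m = RUN_RE.match(body) if code == "O4" else None
    if not m:
        return None
    label, cmd = m.groups()
    exe = EXE_RE.search(cmd)
    if exe and GENERIC_LABEL_RE.search(label) and LOOSE_IN_WINDIR_RE.match(exe.group(1)):
        return "system-sounding Run label pointing at a loose binary in the Windows directory"
    return None

def rule_bare_exe_in_startup(code, body):
    m = STARTUP_RE.match(body) if code == "O4" else None
    if m and m.group(1).split(" = ")[0].lower().endswith(".exe"):
        return "raw executable in a Startup folder (installers drop .lnk shortcuts, not binaries)"
    return None

def rule_res_menu_item(code, body):
    if code == "O8" and re.search(r"res://[A-Za-z]:\\WINDOWS\\", body, re.I):
        return "context-menu item served from a DLL dropped in the Windows directory"
    return None

def rule_local_dpf_source(code, body):
    m = DPF_RE.match(body) if code == "O16" else None
    if m and m.group(1).lower().startswith(("file:", "ms-its:", "mhtml:")):
        return "Download Program Files entry fed from a local file or the ms-its:/mhtml: chain, not a vendor CAB"
    return None

RULES = (rule_orphaned_clsid, rule_masquerading_run_key, rule_bare_exe_in_startup,
         rule_res_menu_item, rule_local_dpf_source)

def triage(lines):
    """Return (section code, reason, raw line) for every log line a rule flags."""
    hits = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue          # header, blank line or a "Running processes" path
        code, body = m.groups()
        for rule in RULES:
            reason = rule(code, body)
            if reason:
                hits.append((code, reason, raw))
                break
    return hits

if __name__ == "__main__":
    for code, reason, raw in triage(SAMPLE_LOG):
        print(f"{code}: {reason}\n    {raw}")
```

Run against the full log (one line per list element) it flags exactly the seven entries CalamityJane listed and nothing else. The ms-its:mhtml: entry deserves a separate check: that protocol chain was the standard way to push a CHM-based installer through Internet Explorer without a prompt in early 2004, and the fix was MS04-013, so an XP SP1 machine showing such an entry should be verified as having that update before it goes back online.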
oedearl
OK--thanks for all your suggestions. I followed them all (although when I scanned using HijackThis, it didn't show the below file)

O4 - HKLM\..\Run: [System Service] C:\WINDOWS\System32\msrexe.exe

I'm still getting messages that something is trying to change my homepage to "about:blank", so I guess I still need to do something additional. Here is my latest log--please let me know if I need to do anything else. Thanks very much for all of your help!!

Logfile of HijackThis v1.97.7
Scan saved at 12:10:33 AM, on 4/23/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
CalamityJane
Hi again :)

I'm not sure if this is multiple problems or just one, so I want to try several things.

I don't see anything on your current log - however, I'm going to ask LoPhatPhuud to take a look here and assess the problem with about:blank. He may have some ideas.

1. Meanwhile, I have sent you a PM with my email address. If you still have the file keqeek32.exe, I would like to get a copy of it to have it analyzed. Please check your Private messages and follow the instructions before starting the steps below. Thanks :)

2. Please do a search on your PC for a file called Hosts. If one is found, please open it up and copy and paste the contents back here.

3. I would also ask for you to now Update your Adaware program and click on check for updates. If one is found (just had one for yesterday, in fact), please click on connect and ok to let it download and then finish and scan once more with Adaware - it may find more stuff to fix

Post your Adaware log back here please, I would like to see all of it. :)

4. Give this one a try too. Download this tool
CWShredder.
Download it here:

http://www.spywareinfo.com/downloads/tools/CWShredder.exe

Then, reboot your PC into SAFE MODE:
How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam


Now run the CWShredder.exe. Just click on it and press the *Fix* button to run it (NOT the scan button - use *fix*). Let it fix what it finds, if anything. When done, press *next* and you will get the results. Copy those for us to post back here, then *exit*.

Reboot back into normal mode and let us know what if anything was found by any of the above steps. (also your adaware log and the contents of your hosts file, if one was found)
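The hosts-file check in step 2 can be done by a script rather than by eye. This is an added example by the editor, not something from the thread or from any of the tools named in it. On Windows XP the file is C:\WINDOWS\system32\drivers\etc\hosts; it has no extension, which is why double-clicking it makes Windows ask what program to use, and Notepad (or a script like this one) opens it fine. The watchlist is the editor's selection of the scan and update sites named in this thread plus Windows Update; the two suspicious lines in the sample are constructed, and 203.0.113.10 is a documentation address, not a real server.

```python
import ipaddress

# Constructed sample: a trimmed-down stock Windows XP hosts file plus two
# lines of the kind a hijacker adds. Both extra lines are made up for this
# example; 203.0.113.10 is a documentation address, not a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
127.0.0.1       localhost
127.0.0.1       housecall.antivirus.com      # blocks the online scanner
203.0.113.10    www.google.com               # redirects the home page
"""

# Editor's watchlist: the scan and update sites named in this thread, plus
# Windows Update. A hosts entry for any of these is never legitimate on a
# home PC, whatever address it points to.
WATCHLIST = (
    "antivirus.com", "pandasoftware.com", "ravantivirus.com", "ca.com",
    "mcafee.com", "windowsupdate.com", "microsoft.com",
)

def parse_hosts(text):
    """Yield (ip, hostname, comment) for every active mapping, one per hostname."""
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")   # everything after '#' is a comment
        parts = line.split()
        if len(parts) < 2:
            continue                            # blank line or comment only
        for name in parts[1:]:                  # one address may carry several names
            yield parts[0], name.lower(), comment.strip()

def audit_hosts(text, watch=WATCHLIST):
    """Return (kind, ip, hostname) for every mapping other than localhost.

    kind is 'blocked' for loopback/unspecified targets (the name resolves to
    nowhere), 'redirected' for any other address, 'malformed' if the address
    does not parse; ':security-site' is appended when the name is on the
    watchlist.
    """
    findings = []
    for ip, name, _ in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(("malformed", ip, name))
            continue
        kind = "blocked" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        if any(name == d or name.endswith("." + d) for d in watch):
            kind += ":security-site"
        findings.append((kind, ip, name))
    return findings

if __name__ == "__main__":
    # On a real XP box: audit_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())
    for kind, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"{kind:25} {ip:16} {name}")
```

A clean XP hosts file produces no findings at all. Anything in the 'blocked:security-site' category explains why an online scanner "won't load", and any 'redirected' entry is worth checking before trusting what the browser shows for that site.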
CalamityJane
Alrighty then, more stuff to do, these from LoPhatPhuud. Do this after my steps above.

1. Search for these files and, if found, delete them:

c:\windows\start.chm

c:\windows\start.html

2. Next, download this zip.

http://tools.zerosrealm.com/downloads/pv.zip

Please unzip it to the desktop. It will not work if you run it from inside the zip.

After unzipped go to the desktop. Open the pv folder. Double click on the runme.bat

A dos window will open. Please select option 1 for explorer dll's by typing 1 and then pressing enter.

Notepad will open with a log in it. Please copy and paste the log into this post.

Then, also please repeat the process (click on runme.bat) and select option 2 by typing a 2 and then press enter. Again, please copy and paste that log into this post as well.
CalamityJane
oedearl,

Thank you for the email. keqeek32.exe is infected :( So we do have multiple problems here. At the moment this trojan concerns me more than the hijacker changing your search pages. It is a backdoor trojan and password stealer. As per my instructions in email to you, please take all appropriate steps to change/protect all accounts and passwords that may have been stored on your PC.

I've replied to you by email and am responding here as well.

Computer Associates identified this trojan as:

Win32.Webber.P
See description
http://www3.ca.com/threatinfo/virusinfo/virus.aspx?ID=35848

Kaspersky calls it:
Backdoor.Padodor.e

AVG detects this as:
Backdoor.Padodor.c

Trojan Remover does not detect it (I will submit to them)

You need to get an online AV scan at one (preferably two) of the following

Panda's Active Scan
http://www.pandasoftware.com/activescan/co...n_principal.htm

Trend Micro (PC-cillin) - Free on-line Scan
http://housecall.antivirus.com

RAV Antivirus Online Scan
http://www.ravantivirus.com/scan/

eTrust AV web scanner (Computer Associates)
http://www3.ca.com/virusinfo/virusscan.aspx
..................
Your version of McAfee, if updated, should also detect this. What version do you have and what is your latest update file?
oedearl
Hi Jane,

I got your three responses (thanks very much), and I'll reply by number below:


1. I sent you the zip, and I have received your response that it is infected :( .

******************

2. I found two files called "hosts" (and what I think are two related files called "lmhosts"). However, I kept getting a message that windows couldn't open them, so I can't paste the contents.

****************

3. I ran the most recent AAW, and it didn't turn up anything. The log is below:


Lavasoft Ad-aware Personal Build 6.181
Logfile created on :Saturday, April 24, 2004 8:22:22 PM
Created with Ad-aware Personal, free for private use.
Using reference-file :01R299 22.04.2004
______________________________________________________

Ad-aware Settings
=========================
Set : Activate in-depth scan (Recommended)
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file


4-24-2004 8:22:22 PM - Scan started. (Custom mode)

Listing running processes
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ThreadCreationTime : 4-24-2004 12:16:47 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:51 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:51 PM
BasePriority : Normal
FileSize : 99 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
OriginalFilename : services.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/29/2002 11:00:00 AM

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:51 PM
BasePriority : Normal
FileSize : 11 KB
FileVersion : 5.1.2600.1106 (xpsp1.020828-1920)
ProductVersion : 5.1.2600.1106
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
OriginalFilename : lsass.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/29/2002 11:00:00 AM

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:52 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:04:27 AM
Last modified : 8/29/2002 11:00:00 AM

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-24-2004 12:16:52 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:04:27 AM
Last modified : 8/29/2002 11:00:00 AM

#:7 [explorer.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 4-24-2004 12:16:53 PM
BasePriority : Normal
FileSize : 980 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
OriginalFilename : EXPLORER.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/29/2002 11:00:00 AM

#:8 [lexbces.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:54 PM
BasePriority : Normal
FileSize : 296 KB
FileVersion : 8.16
ProductVersion : 8.16
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LexBce Service
InternalName : LexBce Service
OriginalFilename : LexBceS.exe
ProductName : MarkVision for Windows (32 bit)
Created on : 6/2/2003 4:01:26 PM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 6/2/2003 4:01:26 PM

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:54 PM
BasePriority : Normal
FileSize : 50 KB
FileVersion : 5.1.2600.0 (XPClient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
OriginalFilename : spoolsv.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/29/2002 11:00:00 AM

#:10 [lexpps.exe]
FilePath : C:\WINDOWS\system32\
ThreadCreationTime : 4-24-2004 12:16:54 PM
BasePriority : Normal
FileSize : 170 KB
FileVersion : 8.16
ProductVersion : 8.16
Copyright : © 1993 - 2003 Lexmark International, Inc.
CompanyName : Lexmark International, Inc.
FileDescription : LEXPPS.EXE
InternalName : LEXPPS
OriginalFilename : LEXPPS.EXE
ProductName : MarkVision for Windows (32 bit)
Created on : 6/2/2003 3:56:02 PM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 6/2/2003 3:56:02 PM

#:11 [hkcmd.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-24-2004 12:16:55 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 3,0,0,2104
ProductVersion : 7,0,0,2104
Copyright : Copyright 1999-2003, Intel Corporation
CompanyName : Intel Corporation
FileDescription : hkcmd Module
InternalName : HKCMD
OriginalFilename : HKCMD.EXE
ProductName : Intel® Common User Interface
Created on : 1/1/1980 6:00:00 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 4/7/2003 6:07:38 AM

#:12 [tfswctrl.exe]
FilePath : C:\WINDOWS\system32\dla\
ThreadCreationTime : 4-24-2004 12:16:55 PM
BasePriority : Normal
FileSize : 112 KB
FileVersion : 1.04.05b
Copyright : Copyright
CompanyName : Sonic Solutions
FileDescription : Drive Letter Access Component
Created on : 1/6/2004 1:26:18 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/6/2003 7:04:00 AM

#:13 [dsentry.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-24-2004 12:16:55 PM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 1, 0, 5, 0
ProductVersion : 1, 0, 5, 0
Copyright : Copyright
CompanyName : Dell - Advanced Desktop Engineering
FileDescription : DVDSentry
InternalName : DVDSentry
OriginalFilename : DSentry.exe
ProductName : Dell - DVDSentry
Created on : 8/13/2003 4:27:40 PM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/13/2003 4:27:40 PM

#:14 [pcmservice.exe]
FilePath : C:\Program Files\Dell\Media Experience\
ThreadCreationTime : 4-24-2004 12:16:56 PM
BasePriority : Normal
FileSize : 200 KB
FileVersion : 1.0.0826
ProductVersion : 1.0.0826
Copyright : Copyright c 2003 CyberLink Corp.
CompanyName : CyberLink Corp.
FileDescription : PowerCinema Resident Program for Dell
InternalName : PowerCinema Resident Program for Dell
OriginalFilename : PCM2Launcher.EXE
ProductName : PCM2Launcher Application
Created on : 1/6/2004 1:29:18 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 8/27/2003 1:47:34 AM

#:15 [mmtask.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 4-24-2004 12:16:57 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 1.0.0.1
ProductVersion : 1.0.0.1
Copyright : TODO: © <Company name>. All rights reserved.
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
InternalName : mmtask.exe
OriginalFilename : mmtask.exe
ProductName : TODO: <Product name>
Created on : 3/4/2004 3:01:49 AM
Last accessed : 4/25/2004 12:22:22 AM
Last modified : 1/26/2004 3:46:48 PM

#:16 [support.exe]
FilePath : C:\Program Files\Common Files\Dell\EUSW\
ThreadCreationTime : 4-24-2004 12:16:57 PM
BasePriority : Normal
FileSize : 288 KB
FileVersion : 2, 0, 0, 34
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : Dell
FileDescription : Support
InternalName : Support
OriginalFilename : Support.exe
ProductName : Dell Support
Created on : 10/7/2003 10:21:10 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 10/7/2003 10:21:10 PM

#:17 [ipodmanager.exe]
FilePath : C:\Program Files\iPod\bin\
ThreadCreationTime : 4-24-2004 12:16:57 PM
BasePriority : Normal
FileSize : 240 KB
FileVersion : 1.0.30.0
ProductVersion : 2.0.1?0
Copyright : Copyright
FileDescription : iPodManager Module
InternalName : iPodManager
OriginalFilename : iPodManager.EXE
ProductName : iPodManager Module
Created on : 6/15/2003 12:54:46 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 6/15/2003 12:54:46 PM

#:18 [mm_tray.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 4-24-2004 12:16:58 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 8.20.0107
ProductVersion : 8.20.0107
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_tray
InternalName : mm_tray
OriginalFilename : mm_tray.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 1/10/2004 6:02:28 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 1/26/2004 3:46:48 PM

#:19 [dlbkbmgr.exe]
FilePath : C:\Program Files\Dell AIO Printer A920\
ThreadCreationTime : 4-24-2004 12:16:58 PM
BasePriority : Normal
FileSize : 264 KB
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
CompanyName : Dell Computer Corporation
FileDescription : Dell AIO Printer A920Button Manager
InternalName : dlbkbmgr.exe
OriginalFilename : dlbkbmgr.exe
ProductName : Button Manager Executable
Created on : 6/2/2003 6:25:24 PM
Last accessed : 4/25/2004 12:17:03 AM
Last modified : 6/2/2003 6:25:24 PM

#:20 [notifyalert.exe]
FilePath : C:\Program Files\Dell\Support\Alert\bin\
ThreadCreationTime : 4-24-2004 12:16:58 PM
BasePriority : Normal
FileSize : 344 KB
FileVersion : 2.1.0.72
ProductVersion : 2.1.0.72
InternalName : NotifyAlert.exe
OriginalFilename : NotifyAlert.exe
Created on : 10/7/2003 10:20:18 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 10/7/2003 10:20:18 PM

#:21 [mscifapp.exe]
FilePath : C:\Program Files\McAfee.com\MPS\
ThreadCreationTime : 4-24-2004 12:16:58 PM
BasePriority : Normal
FileSize : 220 KB
FileVersion : 4, 0, 1, 24
ProductVersion : 4, 0, 0, 0
Copyright : Copyright
CompanyName : Networks Associates Technology, Inc
FileDescription : McAfee Privacy Service
InternalName : mscifapp
OriginalFilename : mscifapp.exe
ProductName : McAfee Privacy Service
Created on : 2/5/2004 2:35:44 AM
Last accessed : 4/24/2004 11:31:44 PM
Last modified : 7/25/2003 8:56:18 PM

#:22 [dlbkbmon.exe]
FilePath : C:\Program Files\Dell AIO Printer A920\
ThreadCreationTime : 4-24-2004 12:16:58 PM
BasePriority : Normal
FileSize : 52 KB
FileVersion : 0.1.1.1
ProductVersion : 0.1.1.1
CompanyName : Dell Computer Corporation
FileDescription : Dell AIO Printer A920Button Monitor
InternalName : dlbkbmon.exe
OriginalFilename : dlbkbmon.exe
ProductName : Button Monitor Executable
Created on : 6/2/2003 6:50:58 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 6/2/2003 6:50:58 PM

#:23 [mpftray.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 4-24-2004 12:16:59 PM
BasePriority : Normal
FileSize : 1348 KB
FileVersion : 5.0.1.5
ProductVersion : 5.0.1.5
Copyright : Copyright
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Tray Monitor
InternalName : MpfTray
OriginalFilename : MPFTRAY.EXE
ProductName : McAfee Personal Firewall (MPF)
Created on : 1/31/2004 3:25:48 AM
Last accessed : 4/25/2004 12:17:46 AM
Last modified : 9/2/2003 7:00:00 PM

#:24 [wkufind.exe]
FilePath : C:\Program Files\Common Files\Microsoft Shared\Works Shared\
ThreadCreationTime : 4-24-2004 12:16:59 PM
BasePriority : Normal
FileSize : 28 KB
FileVersion : 7.00.0716.0
ProductVersion : 7.00.0716.0
Copyright : Copyright
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : WkUFind
OriginalFilename : WkUFind.exe
ProductName : Update Detection Module
Created on : 7/16/2002 1:21:48 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 7/16/2002 1:21:48 PM

#:25 [mnyexpr.exe]
FilePath : C:\Program Files\Microsoft Money\System\
ThreadCreationTime : 4-24-2004 12:16:59 PM
BasePriority : Normal
FileSize : 196 KB
FileVersion : 11.00.0716
ProductVersion : 11.00.0716
Copyright : Copyright © Microsoft Corp. 1990-2001. All rights reserved.
CompanyName : Microsoft Corporation
FileDescription : Microsoft Money Express
InternalName : mnyexpr
OriginalFilename : mnyexpr.exe
ProductName : Microsoft Money
Created on : 7/17/2002 5:00:00 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 7/17/2002 5:00:00 PM

#:26 [histkill.exe]
FilePath : C:\Program Files\HistoryKill\
ThreadCreationTime : 4-24-2004 12:16:59 PM
BasePriority : Normal
FileSize : 251 KB
FileVersion : 2003.01.0003
ProductVersion : 2003.01.0003
Copyright : © Copyright SwankSoft Technologies, Inc. 1998-2003
CompanyName : SwankSoft Technologies, Inc.
FileDescription : HistoryKill privacy utility
InternalName : histkill
OriginalFilename : histkill.exe
ProductName : HistoryKill
Created on : 1/18/2003 8:49:14 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 10/10/2003 7:27:20 AM

#:27 [aoltray.exe]
FilePath : C:\Program Files\America Online 9.0\
ThreadCreationTime : 4-24-2004 12:17:00 PM
BasePriority : Normal
FileSize : 36 KB
FileVersion : 9.00.000
ProductVersion : 9.00.000
Copyright : Copyright © America Online, Inc. 1999 - 2003
CompanyName : America Online, Inc.
FileDescription : AOL Tray Icon
InternalName : AolTray
ProductName : America Online
Created on : 1/6/2004 1:30:20 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 8/9/2003 11:36:04 PM

#:28 [hkpopupkiller.exe]
FilePath : C:\Program Files\HistoryKill\
ThreadCreationTime : 4-24-2004 12:17:02 PM
BasePriority : Normal
FileSize : 152 KB
FileVersion : 2003.01.0003
ProductVersion : 2003.01.0003
Copyright : SwankSoft Technologies, Inc.
CompanyName : SwankSoft Technologies, Inc.
FileDescription : HK PopUp Killer
InternalName : hkPopupKiller
OriginalFilename : hkPopupKiller.exe
ProductName : HK PopUp Killer
Created on : 1/18/2003 8:50:43 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 10/10/2003 7:13:44 AM

#:29 [dlg.exe]
FilePath : C:\Program Files\Digital Line Detect\
ThreadCreationTime : 4-24-2004 12:17:02 PM
BasePriority : Normal
FileSize : 24 KB
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
Copyright : Copyright
CompanyName : BVRP Software
FileDescription : Digital Line Detection
InternalName : TestLine
OriginalFilename : TestLine.exe
ProductName : BVRP Software TestLine
Created on : 1/6/2004 1:25:05 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 6/20/2003 9:43:00 AM

#:30 [mpfagent.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 4-24-2004 12:17:02 PM
BasePriority : Normal
FileSize : 500 KB
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
Copyright : Copyright
CompanyName : McAfee Security
FileDescription : McAfee Personal Firewall Agent Interface
InternalName : MpfAgent
OriginalFilename : MPFAGENT.EXE
ProductName : McAfee Personal Firewall (MPF)
Created on : 1/31/2004 3:25:48 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 9/2/2003 7:00:00 PM

#:31 [sgmain.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 4-24-2004 12:17:02 PM
BasePriority : Normal
FileSize : 352 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC
FileDescription : SpywareGuard
InternalName : sgmain
OriginalFilename : sgmain.exe
ProductName : SpywareGuard
Created on : 8/29/2003 11:05:35 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 8/29/2003 11:05:35 PM

#:32 [sgbhp.exe]
FilePath : C:\Program Files\SpywareGuard\
ThreadCreationTime : 4-24-2004 12:17:03 PM
BasePriority : Normal
FileSize : 228 KB
FileVersion : 2.02.0001
ProductVersion : 2.02.0001
Copyright : Copyright © 2002-2003 Javacool Software LLC.
FileDescription : SG Browser Hijacking Protection
InternalName : sgbhp
OriginalFilename : sgbhp.exe
ProductName : SG Browser Hijacking Protection
Created on : 8/29/2003 3:14:56 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 8/29/2003 3:14:56 PM

#:33 [acsd.exe]
FilePath : C:\PROGRA~1\COMMON~1\AOL\ACS\
ThreadCreationTime : 4-24-2004 12:17:05 PM
BasePriority : Normal
FileSize : 1344 KB
FileVersion : 1,0,17,5
ProductVersion : 1,0,17,5
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : AOL Connectivity Service
InternalName : acsd
OriginalFilename : acsd.exe
ProductName : AOL Connectivity Service
Created on : 1/6/2004 1:30:02 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 8/6/2003 10:58:26 PM

#:34 [mpfservice.exe]
FilePath : C:\PROGRA~1\McAfee.com\PERSON~1\
ThreadCreationTime : 4-24-2004 12:17:05 PM
BasePriority : Normal
FileSize : 492 KB
FileVersion : 4.1.0.1
ProductVersion : 4.1.0.1
Copyright : Copyright
CompanyName : McAfee Corporation
FileDescription : McAfee Personal Firewall Service
InternalName : MPFService
OriginalFilename : MpfService.exe
ProductName : McAfee Personal Firewall
Created on : 1/31/2004 3:25:48 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 9/2/2003 7:00:00 PM

#:35 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-24-2004 12:17:08 PM
BasePriority : Normal
FileSize : 12 KB
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
OriginalFilename : svchost.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:04:27 AM
Last modified : 8/29/2002 11:00:00 AM

#:36 [wanmpsvc.exe]
FilePath : C:\WINDOWS\
ThreadCreationTime : 4-24-2004 12:17:08 PM
BasePriority : Normal
FileSize : 64 KB
FileVersion : 7, 0, 0, 2
ProductVersion : 7, 0, 0, 2
Copyright : Copyright
CompanyName : America Online, Inc.
FileDescription : Wan Miniport (ATW) Service
InternalName : WanMPSvc
OriginalFilename : WanMPSvc.exe
ProductName : America Online
Created on : 1/6/2004 1:30:12 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 1/10/2003 11:13:04 PM

#:37 [ipodservice.exe]
FilePath : C:\Program Files\iPod\bin\
ThreadCreationTime : 4-24-2004 12:17:12 PM
BasePriority : Normal
FileSize : 396 KB
FileVersion : 1.0.0.85
ProductVersion : 2.0.1?0
Copyright : Copyright 2002 Apple Computer, Inc
CompanyName : Apple Computer, Inc
FileDescription : iPodService Module
InternalName : iPodService
OriginalFilename : iPodService.EXE
ProductName : iPodService Module
Created on : 6/15/2003 12:54:46 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 6/15/2003 12:54:46 PM

#:38 [wuauclt.exe]
FilePath : C:\WINDOWS\System32\
ThreadCreationTime : 4-24-2004 12:18:19 PM
BasePriority : Normal
FileSize : 145 KB
FileVersion : 5.4.3790.20 built by: lab04_n
ProductVersion : 5.4.3790.20
CompanyName : Microsoft Corporation
FileDescription : Windows Update AutoUpdate Client
InternalName : wuauclt.exe
OriginalFilename : wuauclt.exe
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 1/31/2004 5:40:14 AM

#:39 [winword.exe]
FilePath : C:\Program Files\Microsoft Office\Office10\
ThreadCreationTime : 4-24-2004 12:22:14 PM
BasePriority : Normal
FileSize : 10338 KB
FileVersion : 10.0.4030
ProductVersion : 10.0.4030
Copyright : Copyright
CompanyName : Microsoft Corporation
FileDescription : Microsoft Word
InternalName : WinWord
OriginalFilename : WinWord.exe
ProductName : Microsoft Office XP
Created on : 5/3/2002 9:07:40 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 5/3/2002 9:07:40 PM

#:40 [msworks.exe]
FilePath : C:\Program Files\Microsoft Works\
ThreadCreationTime : 4-24-2004 12:22:17 PM
BasePriority : Normal
FileSize : 92 KB
FileVersion : 7.02.0710.1
ProductVersion : 7.02.0710.1
Copyright : Copyright
CompanyName : Microsoft
FileDescription : Microsoft
InternalName : MSWORKS
OriginalFilename : MSWorks.exe
ProductName : Microsoft
Created on : 7/10/2002 4:04:26 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 7/10/2002 4:04:26 PM

#:41 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 4-24-2004 12:27:10 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:17:14 AM
Last modified : 8/29/2002 11:00:00 AM

#:42 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ThreadCreationTime : 4-24-2004 12:28:34 PM
BasePriority : Normal
FileSize : 89 KB
FileVersion : 6.00.2800.1106 (xpsp1.020828-1920)
ProductVersion : 6.00.2800.1106
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
OriginalFilename : IEXPLORE.EXE
ProductName : Microsoft
Created on : 8/29/2002 11:00:00 AM
Last accessed : 4/25/2004 12:17:14 AM
Last modified : 8/29/2002 11:00:00 AM

#:43 [mmjb.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 4-24-2004 12:32:32 PM
BasePriority : Normal
FileSize : 2564 KB
FileVersion : 8.20.0107
ProductVersion : 8.20.0107
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : MUSICMATCH Jukebox
InternalName : mmjb
OriginalFilename : mmjb.EXE
ProductName : MUSICMATCH Jukebox
Created on : 1/10/2004 6:02:28 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 1/26/2004 3:46:48 PM

#:44 [mmdiag.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 4-24-2004 12:32:33 PM
BasePriority : Normal
FileSize : 84 KB
FileVersion : 8.20.0107
ProductVersion : 8.20.0107
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : Logging and tracing manager
InternalName : MMTraceExe
OriginalFilename : MMTraceExe.EXE
ProductName : MUSICMATCH JUKEBOX
Created on : 1/10/2004 6:02:29 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 1/26/2004 3:46:50 PM

#:45 [mm_director.exe]
FilePath : C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\
ThreadCreationTime : 4-24-2004 12:32:35 PM
BasePriority : Normal
FileSize : 204 KB
FileVersion : 8.20.0107
ProductVersion : 8.20.0107
Copyright : Copyright
CompanyName : MUSICMATCH, Inc.
FileDescription : mm_director exe
InternalName : mm_director
OriginalFilename : mm_director.exe
ProductName : MUSICMATCH JUKEBOX
Created on : 1/6/2004 1:33:30 AM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 2/27/2004 12:20:17 AM

#:46 [wzqkpick.exe]
FilePath : C:\PROGRA~1\WINZIP\
ThreadCreationTime : 4-24-2004 12:45:18 PM
BasePriority : Normal
FileSize : 116 KB
FileVersion : 1.0 (32-bit)
ProductVersion : 9.0 (6028)
Copyright : Copyright © WinZip Computing, Inc. 1991-2004 - All Rights Reserved
CompanyName : WinZip Computing, Inc.
FileDescription : WinZip Executable
InternalName : WZQKPICK.EXE
OriginalFilename : WZQKPICK.EXE
ProductName : WinZip
Created on : 4/24/2004 12:43:52 PM
Last accessed : 4/25/2004 12:22:23 AM
Last modified : 2/11/2004 1:00:00 PM

#:47 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-aware 6\
ThreadCreationTime : 4-25-2004 12:21:33 AM
BasePriority : Normal
FileSize : 668 KB
FileVersion : 6.0.1.181
ProductVersion : 6.0.0.0
Copyright : Copyright
CompanyName : Lavasoft Sweden
FileDescription : Ad-aware 6 core application
InternalName : Ad-aware.exe
OriginalFilename : Ad-aware.exe
ProductName : Lavasoft Ad-aware Plus
Created on : 3/20/2004 4:56:39 PM
Last accessed : 4/25/2004 12:21:33 AM
Last modified : 7/13/2003 3:00:20 AM

Memory scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Started deep registry scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Deep registry scan result :
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Deep scanning and examining files (C:)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Disk scan result for C:\
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
New objects : 0
Objects found so far: 0


Scanning Hosts file(C:\WINDOWS\System32\drivers\etc\hosts)
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

Hosts file scan result:
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
1 entries scanned.
New objects :0
Objects found so far: 0



8:35:14 PM Scan complete

Summary of this scan
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
Total scanning time :00:12:51:734
Objects scanned :178323
Objects identified :0
Objects ignored :0
New objects :0

******************

4. I already had CWShredder, and I ran it per your instructions. The log is below:

Done!
Removed from your system:
- CWS.Msconfig

Windows XP (5.01.2600 SP1)
CWShredder v1.56.2
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit:
http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch
trojan and its variants, visit:
http://www.spywareinfo.com/~merijn/cwschronicles.html

For donations to help support CWShredder, visit:
http://www.spywareinfo.com/~merijn/donate.html

*****************

5. My search for "c:\windows\start.chm" and "c:\windows\start.html" didn't turn anything up.

*****************

6. I couldn't access the page you told me to (http://http://tools.zerosrealm.com/downloads/pv.zip). I kept getting a message that the page couldn't be displayed.

*****************

7. I'll change my passwords and run the online AV scans you suggested. McAfee VirusScan started giving me problems a while ago, and their support people told me to uninstall and then reinstall. I was able to uninstall, but I kept crashing on reinstall, so it is not up and running as of now (as an aside, everyone on this board is 100 times more helpful than anyone I talked to at McAfee). My problems with the McAfee programs started (shortly) after the keqeek32 problems arose, so VirusScan was operating at the time of infection.

However, my McAfee firewall tells me that "keqeek32.exe has been blocked from access to the internet and cannot exchange data with any computer." Maybe this means that the trojan is not able to transmit any passwords back to the hacker?

******************

8. One last thing--I ran a search and found that "msrexe" is still in some of my folders. Should this be the case?

Thanks again for all of your help for what has turned into a much bigger problem than I initially thought!!
oedearl
As a follow-up, the online AV scans found 6 viruses. The log from the CA scan is below:

1. cqqa.exe Win32.Webber.P infected C:\Program Files\Internet Explorer\

2. ulxcrhkf.exe Win32.Jeem.C infected C:\Program Files\Internet Explorer\

3. Dc1.exe Win32.Jeem.C infected C:\RECYCLER\S-1-5-21-2540056692-1482795745-1487413671-500\

4. A0014437.exe Win32.Jeem.C infected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP85\

5. Keqeek32.exe Win32.Webber.P infected C:\WINDOWS\SYSTEM32\

6. Kgloaa32.dll Win32.Webber.P infected C:\WINDOWS\SYSTEM32\


The first 4 were deleted. CA said the last 2 cannot be deleted.

I hope this helps--thanks again!
CalamityJane
Ok, good job.

Since we have multiple problems, I'm going to try to go slower and help you solve each one at a time.

Please try this

Restart your computer into safe mode (you can copy these directions to have handy to follow)

How to start the computer in Safe mode
http://service1.symantec.com/SUPPORT/tsgen...src=sec_doc_nam

Then, search for and delete these two infected files in your System32 folder.

5. Keqeek32.exe Win32.Webber.P infected C:\WINDOWS\SYSTEM32\

6. Kgloaa32.dll Win32.Webber.P infected C:\WINDOWS\SYSTEM32\
CalamityJane
Next, please download this program - it is a free for 30 days fully working program to remove trojans. I know that it will detect this Webber.p trojan since I did send them your infected file yesterday and received confirmation (then they had an update to deal with it).

Download Trojan Remover:
http://www.simplysup.com/tremover/download.html

After downloading and installing, get the most current updates (just open the program and press the *update* button). The program will ask if you want to restart Trojan Remover. Click yes and then find the scan button to run it.

This is to ensure we've gotten all the infected files.
oedearl
Jane,

Thanks for the instructions. I deleted the two infected files, and I downloaded, updated and ran Trojan Remover. It told me that no active malicious files were found, and no changes were made. Could it be that we are near the end??

I posted my most recent HijackThis log below. Please let me know if I need to do anything else. Thanks a million for all your work on this.



Logfile of HijackThis v1.97.7
Scan saved at 8:53:54 PM, on 4/25/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
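The HijackThis log above is what the helpers in this thread read by hand. As an added example (not code from the posts or from HijackThis itself), here is a small Python triage script that applies the same first-pass checks to a log: it flags the file names the CA scan reported as infected, executables running from the Internet Explorer folder (where two of them were dropped), autostart entries with no resolvable path, and a start page reset to about:blank. The IE-folder allowlist and the sample log are assumptions constructed for the example.

```python
"""Triage helper for a HijackThis v1.97 log (added example, not from the posts
or from HijackThis).  Parses the "Running processes:" section, the R0/R1
start-page entries and the O4 autostart entries, then flags: files the CA scan
in this thread reported infected, executables running from a folder where only
the browser belongs, autostarts with no resolvable path, and a start page reset
to about:blank (the symptom described at the top of the thread)."""
import re
from dataclasses import dataclass

# File names the CA scan reported as Win32.Webber.P / Win32.Jeem.C.
INFECTED_NAMES = {"keqeek32.exe", "kgloaa32.dll", "cqqa.exe", "ulxcrhkf.exe"}

# Assumption for this example: the only binary that belongs in the IE folder
# is iexplore.exe (two of the infected files were dropped there).
EXPECTED_IN_FOLDER = {r"c:\program files\internet explorer": {"iexplore.exe"}}

R_LINE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^=]+?) = (?P<url>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_LNK = re.compile(r"^O4 - (?P<where>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# First drive-letter path ending in .exe/.dll/.ocx in a command line; quotes optional.
PATH_RE = re.compile(r'"?(?P<path>[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))"?', re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reason: str


def extract_path(cmd: str):
    m = PATH_RE.search(cmd)
    return m.group("path") if m else None


def parse_log(text: str):
    """Split a HijackThis log into process paths, R-entries and O4 entries."""
    processes, r_entries, autostarts = [], [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:          # one path per line until the first blank line
            if line:
                processes.append(line)
            else:
                in_processes = False
            continue
        if m := R_LINE.match(line):
            r_entries.append((line, m.group("value").strip(), m.group("url").strip()))
        elif m := (O4_RUN.match(line) or O4_LNK.match(line)):
            autostarts.append((line, extract_path(m.group("cmd"))))
    return processes, r_entries, autostarts


def check_path(line: str, path):
    """File-based checks for one running process or autostart entry."""
    if path is None:
        return [Finding(line, "autostart entry without a resolvable path")]
    folder, _, name = path.lower().rpartition("\\")
    findings = []
    if name in INFECTED_NAMES:
        findings.append(Finding(line, f"{name} was reported infected by the CA scan"))
    expected = EXPECTED_IN_FOLDER.get(folder)
    if expected is not None and name not in expected:
        findings.append(Finding(line, f"unexpected executable {name} in {folder}"))
    return findings


def check_start_page(line: str, value: str, url: str):
    if value in ("Start Page", "Default_Page_URL") and url.lower() == "about:blank":
        return [Finding(line, "start page reset to about:blank (hijack symptom)")]
    return []


def triage(text: str):
    """Return every Finding for the log text, in log order."""
    processes, r_entries, autostarts = parse_log(text)
    findings = []
    for p in processes:
        findings.extend(check_path(p, p))
    for line, value, url in r_entries:
        findings.extend(check_start_page(line, value, url))
    for line, path in autostarts:
        findings.extend(check_path(line, path))
    return findings


# Constructed sample in HijackThis format: clean entries taken from the log
# above plus the infected files the CA scan listed, so every check fires.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\keqeek32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\cqqa.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):      # five findings for the sample above
        print(f"{f.reason}\n    {f.line}")
```

A hit on one of these checks is a reason to look closer, not proof of infection on its own; the helpers here still confirmed each file with a scanner before asking for it to be deleted.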
oedearl
Jane,

After following your most recent set of instructions, I was able to reinstall McAfee VirusScan with no problems.

I just ran it, and it found a few infected files, which were deleted:

BackDoor-AXJ.dll

BackDoor-AXJ

BackDoor-AML

Now that everything is up and running, should I remove any of the programs I have recently installed (HijackThis, Trojan Remover, CW Shredder, Spyware Guard, Spyware Blaster, Ad-Aware)? I have heard that running multiple protection programs can cause problems (although that sounds like something that AV companies might say to keep you using their product exclusively).

Thanks.
CalamityJane
Great news that the McAfee is working again (be sure you get the latest updates too). It is a very good product but this particular nasty must have disabled it or prevented it from functioning properly.

As for uninstalling stuff we just added, Nope - those programs should not interfere with each other. The only one that runs resident (meaning it is running when you start up Windows) is SpywareGuard - and that is a different function than your McAfee is doing.

These 3 you should definitely keep and use (and they update often too, so check for updates periodically) ---->Spyware Guard, Spyware Blaster, Ad-Aware. You should always update Ad-Aware before scanning and do that about weekly to make sure you are clean of spyware. The others were diagnostic tools for helping you now and you can get rid of them when we are done if you want (but not yet). You can always download fresh copies of them should you be asked to run them and post for a problem.

Both SpywareGuard and SpywareBlaster need to be updated regularly, but they are prevention type programs. They don't scan - they just keep the most common spyware from installing in the first place.

Whew - I've not fully checked your log yet, but I will and I'll be back with a response on that (may be tomorrow - I'm incredibly tired for today). On a quick glance-over it looks good, but I will check it more deeply tomorrow.

Now that your PC is clean, make sure all programs are running properly and then you'll need to reset your restore point in Windows XP.......why?

One of the best features of Windows ME or XP is the System Restore option; however, if a virus infects a computer with this operating system, the virus can be backed up in the System Restore folder. Therefore, clearing the restore points is necessary after a virus removal.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?...kb;en-us;310405

Next, we highly recommend you get some extra protection to prevent future infections. Here are some things you can do and some free programs to help :).

How to Stop Hijackers & Spyware Infections, And other malware too!
http://forum.gladiator-antivirus.com/index...?showtopic=9857

And please be sure to visit Windows Update - get ALL the critical security updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.

http://v4.windowsupdate.microsoft.com/en/default.asp
oedearl
OK--I have been away for a while, but I have now read your last post. I reset my restore point, and I got the latest Windows updates. Would you mind taking one last look at my HijackThis log? Thanks so much for everything--I continue to be amazed at how helpful everyone here is!! :thumb:

Logfile of HijackThis v1.97.7
Scan saved at 7:35:55 PM, on 5/4/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\iPod\bin\iPodManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\McAfee.com\MPS\mscifapp.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\HistoryKill\histkill.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\HistoryKill\hkPopupKiller.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.insightbb.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Insightbb.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MPSExe] C:\Program Files\McAfee.com\MPS\mscifapp.exe /embedding
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [HistoryKill] C:\Program Files\HistoryKill\histkill.exe /startup
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: MoneySide (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/m...81/mcinsctl.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004033...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/threatinfo/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/m...,19/mcgdmgr.cab
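A small parser for the HijackThis log format posted above, added here as an example (it is not a HijackThis tool and not code from anyone in this thread): it pulls out the R0/R1 browser start-page entries and the O4 Run-key autostarts, and flags any start page whose host is not one the owner expects (about:blank, the symptom in this thread, has no host and is always flagged). The sample lines and EXPECTED_HOSTS are constructed for the example from the shape of the log in this post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.97 log format: a few lines shaped like the
# log in this thread, plus a made-up about:blank entry to exercise the check.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\\Software\\Microsoft\\Internet Explorer\\Main,Default_Page_URL = http://www.insightbb.com
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\\Program Files\\SpywareGuard\\dlprotect.dll
O4 - HKLM\\..\\Run: [MCAgentExe] c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe
O4 - HKCU\\..\\Run: [HistoryKill] C:\\Program Files\\HistoryKill\\histkill.exe /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
"""

# Hosts the owner actually configured (the ISP and OEM pages seen in the log).
EXPECTED_HOSTS = {"www.insightbb.com", "www.dell4me.com"}

# "R1 - ...", "O4 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# O4 Run-key entries: HKLM\..\Run: [Name] command line
RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def startpage_anomalies(entries, expected_hosts):
    """Return (key, value) for R0/R1 URL entries whose host is not expected.
    Only Start Page / *_URL keys are checked, so Window Title lines are ignored."""
    flagged = []
    for section, body in entries:
        if section not in ("R0", "R1") or " = " not in body:
            continue
        key, value = body.rsplit(" = ", 1)
        if not (key.endswith("Start Page") or key.endswith("_URL")):
            continue
        host = urlsplit(value).hostname  # None for about:blank or non-URL values
        if host is None or host.lower() not in expected_hosts:
            flagged.append((key, value))
    return flagged

def run_entries(entries):
    """Collect O4 Run-key autostarts as (hive, name, command) for manual review."""
    found = []
    for section, body in entries:
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            found.append((m.group("hive"), m.group("name"), m.group("cmd")))
    return found
```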
CalamityJane
Oedearl,

Your log looks good :)

How is your PC acting now?
oedearl
It's running great, thanks to all your advice

I guess we can consider this closed--I'll be sure to be back if I have any more problems!!

Thanks again!!
CalamityJane
You're welcome! It was a pleasure to be a help to you
Invision Power Board © 2001-2010 Invision Power Services, Inc.