
IE opens a second window automatically with a **** site URL in it

Discussion in 'Malware and Virus Removal Archive' started by cone, 2004/10/12.

Thread Status:
Not open for further replies.
  1. 2004/10/12
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Whenever I open Explorer it opens to my Google homepage and then another window automatically opens. In the Address line it says this "http://www.ad-w-a-r-e.com/callback_ron.php?GUID={21AE619E-3716-4A9C-B4E6-A0CB9A5A587B}&country=CA&type=" and then in the body of the window it says this "sendExternalEvent('EVENT:IEBROWSER:www.ad-w-a-r-e.com/callback_ron.php?GUID={21AE619E-3716-4A9C-B4E6-A0CB9A5A587B}&bidid=34'); " . I have run Ad-aware, Spyware Blaster and Hijack This but nothing seems to get rid of this - am I doing something wrong? After the new window has opened I get an icon on my desktop that says "superporn" and it also puts it into my startup menu - lovely eh ? I'm guessing that one of my sons (or his friends) visited one of these sites and now we have this permanently showing up on our computer. Help !
     
    cone,
    #1
  2. 2004/10/12
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello cone,

    Post the HijackThis log here, S/B version 182.2.

    Also download SpyBot http://www.windowsbbs.com/links.php Run the scan, may or may not find anything. After you get cleaned up, run SpyBot's resident processes, especially Teatimer, it will block ActiveX downloads which is probably how you got infected.

    Regards - Charles
     

  4. 2004/10/14
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    I have run Spybot 5 times now and each time it comes up with the following things. I delete them and they just show up again the next time I run it.

    DSO Exploit: Data source object exploit (Registry change, nothing done)
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1004!=W=3

    TIBS: Executable (File, nothing done)
    C:\Program Files\WebSiteViewer\124794.exe

    TIBS: Desktop link (File, nothing done)
    C:\WINDOWS\Desktop\Super ****.lnk

    TIBS: Start menu item (File, nothing done)
    C:\WINDOWS\Start Menu\Super ****.lnk

    TIBS: Program directory (Directory, nothing done)
    C:\Program Files\WebSiteViewer\

    TIBS: User settings (Registry key, nothing done)
    HKEY_USERS\.DEFAULT\Software\WebSiteViewer


    --- Spybot - Search && Destroy version: 1.3 ---
    2004-05-12 Includes\Cookies.sbi
    2004-05-12 Includes\Dialer.sbi
    2004-05-12 Includes\Hijackers.sbi
    2004-05-12 Includes\Keyloggers.sbi
    2004-05-12 Includes\LSP.sbi
    2004-05-12 Includes\Malware.sbi
    2004-05-12 Includes\Revision.sbi
    2004-05-12 Includes\Security.sbi
    2004-05-12 Includes\Spybots.sbi
    2004-05-12 Includes\Tracks.uti
    2004-05-12 Includes\Trojans.sbi


    Here is the log from Hijack This - I have version 1.98
    Logfile of HijackThis v1.98.0
    Scan saved at 11:25:36 AM, on 14/10/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL

    This problem has progressed now - before that separate page would open and then just the icons would be put on my desktop and startmenu. Now (since yesterday) it still does those two things but also launches the actual website. I really appreciate anything you can tell me on how to get rid of this.
    Also, as a note I have my internet setting as the following (in case this helps you )

    Download Signed Active X Controls - prompt
    Download Unsigned Active X Controls - disable
    Initialize and script Active X Controls not marked as safe - disable
    Run Active X Controls & Plugins - enable
     
    cone,
    #3
  5. 2004/10/14
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi cone,

    First, the Spybot DSO entries. This is an SSD "glitch" - promised to be fixed next version, safe to ignore.

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL

    This is probably the culprit, wait for one of the security experts to confirm and how to handle it.

    FYI: Browser Helper Objects are add ons to the browser. If you look under the tools menu > BHO's of SSD, this will be listed.

    Download Signed Active X Controls - prompt
    Download Unsigned Active X Controls - disable
    Initialize and script Active X Controls not marked as safe - disable
    Run Active X Controls & Plugins - enable


    I disable the last item as well - if needed I'll enable it. Needed for MS update.

    Regards - Charles
     
    Last edited: 2004/10/14
  6. 2004/10/14
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    First, download HijackThis.exe, version 1.98.2 from here. Overwrite your current copy. Scan again and place a check next to the following entries and click fix.

    O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
    O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\MSOPT.DLL

    Disable system restore and reboot.
    See the following link for more cleanup instructions.
    http://www.pestpatrol.com/pestinfo/u/unknown_downloader.asp

    Show hidden files and folders.

    Empty the contents of C:\Temp if present, as well as C:\Windows\Temp and C:\Documents and Settings\your username\Local Settings\Temp. Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all boxes and click OK. Empty the recycle bin and reboot.

    Do an online virus scan with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     
  7. 2004/10/15
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    I downloaded the new version of Hijack This - did a scan and the 02 file at first didn't show up. I deleted the second one (018) and made a copy of the log. I followed all the steps you recommended and went to the other site and followed their steps for further cleaning. Here's where it got interesting. When I was in Regedit I could find none of the files that they indicated to clean up but as I was scrolling down through the HKEY Classes Root looking for the file they indicated that webpage popped up and the **** site was once again on my desktop ! I ran Hijack This again and lo and behold the 02 file shows up. Now it is even worse, the **** site pop up thing has happened 4 times, while I've been typing this. Am I just going to have to scrap my machine and reformat the harddrive ? This is getting worse every day ! I've included the log from my last Hijack run - I really do appreciate the help.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:00:42 AM, on 15/10/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
     
    cone,
    #6
  8. 2004/10/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open msconfig, recheck everything that is unchecked and reboot. Open an IE window, get it to go to the redirected site, then open HJT and do a scan. Post the new log.
     
  9. 2004/10/15
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    I've done as you said and here's the new log. Interesting thing happening now though - I tried to open IE probably 6 or 7 times and kept getting the same error message that IE had a problem with intlmain.dll and that it would now close. Then my "restore active desktop" screen would come up. I was just about to go to my other computer to send you this log when it opened. The porno site is now again on my desktop and in my startup menu. One quick note, just before that original IE window opens I get a very small black screen in a minimized format that says " ldr ", it flashes very quickly and then it downloads this **** site and shows you a task bar that denotes the progress. There is no "X" button or any way to stop the download. I didn't mention that in my first post because I never really noticed it - it flashes in less than a second.

    Logfile of HijackThis v1.98.2
    Scan saved at 11:43:12 AM, on 15/10/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\MESSENGER PLUS! 3\MSGPLUS.EXE
    C:\WINDOWS\IELD32.EXE
    C:\WINDOWS\SYSTEM\ATLTA32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\TYPE32.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\PROGRAM FILES\MCAFEE\MCAFEE VIRUSSCAN\ALOGSERV.EXE
    C:\PROGRAM FILES\BENQ\QMUSIC2\QMAGENT.EXE
    C:\WINDOWS\SYSTEM\NCCAME.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\AVCONSOL.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\VSSTAT.EXE
    C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WEBSCANX.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\SHTMLERM.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\HJT\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: Class - {2CC46FCA-A652-510E-DBD2-9F0677C0092C} - C:\WINDOWS\SYSTEM\ATLTA32.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe "
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [Mount Safe & Sound] C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\SAFE & SOUND\FBMOUNT.EXE
    O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
    O4 - HKLM\..\Run: [QMusic] "C:\Program Files\BenQ\QMusic2\QMAgent.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [jmqqwyttgosas] C:\WINDOWS\SYSTEM\nccame.exe
    O4 - HKLM\..\Run: [AvconsoleEXE] C:\Program Files\Network Associates\McAfee VirusScan\avconsol.exe /minimize
    O4 - HKLM\..\Run: [VsStatEXE] C:\Program Files\Network Associates\McAfee VirusScan\VSSTAT.EXE
    O4 - HKLM\..\Run: [McAfeeWebScanX] C:\Program Files\Network Associates\McAfee VirusScan\WEBSCANX.EXE
    O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKLM\..\Run: [ATLTA32.EXE] C:\WINDOWS\SYSTEM\ATLTA32.EXE
    O4 - HKLM\..\Run: [SHTMLERM] C:\WINDOWS\SYSTEM\SHTMLERM.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [IELD32.EXE] C:\WINDOWS\IELD32.EXE
    O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - HKLM\..\RunServices: [McAfeeVirusScanService] C:\Program Files\McAfee\McAfee VirusScan\AVSYNMGR.EXE
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Corel Family & Friends Reminders.LNK = C:\Program Files\Corel\Print House Magic 4 Premium\cffrem.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
     
    cone,
    #8
  10. 2004/10/15
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    One more quick message here - now IE won't open at all and when I try to open anything else I get a message that my system is dangerously low on resources and that I need to shut some things down.
     
    cone,
    #9
  11. 2004/10/15
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hi cone,

    get a message that my system is dangerously low on resources and that I need to shut some things down.

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    LoadQM is the "resource" hog and has nothing to do with the malware problem; unless Dave tells you otherwise, I think you can disable it.

    You also have startup items running that need not start at boot which you can take care of afterwards.

    Regards - Charles
     
  12. 2004/10/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You may want to print this out, or save it to text where you can access it in safe mode.

    Open Ad-aware and check for updates.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R3 - Default URLSearchHook is missing
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch
    O2 - BHO: Class - {2CC46FCA-A652-510E-DBD2-9F0677C0092C} - C:\WINDOWS\SYSTEM\ATLTA32.DLL
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [jmqqwyttgosas] C:\WINDOWS\SYSTEM\nccame.exe
    O4 - HKLM\..\Run: [ATLTA32.EXE] C:\WINDOWS\SYSTEM\ATLTA32.EXE
    O4 - HKLM\..\Run: [SHTMLERM] C:\WINDOWS\SYSTEM\SHTMLERM.exe
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [IELD32.EXE] C:\WINDOWS\IELD32.EXE
    O4 - HKLM\..\RunServices: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe "
    O4 - Startup: PowerReg Scheduler V3.exe


    With system restore still disabled, go to start>run and type msconfig, hit enter. On the General tab click the advanced button. Check the box to 'enable start menu' and OK out. Restart and choose safe mode.

    You will need to show hidden files and folders.

    Open C:\Program Files and delete the folders WebSiteViewer and Messenger Plus! 3.
    Open C:\WINDOWS and delete the file IELD32.EXE
    Open C:\WINDOWS\Desktop and delete the file Super ****.lnk
    Open C:\WINDOWS\Start Menu and delete the file Super ****.lnk
    Open C:\WINDOWS\SYSTEM and delete the files nccame.exe, ATLTA32.EXE and SHTMLERM.exe

    Search the drive for and delete all instances of the following files and folder.

    SOUNDMAN.EXE
    powerreg scheduler.exe
    powerreg schedulerv2.exe
    powerregschedulerv3.exe
    powerreg
    <<<<<Program Files folder

    Open C:\Temp (if present), select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and Settings\your username\Local Settings\Temp, select all and delete.
    Open Ad-aware and run a full scan. Delete all it finds.
    Open My Computer and right click Local Disk C:, then choose disk cleanup. Check all boxes and OK.
    Uncheck the box to 'enable start menu' in msconfig and OK out. Reboot.

    All of this cleanout is going to leave the registry cluttered with invalid keys and entries. My further advice is to download RegSeeker, open the program, maximize the window and click clean the registry. When the scan is complete, verify the backup box in lower left corner is checked and click the select all button. Then right click within the search results and select delete. Now do a quick check of your installed programs for functionality. I've never had RegSeeker remove anything vital that it wasn't supposed to, but you never know. If all is well, run it again and again until it comes up clean, again checking programs between runs. Should something go wrong, click the backup button and restore last run, then rerun and exclude entries associated with whatever it broke. Click the histories button and there are choices to clean up the start menu, typed URLs, TIFs you thought were gone, stream MRU keys, etc. Use them too, and do another clean registry. It probably wouldn't even be a bad idea to reboot between cleanings. A lot of work, but it does run relatively quickly so you're not looking at hours to do this, and believe me, the computer will respond with improved performance, not to mention removing those nasties' leftover registry entries.

    Is there a reason you have not visited Windows Update, installed IE6 and all the latest service packs and security updates? I also recommend you do so. Will most likely take several visits and reboots.

    I say again, when done with everything else, scan your PC with RAV. Check the box to autoclean. If any files are infected and uncleanable, click the report button then copy and paste it here, along with a new HijackThis log.
     
  13. 2004/10/16
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Hi all. I have been trying now all day to complete the steps you have given me. I downloaded a newer version of Ad-Aware as you said. Then I ran Hijack This and deleted all those files you indicated except
    04-HKLM\..Run: (ATLTA32.exe) etc etc
    04-HKLM\..Run: (SHTMLERM) etc etc
    Those two files did not show up and yet when I do a task scheduler they show they are running. I have hidden files showing and tried to delete all the files you indicated except
    IELD32.exe in C:Windows
    ATLTA32.exe in C\Windows\System
    SHTMLERM.exe in C\Windows\System
    Those three files do not show up anywhere in those folders. I searched the drive and deleted the other files you indicated.
    I deleted all the temp files from all the folders (I do that on a regular basis - at least once a day) .
    Now comes the part that I can't do. I cannot get my system to run in Safe Mode - it starts up fine, until I get to the safe mode screen - then I have no mouse. I changed the driver on my mouse to be a microsoft one and then I get a mouse but as soon as I try to click on anything the screen freezes and I'm hooped.
    I can run Ad-Aware under a regular boot and it finds another 280 or so files to delete but as soon as I say delete them it runs through the quarantine process and then when it comes to the delete screen - it freezes.
    All the time I'm trying to do these things Internet Explorer keeps trying to open on its own and then gives me an error message that there is a problem and to click X to cancel. When I do I get the "restore my active desktop" screen and whatever I was working on is gone.
    I am seriously frustrated with this thing - as you can probably tell. I'm thinking my only recourse now is to grab whatever files I need off it and then reformat and install a new operating system. (or take it to the lake and use it as a boat anchor !) Have I come to that or do you see something wrong in what I have told you I have done so far. Again, I really appreciate all the help.
     
  14. 2004/10/17
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Maybe you should try deleting from pure dos. Boot the computer with a ME boot floppy, and do these commands at the prompt.
    smartdrv
    deltree c:\windows\ield32.exe
    deltree c:\windows\system\atlta32.exe
    deltree c:\windows\system\shtmlerm.exe
    deltree c:\windows\temp
    deltree c:\windows\tempor~1

    Type a Y that you want to delete, check for typos at this time. When done, remove floppy and reboot. The last two commands cleans out those temp folders in a way not possible in windows, and are optional.
    Bootdisk, download the file for ME OEM, double click it with a floppy in the drive and one will be created for you.
    Unless you have a compelling reason for Active Desktop, you should disable it. If you are doing it because you have a JPG file for the desktop, use IrfanView (free and is a great program) to convert to a BMP file, and you will be able to have it on the desktop without Active Desktop. It is a resource hog.
    http://www.irfanview.com/
     
  15. 2004/10/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi Guys

    This
    O1 - Hosts: 69.20.16.183 auto.search.msn.com
    O1 - Hosts: 69.20.16.183 search.netscape.com
    O1 - Hosts: 69.20.16.183 ieautosearch

    and redirects to www.ad-w-a-r-e.com are a sign of look2me

    download this tool to your desktop .
    http://downloads.subratam.org/VX2Finder9x(126).exe
    To use it: VX2Finder9x
    Run it by double clicking VX2Finder9x(126).exe
    click find VX2abetterinternet
    then up near the top right click make log copy paste that back here please
    exit notepad and VX2Finder9x also

    What version of Ad-Aware is it you have? Ad-Aware SE 1.05 with the vx2plugin should also be able to fix this.
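The O1 hosts overrides, the unnamed BHOs and the oddly named O4 Run entries quoted in this thread are exactly what a log reviewer triages by hand. As an added example (not part of the thread, and not HijackThis or VX2Finder code), this Python script applies three defender-side heuristics to a constructed subset of those log lines: hosts entries that force a search domain to a remote IP, BHOs with no name or a DLL sitting directly in the Windows directory, and Run entries whose value name mirrors the file name or looks machine-generated. The rule names, the consonant-run heuristic and the sample lines are assumptions made here.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# plus one benign loopback hosts entry for contrast.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {7B55BB05-0B4D-44fd-81A6-B136188F5DEB} - C:\WINDOWS\QUESTMOD.DLL
O2 - BHO: Class - {2CC46FCA-A652-510E-DBD2-9F0677C0092C} - C:\WINDOWS\SYSTEM\ATLTA32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [jmqqwyttgosas] C:\WINDOWS\SYSTEM\nccame.exe
O4 - HKLM\..\Run: [ATLTA32.EXE] C:\WINDOWS\SYSTEM\ATLTA32.EXE
O4 - HKLM\..\RunServices: [IELD32.EXE] C:\WINDOWS\IELD32.EXE
O4 - HKLM\..\Run: [Vshwin32EXE] C:\Program Files\Network Associates\McAfee VirusScan\VSHWIN32.EXE
"""

LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}
HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
BHO_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
RUN_RE = re.compile(r"^O4 - (\S+): \[([^\]]+)\] (.+)$")
# A DLL or EXE dropped straight into C:\WINDOWS or C:\WINDOWS\SYSTEM (no vendor folder).
WINDIR_RE = re.compile(r"^[a-z]:\\windows(\\system)?\\[^\\]+$", re.IGNORECASE)

Finding = Dict[str, str]


def longest_consonant_run(name: str) -> int:
    """Longest run of consonant letters; vowels, digits and symbols break the run."""
    best = run = 0
    for ch in name:
        if ch.isalpha() and ch.lower() not in "aeiou":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def check_hosts(line: str) -> Optional[Finding]:
    """Flag a hosts entry that points a hostname at a remote address."""
    m = HOSTS_RE.match(line)
    if not m:
        return None
    ip, host = m.groups()
    if ip in LOCAL_IPS:
        return None  # loopback / null-route entries are the normal use of a hosts file
    return {"rule": "hosts-redirect", "line": line,
            "reason": f"{host} is forced to remote address {ip}"}


def check_bho(line: str) -> Optional[Finding]:
    """Flag a BHO with no display name or whose DLL lives directly in the Windows dir."""
    m = BHO_RE.match(line)
    if not m:
        return None
    name, _clsid, dll = m.groups()
    reasons = []
    if name.strip() == "(no name)":
        reasons.append("BHO has no display name")
    if WINDIR_RE.match(dll.strip()):
        reasons.append("BHO DLL sits directly in the Windows directory, not under Program Files")
    if not reasons:
        return None
    return {"rule": "suspicious-bho", "line": line, "reason": "; ".join(reasons)}


def check_run(line: str) -> Optional[Finding]:
    """Flag Run/RunServices values named after their file or with a random-looking name."""
    m = RUN_RE.match(line)
    if not m:
        return None
    _hive, key, cmd = m.groups()
    # Basename of the launched program, ignoring quotes and trailing switches.
    program = re.split(r"\s+[/-]", cmd.strip().strip('"'))[0]
    exe = program.rstrip('"').split("\\")[-1]
    if key.lower() == exe.lower():
        return {"rule": "run-name-mirrors-file", "line": line,
                "reason": f"Run value name is just the file name {exe}"}
    if longest_consonant_run(key) >= 5:
        return {"rule": "run-random-name", "line": line,
                "reason": f"Run value name {key!r} looks machine-generated"}
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every check over every log line and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.strip().splitlines():
        for check in (check_hosts, check_bho, check_run):
            f = check(line.strip())
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['rule']}] {f['reason']}\n    {f['line']}")
```

The heuristics deliberately leave LoadQM, SysTray and the McAfee entries alone, matching the thread's advice that those are resource or vendor items rather than the infection.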
     
  16. 2004/10/18
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    I have tried running the computer from a boot disk and no where does it enable me to type smartdrv so I can't run those deltree commands from there. I can run them from DOS but of course it says there is no ield32.exe, atlta32.exe or shtmlerm.exe so it can't delete them ! My version of Ad Aware is the latest SE 1.8 and when I try to download newer versions it tells me there isn't any. I have the VX2 add-on and I run it and it says it's clean. Then when I run the Ad Aware it comes up with about 200 files to be deleted but it goes through the quarantine fine and then when it comes to actually deleting them Ad Aware freezes and doesn't delete them. I cannot get my computer to run in safe mode so I can try running Ad aware from there. Every time I try to run in safemode it gets to the help screen and then the mouse freezes. I am seriously frustrated with this hunk of metal and have taken up swearing as a pastime ! Do you have any ideas on why I can't run in safemode so I could at least try the ad aware from there or any ideas on why ad aware won't delete these viruses and freezes up ? I do appreciate the help.
     
  17. 2004/10/18
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Hello Lonny. Here's the log from the VX2 Finder that you told me to download.

    Files Found---


    User Agent String---
    {21AE619E-3716-4A9C-B4E6-A0CB9A5A587B}

    Hope that helps explain something !
     
  18. 2004/10/18
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  19. 2004/10/30
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Sorry I've taken so long to get back to you - I was away. I used the program you indicated and got the exact same log as I posted earlier. I have to say I'm at my wits end here. I run Hijack This and get the very same files that I deleted before (the ones you guys told me to delete) They just keep coming back every time I start the computer up. I run Spybot Search and Destroy and again get the same ones that showed up before that I had already deleted. AdAware will bring a list of spyware to delete but freezes every single time when it comes to the delete phase. I have tried deleting just some at a time but that doesn't work. I can't run Adaware in Safe Mode as suggested because I cannot get my computer to run in safe mode. Am I at the point where I need to reformat this harddrive and reinstall everything ? I don't want to do that but I am extremely frustrated about this and just want to get it solved. Thanks again for your help and advice - I'll await your recommendations !
     
  20. 2004/10/30
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi
    Afraid there's no such animal
    What version of ad-aware is it you have again?
    if it's not SE 1.05 go get and install it, and the last update was 10/28/2004, then install the vx2plugin
    found here
    http://www.lavasoft.de/software/addons/vx2cleaner.shtml
    run it as described on that page from inside ad-aware

    Also I see from your spybot log you never checked for updates. You should.

    After that and a reboot please post a new hijackthis log.
     
  21. 2004/11/04
    cone

    cone Inactive Thread Starter

    Joined:
    2002/01/26
    Messages:
    61
    Likes Received:
    0
    Okay, I've installed the latest version of Ad-Aware and the latest version of Spybot. I ran them both. One note here, whenever I run Ad-Aware immediately a notice pops up that "Explorer has caused an error in Unknown ". If I run a smart system scan in Ad-Aware I can delete anything it finds. But if I run the Full system scan (which finds another 200 + items) I cannot delete them. It runs through the quarantine and then freezes on the delete. I've tried it probably 20 times. Also, I keep getting a window now popping up that says " Winoldap has caused an error in IPHLPAPI.DLL" Below, as you requested is the log from HijackThis.

    Logfile of HijackThis v1.98.2
    Scan saved at 9:16:51 AM, on 04/11/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\HJT\HIJACKTHIS.EXE

    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab


    Thanks again !
     