
iexplore.exe [Always running]

Discussion in 'Malware and Virus Removal Archive' started by davyh1, 2005/01/12.

  1. 2005/01/12
    davyh1 (Inactive, Thread Starter)
    I was trying to remove my internet files using Internet Cleanup as usual. Now an error appears saying that one or more browsers are running on my system, please shut these down. In Task Manager, under Processes, I tried to close iexplore.exe but it automatically reappears every time. Seems to be a virus. I searched my PC with eTrust Antivirus, with HouseCall antivirus online, with Spybot and Ad-Aware, but nothing seems to help. I searched in Google and it is possibly a virus; other users have had this problem also. Can anyone help me get rid of this? Thanks
     
  2. 2005/01/12
    Arie (Administrator, Staff)
    Please follow Posting Rules (#3 - Meaningful Subject) when posting.
     
    Arie,


  4. 2005/01/12
    charlesvar (Inactive, Alumni)
    Hello davyh1,

    Download and install HijackThis:

    Download from here: http://radiosplace.com/ (latest version 1.99)

    Download it to its own folder, for example C:\HijackThis. Unzip it (double click on the zipped folder), click on the executable, click the Scan button, then click Save Log and save to the folder you just created. *DO NOT FIX ANYTHING*. Copy the resulting .txt file and paste it into your next post.

    Regards - Charles
     
  5. 2005/01/12
    davyh1 (Inactive, Thread Starter)
    logfile

    Logfile of HijackThis v1.99.0
    Scan saved at 23:18:23, on 12/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Win Comm\WinComm.exe
    C:\Program Files\Windows ServeAd\WinServAd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows ServeAd\WinServSuit.exe
    C:\Program Files\Win Comm\WinLock.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\smss32.exe
    C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\x\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wvqdzoghzyxxbnflbfxfydx.com/pEMUJzuY4DpHb1X_LJ/6t5TcJgJn7GD_knSO2W4gAUw.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://gtbiaxamdviwzzpovh.us/pEMUJzuY4DpHb1X_LJ/6t39VWuasxGEfknSO2W4gAUw.jpg "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\system32\winhot32.dll (file missing)
    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SearchRelevancy\SearchRelevancy1.dll
    O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
    O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A22F25ED-67D5-AF05-3CA4-EAB7F2BBD184} - C:\PROGRA~1\OWNSST~1\Load Bat.exe (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf1.dll
    O2 - BHO: (no name) - {F9ECD04B-FA0B-AB5D-6A9D-F151366E4948} - C:\DOCUME~1\kelleke\APPLIC~1\OwnsStartIdol\Load Bat.exe
    O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NewDotNet\newdotnet6_38.dll,NewDotNetStartup -s
    O4 - HKLM\..\Run: [atov] C:\WINDOWS\atov.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\version.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O4 - HKLM\..\Run: [Bone Mp3 Mfcd Bat] C:\Documents and Settings\All Users\Application Data\Rdr once bone mp3\FirstAudio.exe
    O4 - HKCU\..\Run: [BowsFlaw] C:\DOCUME~1\x\APPLIC~1\Frag book sixth\Openbags.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\system32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c3.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  6. 2005/01/12
    charlesvar (Inactive, Alumni)
    davyh1, when I gave you those directions, this is what I meant:
    Bring up the drive and create a new folder. Label it anything you want that's meaningful, put the HijackThis zipped folder into that, and then unzip it and go through the procedure to scan and save.

    C:\DOCUME~1\x\LOCALS~1\Temp\Rar$EX00.375\HijackThis.exe

    HijackThis won't work correctly in a Temp folder.

    Regards - Charles
     
  7. 2005/01/12
    davyh1 (Inactive, Thread Starter)
    Sorry, hope it is right now.

    Logfile of HijackThis v1.99.0
    Scan saved at 0:06:59, on 13/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Win Comm\WinComm.exe
    C:\Program Files\Windows ServeAd\WinServAd.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Windows ServeAd\WinServSuit.exe
    C:\Program Files\Win Comm\WinLock.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\smss32.exe
    C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.popupsearches.com/sidesearch.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://inxygscbwmok.com/pEMUJzuY4DrE5fAh5dEUIv/kdiYcnXLD5IQVriLtw8R5PtLaZqty6_fQxCpCgMKH.jsp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.popupsearches.com/sidesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wvqdzoghzyxxbnflbfxfydx.com/pEMUJzuY4DpHb1X_LJ/6t5TcJgJn7GD_knSO2W4gAUw.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://gtbiaxamdviwzzpovh.us/pEMUJzuY4DpHb1X_LJ/6t39VWuasxGEfknSO2W4gAUw.jpg "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: ohb - {086CEFD5-A88D-4981-8915-D51F04360ED1} - C:\WINDOWS\system32\winhot32.dll (file missing)
    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SearchRelevancy\SearchRelevancy1.dll
    O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
    O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet6_38.dll
    O2 - BHO: MEGASEAR - {4E7BD74F-2B8D-469E-C0FF-FA7FB592BF30} - C:\WINDOWS\DOWNLO~1\megasear.dll
    O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A22F25ED-67D5-AF05-3CA4-EAB7F2BBD184} - C:\PROGRA~1\OWNSST~1\Load Bat.exe (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf1.dll
    O2 - BHO: (no name) - {F9ECD04B-FA0B-AB5D-6A9D-F151366E4948} - C:\DOCUME~1\kelleke\APPLIC~1\OwnsStartIdol\Load Bat.exe
    O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NewDotNet\newdotnet6_38.dll,NewDotNetStartup -s
    O4 - HKLM\..\Run: [atov] C:\WINDOWS\atov.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\version.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O4 - HKLM\..\Run: [Bone Mp3 Mfcd Bat] C:\Documents and Settings\All Users\Application Data\Rdr once bone mp3\FirstAudio.exe
    O4 - HKCU\..\Run: [BowsFlaw] C:\DOCUME~1\x\APPLIC~1\Frag book sixth\Openbags.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\system32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/CDTInc/ie/bridge-c3.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  8. 2005/01/15
    Lonny Jones (Inactive, Alumni)
    Hello, sorry about the delay.

    Run HijackThis and have it fix just this for now:
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/C...e/bridge-c3.cab
    =============
    Install SpywareBlaster (By JavaCool): http://www.javacoolsoftware.com/spywareblaster.html
    to keep that from happening again.

    While offline, in Add/Remove Programs look for and uninstall New.Net, Newdotnet (Domains), WebHancer.
    If it will not work or if you can't find it there, go here and follow procedure number 4:
    http://www.newdotnet.com/#remove

    Restart the PC
    Delete the newdotnet folder in Program Files

    Run both Ad-Aware se.1.5 and Spybot 1.3 while in safe mode, one at a time, and
    fix anything they find.

    restart back to a normal windows session


    Post a new Hijackthis log
     
  9. 2005/01/16
    davyh1 (Inactive, Thread Starter)
    hijackthis log

    Did everything you told me, only the Ad-Aware and Spybot scans I did in a normal Windows session, because when I tried in safe mode, when I clicked on my account, it crashed.
    Logfile of HijackThis v1.99.0
    Scan saved at 17:48:55, on 16/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\system32\altsvc.exe
    C:\WINDOWS\system32\service.exe
    C:\WINDOWS\system32\lssas.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Win Comm\WinComm.exe
    C:\Program Files\Windows ServeAd\WinServAd.exe
    C:\Program Files\Win Comm\WinLock.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Windows ServeAd\WinServSuit.exe
    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\system32\version.exe
    C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\WINDOWS\switpa.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rhwmvjboxvidxzztoteiusit...kdiYcnXLD5IQVriLtw8TGDv/eDlTZyOfQxCpCgMKH.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wvqdzoghzyxxbnflbfxfydx.com/pEMUJzuY4DpHb1X_LJ/6t5TcJgJn7GD_knSO2W4gAUw.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://gtbiaxamdviwzzpovh.us/pEMUJzuY4DpHb1X_LJ/6t39VWuasxGEfknSO2W4gAUw.jpg "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SearchRelevancy\SearchRelevancy1.dll
    O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
    O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {A22F25ED-67D5-AF05-3CA4-EAB7F2BBD184} - blank (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O2 - BHO: (no name) - {F9ECD04B-FA0B-AB5D-6A9D-F151366E4948} - C:\DOCUME~1\kelleke\APPLIC~1\OwnsStartIdol\Load Bat.exe
    O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\version.exe
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O4 - HKLM\..\Run: [Bone Mp3 Mfcd Bat] C:\Documents and Settings\All Users\Application Data\Rdr once bone mp3\FirstAudio.exe
    O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
    O4 - HKCU\..\Run: [BowsFlaw] C:\DOCUME~1\x\APPLIC~1\Frag book sixth\Openbags.exe
    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\system32\toolbar.dll/SEARCH.HTML
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://advnt01.com/dialer/belgio_ver3.CAB
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: Netbios Helper Service - Unknown - C:\WINDOWS\system32\altsvc.exe
    O23 - Service: Network DDE Connections - Unknown - C:\WINDOWS\system32\service.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  10. 2005/01/16
    Lonny Jones (Inactive, Alumni)
    Hello

    Set Windows to show hidden extensions, files and folders.
    >click here for instructions<.

    Run HijackThis, hit "Config" then "Misc Tools" > "Open process manager".
    Select each of these in turn and Kill Process:
    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\system32\version.exe
    C:\WINDOWS\switpa.exe

    Hit refresh and see if they came back; whether or not they have, move on to the next steps.
    Hit >back< then Scan and place a check next to these. Close all browsers and programs that show in the taskbar, including this window and any open folders.

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.rhwmvjboxvidxzztoteiusit...OfQxCpCgMKH.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?ap...ODQ6NTo5&Terms=
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wvqdzoghzyxxbnflbfxfydx....nSO2W4gAUw.html
    O2 - BHO: LocalNRDObj Class - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\localNRD.dll (file missing)
    O2 - BHO: Search Relevancy - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SearchRelevancy\SearchRelevancy1.dll
    O2 - BHO: ohb - {285B5CCD-C3F0-4EB6-9632-7D0A3C3AF824} - C:\WINDOWS\system32\hsrb.dll
    O2 - BHO: InstaFinder - {4E7BD74F-2B8D-469E-DCF7-F96DA086B434} - C:\WINDOWS\DOWNLO~1\instafin.dll
    O2 - BHO: (no name) - {A22F25ED-67D5-AF05-3CA4-EAB7F2BBD184} - blank (file missing)
    O2 - BHO: ohb - {CB5B2BC6-F957-4D8A-BE67-83F3EC58BA01} - C:\WINDOWS\system32\dsktrf.dll
    O2 - BHO: (no name) - {F9ECD04B-FA0B-AB5D-6A9D-F151366E4948} - C:\DOCUME~1\kelleke\APPLIC~1\OwnsStartIdol\Load Bat.exe
    O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
    O4 - HKLM\..\Run: [version] C:\WINDOWS\system32\version.exe
    O4 - HKLM\..\Run: [Bone Mp3 Mfcd Bat] C:\Documents and Settings\All Users\Application Data\Rdr once bone mp3\FirstAudio.exe
    O4 - HKLM\..\Run: [switp] C:\WINDOWS\switpa.exe
    O4 - HKCU\..\Run: [BowsFlaw] C:\DOCUME~1\x\APPLIC~1\Frag book sixth\Openbags.exe

    O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\system32\toolbar.dll/SEARCH.HTML
    O16 - DPF: {970BF476-3CF2-4572-9EF9-4479E1591DB8} (VacPro.belgio_ver3) - http://advnt01.com/dialer/belgio_ver3.CAB

    O23 - Service: Netbios Helper Service - Unknown - C:\WINDOWS\system32\altsvc.exe
    O23 - Service: Network DDE Connections - Unknown - C:\WINDOWS\system32\service.exe
    ===========================
    and hit Fix checked. When it fixes those rogue services (O23s), say no to the prompt to reboot the PC.

    Exit Hijackthis

    Restart the PC into safe mode, Administrator account this time.
    Find and delete (ONLY THESE EXACT) files and folders (if present):
    C:\WINDOWS\system32\altsvc.exe
    C:\WINDOWS\system32\service.exe (NOT services.exe note the additional s)
    C:\DOCUMENTS AND SETTINGS\kelleke\APPLIC~1\OwnsStartIdol
    C:\WINDOWS\system32\smss32.exe
    C:\WINDOWS\system32\version.exe
    C:\Documents and Settings\All Users\Application Data\Rdr once bone mp3
    C:\WINDOWS\switpa.exe
    C:\DOCUMENTS AND SETTINGS\x\APPLICATION DATA\Frag book sixth
    C:\PROGRAM FILES\SearchRelevancy
    C:\Program Files\Windows ServeAd
    C:\Program Files\Win Comm

    ===============================================
    Run Ad-Aware then Spybot; fix all that they find.

    Restart the PC back to a normal windows session

    Run Hijackthis and have it fix these
    O4 - HKLM\..\Run: [Win Comm] C:\Program Files\Win Comm\WinComm.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe

    Important
    Delete the contents of all your temp folders, as in: open C:\ then >
    C:\documents and settings\(all your pc users)\local settings\temp
    Note: Some systems have Temporary Internet Files, Application Data and History in that temp; if so, leave them and delete all other folders and files inside that temp.
    Delete the contents of the C:\windows\temp folder
    C:\WINDOWS\Prefetch < delete the contents
    C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temp <delete the contents
    =======================
    Clear Internet Explorer's cache
    1. In Control Panel, open Internet Options.
    2. Click the General tab, and then under Temporary Internet files, click Delete Files.
    3. In the Delete Files dialog box, click to select the Delete all offline content check box.
    4. Wait for the hourglass to disappear.
    5. Click OK.

    Empty the Windows Recycle Bin

    Post a new log and mention any problems you have noticed please.
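    As an added illustration (not code from the thread or from HijackThis), the Python script below automates the triage Lonny applied to the 2005/01/16 log: it parses a HijackThis v1.99 log and flags running processes under the Windows directory whose names are near-misses of core Windows process names (lssas.exe, service.exe, smss32.exe), O23 services whose company is reported as Unknown, and O4 autostart entries launched from a user-profile or Application Data folder. The embedded log excerpt is constructed from the thread's log, and the core-process list, the Windows-directory check and the edit-distance threshold are assumptions of this example.

```python
"""Triage a HijackThis v1.99 log for the indicators this thread acted on.
Added example, not from the thread or from HijackThis; the core-process list,
the Windows-directory check and the distance threshold are assumptions."""
import re

# Core Windows XP process names that look-alike malware imitates: the thread's
# log shows lssas.exe, service.exe and smss32.exe running next to the real ones.
CORE_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "wuauclt.exe",
}
# Constructed excerpt modelled on the 2005/01/16 log above, not the full log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\altsvc.exe
C:\WINDOWS\system32\service.exe
C:\WINDOWS\system32\lssas.exe
C:\WINDOWS\system32\smss32.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
C:\Program Files\Internet Explorer\iexplore.exe

O4 - HKLM\..\Run: [UsbD] C:\WINDOWS\system32\smss32.exe
O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
O4 - HKLM\..\Run: [Bone Mp3 Mfcd Bat] C:\Documents and Settings\All Users\Application Data\Rdr once bone mp3\FirstAudio.exe
O4 - HKCU\..\Run: [BowsFlaw] C:\DOCUME~1\x\APPLIC~1\Frag book sixth\Openbags.exe
O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
O23 - Service: Netbios Helper Service - Unknown - C:\WINDOWS\system32\altsvc.exe
O23 - Service: Network DDE Connections - Unknown - C:\WINDOWS\system32\service.exe
"""
# Path fragments the O4 check treats as user-profile locations (assumption).
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\",
                "\\application data\\", "\\applic~1\\", "\\temp\\")


def edit_distance(a, b):
    """Levenshtein distance: 'lssas.exe' vs 'lsass.exe' is 2, 'smss32.exe' vs 'smss.exe' is 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_log(text):
    """Split a log into its running-process paths and its (code, detail) entries."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False        # a blank line closes the process section
        elif in_procs:
            processes.append(line)
        else:
            m = re.match(r"([RNOF]\d{1,2}) - (.*)", line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries


def lookalike_processes(processes, max_distance=2):
    """Processes under the Windows directory whose name is near, but not equal to,
    a core process name; returns (path, imitated core name) pairs."""
    hits = []
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in CORE_PROCESSES or not re.match(r"[a-z]:\\windows\\", path.lower()):
            continue
        legit = min(sorted(CORE_PROCESSES), key=lambda core: edit_distance(name, core))
        if edit_distance(name, legit) <= max_distance:
            hits.append((path, legit))
    return hits


def unknown_services(entries):
    """O23 services whose company HijackThis reports as Unknown."""
    hits = []
    for code, detail in entries:
        m = re.match(r"Service: (.+?) - (.+?) - (.+)", detail) if code == "O23" else None
        if m and m.group(2) == "Unknown":
            hits.append((m.group(1), m.group(3)))
    return hits


def profile_run_entries(entries):
    """O4 autostart entries whose target lives in a user profile or Application Data."""
    hits = []
    for code, detail in entries:
        m = re.match(r"HK\w+\\\.\.\\Run: \[(.+?)\] (.+)", detail) if code == "O4" else None
        if m and any(d in m.group(2).lower() for d in PROFILE_DIRS):
            hits.append((m.group(1), m.group(2)))
    return hits


def triage(text):
    """Run all three checks and return the findings keyed by check name."""
    processes, entries = parse_log(text)
    return {"lookalike_processes": lookalike_processes(processes),
            "unknown_services": unknown_services(entries),
            "profile_run_entries": profile_run_entries(entries)}
```

    Calling triage(SAMPLE_LOG) returns the three lookalikes, the two Unknown services and the two profile-launched Run entries from the excerpt; paste a full log into the same function to triage it.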
     
  11. 2005/01/16
    davyh1 (Inactive, Thread Starter)
    hijackthis log

    I did everything you wrote, only one problem: it is not possible to start Windows in safe mode. When I select the Administrator account the PC crashes and restarts. Tried safe mode with Administrator, my account and my gf's account, but none of them works. I also had to reactivate Windows again after restarting after the HijackThis fix.

    Logfile of HijackThis v1.99.0
    Scan saved at 21:56:27, on 16/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vhmeziifunhrpxqamffdigw....kdiYcnXLD5IQVriLtw8QSfno7z8ptQOfQxCpCgMKH.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://gtbiaxamdviwzzpovh.us/pEMUJzuY4DpHb1X_LJ/6t39VWuasxGEfknSO2W4gAUw.jpg "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  12. 2005/01/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    Hi

    With all browsers closed, fix these with HijackThis:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vhmeziifunhrpxqamffdigw....OfQxCpCgMKH.htm
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://gtbiaxamdviwzzpovh.us/pEMUJzuY4DpHb1X_LJ/6t39VWuasxGEfknSO2W4gAUw.jpg "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    ==============

    Are there any problems other than with safe mode?
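    As an added example that is not part of this thread, here is a small Python triage script for the HijackThis log format posted above. It flags URL-bearing entries (R0/R1/N3/O14/O16) whose host is not on an expected-host allowlist, hook entries that point at "(no file)", and a browser start page set to an image file, which is what gave the hijack away in this log. The allowlist, the vowel-ratio heuristic and the sample lines are constructed assumptions, not anything HijackThis itself does.

```python
import re

# Constructed allowlist for this thread's log: the ISP portal and proxy, the
# browser vendor's default start page and the scanner sites the helpers linked.
EXPECTED_HOSTS = {"www.telenet.be", "pac.telenet.be", "home.netscape.com",
                  "www.pcpitstop.com", "housecall.trendmicro.com", "www.bitdefender.com"}
URL_SECTIONS = {"R0", "R1", "N3", "O14", "O16"}         # entries that carry a URL
FILE_SECTIONS = {"R3", "O2", "O4", "O9", "O18", "O23"}  # entries that carry a path
LINE_RE = re.compile(r"^\s*([RNO]\d{1,2}) - (.*)$")
URL_RE = re.compile(r'https?://([^/\s"]+)', re.IGNORECASE)
IMAGE_RE = re.compile(r'\.(jpe?g|gif|png)\s*"', re.IGNORECASE)

def host_looks_random(host):
    """Heuristic (assumption): a long label with few vowels, like gtbiaxamdviwzzpovh."""
    labels = host.lower().split(".")
    label = labels[1] if labels[0] == "www" and len(labels) > 2 else labels[0]
    if len(label) < 12:
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.3

def triage_hjt_log(text):
    """Return (section, reason, line) for every HijackThis entry worth a look."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, process list or blank line
        section, body = m.group(1), m.group(2)
        if section in URL_SECTIONS:
            for host in URL_RE.findall(body):
                if host.lower() not in EXPECTED_HOSTS:
                    reason = "URL host not on expected list"
                    if host_looks_random(host):
                        reason += " (random-looking hostname)"
                    findings.append((section, reason, raw.strip()))
            # A start page that is an image file is a classic hijack marker.
            if "homepage" in body.lower() and IMAGE_RE.search(body):
                findings.append((section, "homepage points at an image file", raw.strip()))
        elif section in FILE_SECTIONS and "(no file)" in body:
            findings.append((section, "entry points at a missing file", raw.strip()))
    return findings

# Constructed sample: six entries taken from the logs posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vhmeziifunhrpxqamffdigw....kdiYcnXLD5IQVriLtw8QSfno7z8ptQOfQxCpCgMKH.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://gtbiaxamdviwzzpovh.us/pEMUJzuY4DpHb1X_LJ/6t39VWuasxGEfknSO2W4gAUw.jpg"); (prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
"""

if __name__ == "__main__":
    print(*triage_hjt_log(SAMPLE_LOG), sep="\n")
```

    Run against the sample it reports the three entries Lonny Jones singled out and nothing else; the Spybot BHO and the ISP/vendor URLs pass.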
     
  13. 2005/01/17
    davyh1

    davyh1 Inactive Thread Starter

    Joined:
    2005/01/03
    Messages:
    27
    Likes Received:
    0
    hijack report

    Here is my new log file

    And no, only when I want to start in safe mode does my PC crash; normal Windows sessions go properly.

    Logfile of HijackThis v1.99.0
    Scan saved at 12:53:04, on 17/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://home.netscape.com/ "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  14. 2005/01/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    That looks fine :)

    Clear all your temps again as we did before, empty the Recycle Bin and
    purge the old System Restore points to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files (you will lose all previous restore points, which are likely to be infected):

    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Then reboot. < Don't skip that step.
    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.

    Now go get several second opinions. eTrust is great, but don't depend on any one antivirus program; go get preferably two free online scans.

    Trend Micro-Free online Scan: http://housecall.trendmicro.com/
    Check all boxes except [ ]auto clean !!, scan, and if it cannot clean tell it to delete found files !!

    BitDefender AntiVirus Free Scan: check all boxes except [ ]auto clean !!,
    then have it delete the file if it cannot clean/repair/cure it;
    turn off any PopupBlockers before accessing the site:
    http://www.bitdefender.com/scan/licence.php

    If there are any problems, copy their reports back here please.

    Regards
     
  15. 2005/01/17
    davyh1

    davyh1 Inactive Thread Starter

    Joined:
    2005/01/03
    Messages:
    27
    Likes Received:
    0
    report

    I cleaned my temp folders, but one item I couldn't remove: ZLT041fb.TMP

    I scanned my PC using the two online scans you gave me; I removed everything they found.

    Here is a new hijack log:

    Logfile of HijackThis v1.99.0
    Scan saved at 17:39:13, on 17/01/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\hijackthis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.telenet.be
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer aangeboden door Telenet Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://pac.telenet.be
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = pac.telenet.be:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
    N3 - Netscape 7: user_pref( "browser.startup.homepage ", "http://home.netscape.com/ "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    N3 - Netscape 7: user_pref( "browser.search.defaultengine ", "engine://C%3A%5CPROGRA%7E1%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src "); (C:\Documents and Settings\x\Application Data\Mozilla\Profiles\default\crj4cm5v.slt\prefs.js)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [VetTray] C:\PROGRA~1\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetTray.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe "
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.telenet.be
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O23 - Service: CA ISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\isafe.exe
    O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
    O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  16. 2005/01/17
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
  17. 2005/01/17
    davyh1

    davyh1 Inactive Thread Starter

    Joined:
    2005/01/03
    Messages:
    27
    Likes Received:
    0
    final report (i hope)

    Did the Java update; guess my PC is back up to date now and virus-free. Hope to keep it that way. Regret that nowadays you spend 50% of your time on the computer busy keeping your PC virus- and spyware-free.

    But I didn't say thanks yet. You helped me out a lot. Everything is OK now, and no iexplore there if I close all browsers.

    Thank you very much.
    Maybe till next time (hope not too fast though). Bye and thanks again.
     