Seems that you still may be infected Try clicking Start-> Run -> cmd Now in the black command prompt box, type ping www.google.com What are the stats at the bottom, eg x send, x receive, x lost Now do it to ping 66.102.7.99 and see the same. Also after you have done that, re-post your hijackthis log (fresh one) CJC
Hi CJC Below is hijackthis.log file. I cannot manage to delete R0 line, it stays there. I did what you said about "ping", I got the same statistics for both www.google.com and 66.102.7.99 packets sent=4, received=0, lost=4 approx round trip times max, min and average =0 ms. many thanks for your help Logfile of HijackThis v1.99.1 Scan saved at 18:16:08, on 21/05/2005 Platform: Windows 2000 SP4 (WinNT 5.00.2195) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\spoolsv.exe C:\PROGRA~1\Navnt\defwatch.exe C:\WINNT\System32\svchost.exe C:\WINNT\system32\cba\pds.exe C:\PROGRA~1\Navnt\rtvscan.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\WINNT\system32\cba\xfr.exe C:\WINNT\system32\MsgSys.EXE C:\WINNT\System32\svchost.exe C:\WINNT\Explorer.EXE C:\PROGRA~1\Navnt\vpexrt.exe C:\PROGRA~1\Navnt\vptray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE C:\WINNT\system32\internat.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.jimbutt.com/stuffs/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [hpfsched] C:\WINNT\hpfsched.exe O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Navnt\defwatch.exe O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe O23 - Service: Intel File Transfer - Intel Corporation - C:\WINNT\system32\cba\xfr.exe O23 - Service: Intel PDS - Intel Corporation - C:\WINNT\system32\cba\pds.exe O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Navnt\rtvscan.exe
Hi CJC Below is hijackthis.log file. I cannot manage to delete R0 line, it stays there. I did what you said about "ping", I got the same statistics for both www.google.com and 66.102.7.99 packets sent=4, received=0, lost=4 approx round trip times max, min and average =0 ms. many thanks for your help
One more thing, I keep getting #317 Windows Security Warning, Your windows corrupted with spyware virus. You must patch your system with private info is accessed by ports 8080 3128 You should download AntiSPY software. ok or cancel. I keep cancelling it since it must be part of the virus.
Hey Have a read of this thread, and do what this says. http://www.bleepingcomputer.com/for...wwjimbuttcom_and_wwwhotoffersinfo-t15126.html See how that goes. CJC
Hi CJC, Thanks for the web site you suggested, I managed to kill it! But I am having problems with openning up some web site in internet explorer. I cannot open, google, yahoo, BBC etc. I can open my university web page when I make it my home page. And I can navigate there. Also when it boots it asks for a password. I say ok and then it moves on. I suspect I tried to change so many settings, now I cannot remember what I did. And I cannot seem to reverse it. Do you think this problem is still virus related or I really messed up my settings/configurations? many thanks for your help.
Hi CJC I had deleted but may be I should put this line back in? R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www.york.ac.uk/proxy.config what do you think? If so, how can I put a line in the registry? thanks kumru
CJC hoping you can help me out. i read this entire thread, and have made SOME success cleaning my system, but i still have a couple bugs. thus far, i have dl'd ccleaner, spysweeper, spybot, adaware, hijackthis and AVG. these have managed to remove almost all of my problems, but i still seem to have some sort of spyware that i cannot get rid of.....perhaps in my registry? can you check this log and advise? i appreciate any and all help. i think the main culprit is a spyware that reads "aroura" in the popup window.....keeps hitting me w/ trojans. Logfile of HijackThis v1.99.1 Scan saved at 10:17:57 PM, on 05/23/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Dell\AccessDirect\dadapp.exe C:\Program Files\Dell\QuickSet\quickset.exe C:\WINDOWS\system32\dla\tfswctrl.exe C:\WINDOWS\System32\DSentry.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Dell\AccessDirect\DadTray.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe C:\Program Files\Common Files\Dell\EUSW\Support.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe C:\Program Files\HP\hpcoretech\hpcmpmgr.exe C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe C:\Fipsco Life Portraits\AHL\B2BMC-Starter.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe C:\Program Files\EarthLink TotalAccess\TaskPanl.exe C:\Fipsco Life Portraits\AHL\AHLWebServer.exe C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\Program Files\EarthLink TotalAccess\FastLane\IPClient.exe C:\Program Files\EarthLink TotalAccess\Accelerator\ElinkAcc.exe C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe C:\Documents and Settings\Glen Grossi\My Documents\HijackThis.exe C:\Program Files\Messenger\msmsgs.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://81.222.131.49/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nascar.com R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://81.222.131.49/index.php R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080 R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file) O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: EarthLink Popup Blocker - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" O4 - HKLM\..\Run: [B2BMC_STARTER] "C:\Fipsco Life Portraits\AHL\B2BMC-Starter.exe" CLT=AHL O4 - HKLM\..\Run: [kkgyabh] c:\windows\system32\wtmzgow.exe O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe" O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-page.html O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\EarthLink TotalAccess\Accelerator\\pac-image.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll O16 - DPF: {297AEB8E-D78B-427A-BBC2-E6496017D290} (AHLDSync.ctlDataSync) - https://allapp.ahlcorp.com/DataSync/Control/AHLDSync.cab O16 - DPF: {61093F1C-B4E6-4CC4-AC44-8EE32A22DD86} (FipFiller Class) - http://localhost:1217/Forms/Control/AHLNetCl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1103409347681 O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {E5238271-D692-408F-A625-275DF49EE4E3} (AHLInfoUpdate.Login) - https://allapp.ahlcorp.com/InfoUpdate/Control/AHLInfoUpdate.CAB O16 - DPF: {E6545011-41C1-41E8-A553-2457571D1BBC} (TimeDlgBox Class) - http://localhost:1217/Sessionctl/control/SessionCtl.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{EB0A72BB-9E42-4FCC-9D03-B9A216574736}: NameServer = 207.69.188.187 207.69.188.186 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Hi CJC, mines too infected with bloodhound.exploit 6. can you please help me to see if i hv anything to remove.thks. u seemed liked a very nice gentleman who put so much time in helping others. Logfile of HijackThis v1.99.1 Scan saved at 11:55:54 PM, on 5/31/05 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\System32\Ati2evxx.exe C:\WINDOWS\Cpqdiag\Cpqdfwag.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\PROGRA~1\NORTON~1\navapw32.exe C:\Program Files\Microsoft Works\WksSb.exe C:\Program Files\Compaq\EAB\EabServr.exe C:\WINDOWS\System32\atiptaxx.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\Program Files\Hello\Hello.exe C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe C:\Program Files\Picasa2\PicasaMediaDetector.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe C:\WINDOWS\FSScrCtl.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Documents and Settings\Owner\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iesearch&c=3C01&lc=6809 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://biz.thestar.com.my/marketwatch R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=6809 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://biz.thestar.com.my/marketwatch R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file) F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe O2 - BHO: IEHooks Class - {00000000-0000-0000-0000-000000000240} - (no file) O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: URLLink Class - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - (no file) O2 - BHO: Curl - {A78CC2FF-6E4E-4556-B27C-D7C3A70D7A50} - C:\WINDOWS\System32\NDrv.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O2 - BHO: WebBar Class - {EE392A64-F30B-47C8-A363-CDA1CEC7DC1B} - C:\PROGRA~1\ADVANC~1\bar.dll O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll O4 - HKLM\..\Run: [1A:Stardock TrayMonitor] "C:\Program Files\Common Files\Stardock\TrayServer.exe" O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [PicasaNet] "C:\Program Files\Hello\Hello.exe" -b O4 - HKLM\..\Run: [MoneyStartUp10.0] "c:\Program Files\Microsoft Money\System\Activation.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINDOWS\Cpqdiag\CpqDfwAg.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0 O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner\RegClean.exe" O4 - Startup: DLHelperEXE.exe O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ? O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZHxdm006XXBN O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll O9 - Extra button: PowerWord - {8DE0FCD4-5EB5-11D3-AD25-00002100131B} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll O9 - Extra button: Joyo - {C8CE29C5-7589-11D3-B81B-0080C8DC5DC8} - C:\WINDOWS\System32\shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_30.dll' missing O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=iehomepage&c=3C01&lc=6809 O16 - DPF: IEToolbarCab - http://download.dailytoolbar.com/DailyToolbarAff.CAB O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {093F9CF8-0DE1-491C-95D5-5EC257BD4CA3} - http://akamai.downloadv3.com/binaries/IA/dtc32_EN_XP.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab O16 - DPF: {2ABE804B-4D3A-41BF-A172-304627874B45} - http://akamai.downloadv3.com/binaries/DialHTML/EGDHTML_XP.cab O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1095430286609 O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx O16 - DPF: {A02780C3-7F77-4E28-855B-28890F3CF37A} - http://akamai.downloadv3.com/binaries/DialHTML/EGCOMLIB_1034_pack_XP.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (WebHandler Class) - http://activex.microgaming.com/DLhelper/version6/dlhelper.cab O16 - DPF: {B9B2EE1A-E314-4338-A305-BE845EACB102} (CS Control) - https://www.taonline.com.my/TAOnline/EF/control/csw.cab O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{B87EA17C-3385-45C9-B145-8448FF4A1290}: NameServer = 202.152.64.27 202.152.64.28 O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe O23 - Service: Compaq Remote Diagnostics Enabling Agent (CpqDfwWebAgent) - Compaq Computer Corporation - C:\WINDOWS\Cpqdiag\Cpqdfwag.exe O23 - Service: FLEXlm License Manager - Unknown owner - C:\PROGRA~1\Flexlm\lmgrd.exe (file missing) O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
Hey Guys... I'm new to this thread, joined cuz I'm trying to find out more about the bloody virus that's plaging my com. Apparently I do suffer from the same things as most of the people do here... 1. Norton keeps telling me that they've deleted the MHTMLRedir.Exploit virus. However, this stupid Norton window pops up like 300 - 500 times, each time with a new numeral addition to the Exploit file. 2. I've tried loading all the patches from Microsoft but none of em works for me even when I already have Outlook Express 6 installed. 3. All my viruses are in Norton's quarantined section, but the horrific thing is that they're replicating at tremendous speeds. And that whole quarantined chunk took like 12.7GB of my harddisk. I've tried manually deleting them, but I can't. 4. It is said that IE users are more vunerable to this virus. But I contacted this virus through using Netscape. Cuz I entered this bloody website to search for serial numbers for a programme. And it happens that this website's infected. 5. None of my bloody antivirus programmes work. They are Norton(,,|,,) Avast, AntiVir XP(something like that) and bla bla bla... 6. I can't run any online scans cuz most of them require me to do something to the ActiveX controls in IE. But apparently IE doesn't allow me to tamper with the security controls. 7. I've tried my windows update, but apparently it always jams or screws up halfway so my comp won't get updated. 8. This bloody virus is making my com lag/jam/stall... I'm using my bro's com as I'm typing this, cuz I don't want it replicating and destroying everything precious I have in my com. I've to run like dozens of Error Reports cuz everything's screwed up big time. 9. I've read many of the threads. Please tell me what's the HiJacker thing for... And help me! I beg you to!!! PLease!!!!!
I had the bloodhound earlier this year and CJC helped me remove it. I got a brief popup from Norton again today saying that I had this virus, and it could not be repaired. Then inexplicably my computer rebooted itself before I could even read the message or take any action. Please take a look at my hijack this and let me know if anything looks strange. Since my computer rebooted, I haven't noticed any homepage hijacking, but the free xoftspy scan that you recommend in your general virus thread indicates I have a trojan (but I'm not ready to fork over the $40 for the full version of that just yet). Norton scan doesn't detect it. C:\WINNT\System32\smss.exe C:\WINNT\system32\winlogon.exe C:\WINNT\system32\services.exe C:\WINNT\system32\lsass.exe C:\WINNT\system32\svchost.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINNT\system32\LEXBCES.EXE C:\WINNT\system32\spoolsv.exe C:\WINNT\system32\LEXPPS.EXE C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Executive Software\DiskeeperLite\DKService.exe C:\WINNT\System32\svchost.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe C:\PROGRA~1\NORTON~1\NORTON~1\NPROTECT.EXE C:\WINNT\system32\nvsvc32.exe C:\Program Files\Tiny Personal Firewall\persfw.exe C:\WINNT\system32\regsvc.exe C:\WINNT\system32\MSTask.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\PROGRA~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.EXE C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINNT\System32\WBEM\WinMgmt.exe C:\WINNT\system32\svchost.exe C:\Program Files\Intel\Intel(R) Active Monitor\imonnt.exe C:\WINNT\Explorer.EXE C:\Program Files\Common Files\Symantec Shared\SymTray.exe C:\WINNT\system32\shpc32.exe C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe C:\Program Files\Analog Devices\SoundMAX\Smax4.exe C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINNT\system32\internat.exe C:\WINNT\DvzCommon\DvzMsgr.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Microsoft Office\Office\FINDFAST.EXE C:\Program Files\Microsoft Office\Office\OSA.EXE C:\Program Files\Palm\HOTSYNC.EXE C:\Program Files\Grisoft\AVG Free\avgwb.dat C:\PROGRA~1\WinZip\winzip32.exe C:\DOCUME~1\@\LOCALS~1\Temp\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon O4 - HKLM\..\Run: [SHPC32] shpc32.exe O4 - HKLM\..\Run: [xkstartup] RunDll32 InstZ82.dll,SetUsbPrinterPort O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray O4 - HKLM\..\Run: [IMONTRAY] C:\Program Files\Intel\Intel(R) Active Monitor\imontray.exe O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtray.exe SetReg O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe O4 - HKLM\..\Run: [LexStart] lexstart.exe O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe O4 - HKCU\..\Run: [internat.exe] internat.exe O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE O4 - Global Startup: DataViz Messenger.lnk = C:\WINNT\DvzCommon\DvzMsgr.exe O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE O16 - DPF: SEAGULL J Walk Java Client 4_0C8 - http://www.co.winnebago.il.us/jwalk/jwalk/jwalk_ie.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - https://ras.us.nomura.com/msrdp.cab O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4385/mcfscan.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab
I am also having issues with the Bloodhound.Exploit.6 virus. Below is a copy of my log from HijackThis. Thank you for your help. Logfile of HijackThis v1.99.1 Scan saved at 12:38:25 PM, on 6/24/2005 Platform: Windows XP (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 (6.00.2600.0000) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Common Files\Symantec Shared\ccProxy.exe C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe C:\Program Files\Norton Internet Security\ISSVC.exe C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe C:\WINDOWS\System32\S3tray2.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\Program Files\QuickTime\qttask.exe C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\System32\ctfmon.exe C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe C:\WINDOWS\System32\wdfmgr.exe C:\WINDOWS\System32\wuauclt.exe C:\WINDOWS\explorer.exe C:\WINDOWS\System32\ctfmon.exe C:\Program Files\Java\j2re1.4.2_06\bin\jucheck.exe C:\WINDOWS\explorer.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe C:\WINDOWS\System32\msiexec.exe C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.ipre.net R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/ R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\WINDOWS\PCHEALTH\HELPCTR\System\panels\blank.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: <html> O1 - Hosts: <head> O1 - Hosts: <title>Refresh Page</title> O1 - Hosts: </head> O1 - Hosts: </html> O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file) O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O2 - BHO: AlxTB BHO - {F1FABE79-25FC-46de-8C5A-2C6DB9D64333} - C:\WINDOWS\System32\AlxTB1.dll (file missing) O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb03.exe O4 - HKLM\..\Run: [APL] "C:\Program Files\ACT\ACT for Win 7\APL.exe" O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe O4 - HKCU\..\Run: [Tracks Eraser Pro] C:\Program Files\Acesoft\Tracks Eraser Pro\te.exe min O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" O4 - Startup: Run hotfix bat file.lnk = C:\Program Files\REX2XCU\msxml3 hotfix\runhfix.bat O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O8 - Extra context menu item: Fill Forms &] - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html O8 - Extra context menu item: RoboForm Toolbar &R - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html O8 - Extra context menu item: Save Forms &[ - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html O8 - Extra context menu item: Write a Review... - http://client.alexa.com/holiday/script/actions/review.htm O9 - Extra button: Security Module monitor - {CBC61F6A-F9DB-4A7A-8A74-346B11D9AD18} - C:\WINDOWS\System32\iegfxfrw.dll O9 - Extra 'Tools' menuitem: Security Module monitor - {CBC61F6A-F9DB-4A7A-8A74-346B11D9AD18} - C:\WINDOWS\System32\iegfxfrw.dll O9 - Extra button: Security Module monitor - {CBC61F6A-F9DB-4A7A-8A74-346B11D9AD18} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU) O9 - Extra 'Tools' menuitem: Security Module monitor - {CBC61F6A-F9DB-4A7A-8A74-346B11D9AD18} - C:\WINDOWS\System32\iegfxfrw.dll (HKCU) O14 - IERESET.INF: START_PAGE_URL=www.ipre.net O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409 O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rmlsfl.mlxchange.com/Control/MultiSelectComboBox.cab O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://support.rexplorer.net/iftw_install//iftwclix.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1119629546877 O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rmlsfl.mlxchange.com/Control/IRCSharc.cab O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/SymAData.cab O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup/downloader/imloader.cab O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60/code/iPIX-ImageWell-ipix.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{3A267CE6-4D5B-42BC-84CD-D9C11DBE912F}: NameServer = 69.50.184.84,195.225.176.37 O17 - HKLM\System\CCS\Services\Tcpip\..\{80F2757B-C4E1-467B-A68E-4FD9414632F0}: NameServer = 69.50.184.84,195.225.176.37 O23 - Service: AutoComplete Service (Autocomplete) - Acesoft - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Hi all, I seem to have the same bloodhound problem. My logfile looks like this ogfile of HijackThis v1.99.1 Scan saved at 11:17:37, on 05/07/2005 Platform: Windows XP SP1 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\csrss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Sygate\SPF\smc.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\svchost.exe C:\WINDOWS\System32\alg.exe C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe C:\WINDOWS\system32\crypserv.exe C:\Program Files\Norton AntiVirus\navapsvc.exe C:\Program Files\Norton Utilities\NProtect.exe C:\WINDOWS\System32\nvsvc32.exe C:\WINDOWS\Explorer.exe C:\Program Files\Speed Disk\nopdb.exe C:\WINDOWS\System32\svhost.exe C:\WINDOWS\System32\00THotkey.exe C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe c:\windows\system32\eubohck.exe C:\WINDOWS\System32\kernels32.exe C:\WINDOWS\System32\perfcl.exe C:\WINDOWS\msxmidi.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\System32\wuactl2.exe C:\Program Files\MSN Messenger\MsnMsgr.Exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\Program Files\FinePixViewer\QuickDCF.exe C:\Program Files\CASIO\Photo Loader\Plauto.exe C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe C:\WINDOWS\System32\wuauclt.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\WinRAR\WinRAR.exe C:\DOCUME~1\NEO\LOCALS~1\Temp\Rar$EX00.931\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/ R3 - URLSearchHook: (no name) - {CEC64A9D-62AB-F13A-F60A-6068CD4644E8} - slamm.dll (file missing) F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: CCHelper - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll O2 - BHO: Internet Explorer Hot Fix - {1ECE1B08-E50A-4ADD-AF4A-BE1A68E9A6AA} - C:\WINDOWS\System32\vmjgr.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet O4 - HKLM\..\Run: [00THotkey] C:\WINDOWS\System32\00THotkey.exe O4 - HKLM\..\Run: [000StTHK] 000StTHK.exe O4 - HKLM\..\Run: [TFncKy] C:\Program Files\Toshiba\TOSHIBA Controls\TFncKy.exe /Type 28 O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui O4 - HKLM\..\Run: [barint] TemplateDongle.exe O4 - HKLM\..\Run: [Dest068] FLKPT.exe O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels32.exe O4 - HKLM\..\Run: [PerformCl] C:\WINDOWS\System32\perfcl.exe O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe O4 - HKLM\..\Run: [win32servv] C:\WINDOWS\msxmidi.exe O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [nnirba] c:\windows\system32\eubohck.exe r O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background O4 - Global Startup: Exif Launcher.lnk = ? O4 - Global Startup: Photo Loader supervisory.lnk = C:\Program Files\CASIO\Photo Loader\Plauto.exe O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ? O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Microsoft® JavaScript® Console - {B8FA6ADA-E304-4D79-BD68-917D39977D28} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra 'Tools' menuitem: JavaScript Console - {B8FA6ADA-E304-4D79-BD68-917D39977D28} - C:\WINDOWS\System32\comdlg32.ocx O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing) O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - C:\WINDOWS\System32\HPCMDTY.DLL (file missing) (HKCU) O9 - Extra button: Microsoft® JavaScript® Console - {B8FA6ADA-E304-4D79-BD68-917D39977D28} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O9 - Extra 'Tools' menuitem: JavaScript Console - {B8FA6ADA-E304-4D79-BD68-917D39977D28} - C:\WINDOWS\System32\comdlg32.ocx (HKCU) O9 - Extra button: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU) O9 - Extra 'Tools' menuitem: Start spyware remover - {BF69DF00-2734-477F-8257-27CD04F88779} - C:\Program Files\WareOut\WareOut.exe (file missing) (HKCU) O16 - DPF: {03DB1F73-70E9-01A0-6197-46F952E6C3C2} - http://69.50.182.94/1/gdnAU1733.exe O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.samsung.com/Products/NotebookPCs/SamsungXseries/ProductPresentation/ViewPoint/NotebookPCs_SamsungXseries_NX10_ViewPoint.htm O16 - DPF: {1D6C0724-47F0-755F-54E6-0B532064624E} - http://69.50.182.94/1/gdnAU1733.exe O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://amazon.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{0247C269-B6A7-43AA-9FE8-167753BD7BA0}: NameServer = 69.50.176.196,195.225.176.110 O17 - HKLM\System\CCS\Services\Tcpip\..\{1B99A5DC-B85B-48D2-8F8C-6D6616A2A38F}: NameServer = 69.50.176.196,195.225.176.110 O17 - HKLM\System\CCS\Services\Tcpip\..\{5A14B231-F6AF-40B6-8849-D478EF719AD2}: NameServer = 69.50.176.196,195.225.176.110 O17 - HKLM\System\CCS\Services\Tcpip\..\{E39662C4-8C99-44B6-AC90-523A9A10A44E}: NameServer = 69.50.176.196,195.225.176.110 O17 - HKLM\System\CS1\Services\Tcpip\..\{0247C269-B6A7-43AA-9FE8-167753BD7BA0}: NameServer = 69.50.176.196,195.225.176.110 O23 - Service: .NET Framework Service (.NET Connection Service) - Unknown owner - C:\WINDOWS\svchost.exe O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NProtect.exe O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
hello i am not having any luck with this Bloodound.Expoit.6 virus i see it has been in the threat report for Nort internet but have had any luck with destroying it. i am about to give up and restore my laptop to factory. help me plz. i have spent forver geting my sysem the way i want it and have files i cant duplicate. thankyou very much for any help Travis
travis, I was in the same boat as you several months ago, so I understand your frustration. The key to ridding yourself of the bloodhound is definitely this forum. Basically, you download "hijack this", run it, and "tick the boxes" next to the harmful files to erase them. It used to be that everyone posted their log on this forum and "knowledgable people" responded and told you which files to tick off. Understandably, this became almost a full-time job for the "knowledgable people", so I think they stopped answering each plea for help and instead left instructions so that people could help themselves. If you read the entire thread in detail (or at least the last few pages) you will find instructions guiding you to other websites that will help you identify which entries in your registry key are harmful. I am far from a computer geek and I was able to run hijack this, print my registry key, and check each entry one-by-one against a database of harmful and non-harmful entries and remove the harmful one(s). If you are still having trouble figuring out which lines to tick off, there are still some "knowledgable people" sites out there on the internet that will help you if you post your "hijack this" log. Hope this helps and good luck!
