View Full Version : Shifty-Please help


Nolowrider
05-10-2006, 05:58 PM
My computer is acting weird. Getting a lot of pop-ups, freezes up and sometimes it will just shut down. I followed your advice for the others and here are my results. Please take a look at it and see what you can find.

Logfile of HijackThis v1.99.1
Scan saved at 5:00:12 PM, on 5/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\outlook\outlook.exe
C:\windows\defender1.exe
C:\WINDOWS\eanexeaA.exe
C:\WINDOWS\ms05521732-2007.exe
C:\WINDOWS\system32\swinqqaf.exe
C:\Program Files\aim\aim.exe
C:\DOCUME~1\LIVING~1\APPLIC~1\ICROSO~1\dllhost.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLHostManager.exe
C:\Documents and Settings\Living room\Application Data\?racle\m?config.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\eanexea.exe
C:\Program Files\Windows\wWinUpdate.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
c:\program files\common files\aol\1118265035\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Living room\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CF246E97-F60A-FEF8-5270-FE3AF42272E3} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
N2 - Netscape 6: user_pref("browser.startup.homepage", "http://foxnews.com/"); (C:\Documents and Settings\Living room\Application Data\Mozilla\Profiles\default\23r2ecqr.slt\prefs.js)
N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://D%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Living room\Application Data\Mozilla\Profiles\default\23r2ecqr.slt\prefs.js)
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118265035\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard18.exe
O4 - HKLM\..\Run: [newname] C:\\newname18.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKLM\..\Run: [eanexeaA] C:\WINDOWS\eanexeaA.exe
O4 - HKLM\..\Run: [ms05521732-2007] C:\WINDOWS\ms05521732-2007.exe
O4 - HKLM\..\Run: [{7A-A6-63-3C-ZN}] c:\windows\system32\dwdsregt.exe CORN004
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinqqaf.exe CORN004
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kkuq] C:\PROGRA~1\COMMON~1\kkuq\kkuqm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Usrr] "C:\DOCUME~1\LIVING~1\APPLIC~1\ICROSO~1\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Wgpdjfuw] C:\Documents and Settings\Living room\Application Data\?racle\m?config.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinqqaf.exe
O4 - Startup: Z_Start.lnk = ?
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: svchost.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134791429921
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\i2lolc331f.dll (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\svdll.dll (file missing)
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eanexea.exe

Palf70Step
05-10-2006, 07:54 PM
One that caught my eye is this entry
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinqqaf.exe


I am not sure if HijackThis will completely clean it, but here is what Symantec and Grisoft say to do to clear it.

Click Start > Run.
Type regedit
Then click OK.
Navigate to the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the values:

"SysStart" = "[PATH TO ADWARE]\[ADWARE FILENAME]"
"{1C-CC-C5-54-ZN}" = "c:\windows\system32\dwdsregt.exe FI002"

Navigate to and delete the subkey:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Zeno Browser Enhancer

Exit the Registry Editor.

Another one I see that is normally a bigger problem is SurfSideKick:

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CF246E97-F60A-FEF8-5270-FE3AF42272E3} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

Uninstall Adware.SurfSideKick using the Add/Remove Programs utility.
Run a full system scan.
Delete the value that was added to the registry.

Click Start > Run.
Type regedit
Then click OK.

Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Current Version\Run

In the right pane, delete the values:

"SurfSideKick" = "%Program Files%\SurfSideKick\Ssk.exe"
"SurfSideKick 3" = "%Program Files%\SurfSideKick 3\Ssk.exe"

Navigate to the key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

In the right pane, delete the values:

"SurfSideKick" = "%Program Files%\SurfSideKick\Ssk.exe"
"SurfSideKick 3" = "%Program Files%\SurfSideKick 3\Ssk.exe"

Delete the values:

{02EE5B04-F144-47BB-83FB-A60BD91B74A9}
{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}

from the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks

Delete the values:

{000AB0005-FF12-42C2-8DF5-39E12E5F9C91}
{02EE5B04-F144-47BB-83FB-A60BD91B74A9}
{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}

from the registry key

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

Navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the right pane, right-click and select New String Value. Set the name of this value to:

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}

and leave the Value Data field blank.

Navigate to and delete the following keys:

HKEY_CLASSES_ROOT\CLSID\{000AB0005-FF12-42C2-8DF5-39E12E5F9C91}
HKEY_CLASSES_ROOT\CLSID\{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}
HKEY_CLASSES_ROOT\CLSID\{02EE5B04-F144-47BB-83FB-A60BD91B74A9}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf Sidekick
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf Sidekick_is1
HKEY_CURRENT_USER\Software\SurfSideKick2
HKEY_CURRENT_USER\Software\SurfSideKick3
HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick3

Exit the Registry Editor.


Shifty may see more, but that is what caught my attention.
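
The registry steps in the post above, as an added example that is not part of the thread and not Symantec's or Grisoft's tooling: a small Python generator that writes them out as one .reg file instead of a long sequence of hand edits in regedit. It only produces text; nothing changes until the file is imported on the infected machine, either with regedit or with "reg import clean.reg" (reg.exe), which is the fallback when regedit.exe itself has been tampered with. Key paths are the standard XP locations, the Run value names are the ones in this machine's log ({7A-A6-63-3C-ZN} and BrowserUpdateSched rather than the {1C-CC-C5-54-ZN} quoted from the generic write-up), and the hook CLSIDs are the ones listed in the post. Import it only after the processes are stopped (safe mode), because a running dropper will put its Run value straight back.

```python
"""Emit a .reg file performing the Zeno / SurfSideKick registry clean-up.

Added example; not the thread's own tooling. .reg syntax used here:
  "name"=-        deletes a value      [-HKEY_...\Key]   deletes a whole key
  "name"="data"   creates/overwrites a REG_SZ value
"""

HEADER = "Windows Registry Editor Version 5.00"


def _quoted(text):
    """A .reg string literal: backslashes and double quotes must be escaped."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'


def reg_script(delete_values=None, delete_keys=None, set_strings=None):
    """Build .reg text from three plain structures.

    delete_values: {key: [value name, ...]}
    delete_keys:   [key, ...]
    set_strings:   {key: {name: data}}
    Deletions are emitted before creations so a key removal never wipes a
    value that this same file creates afterwards.
    """
    out = [HEADER, ""]
    for key, names in (delete_values or {}).items():
        out.append(f"[{key}]")
        out.extend(f"{_quoted(n)}=-" for n in names)
        out.append("")
    for key in (delete_keys or []):
        out.append(f"[-{key}]")
        out.append("")
    for key, values in (set_strings or {}).items():
        out.append(f"[{key}]")
        out.extend(f"{_quoted(n)}={_quoted(d)}" for n, d in values.items())
        out.append("")
    return "\n".join(out)


HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_HOOKS = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\UrlSearchHooks"
HKCU_HOOKS = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks"
UNINSTALL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
SSK_BHO = "{02EE5B04-F144-47BB-83FB-A60BD91B74A9}"
SSK_OTHER = ("{000AB0005-FF12-42C2-8DF5-39E12E5F9C91}",
             "{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076}")
# IE's stock search hook; the write-up says to put it back once the adware hooks are gone.
DEFAULT_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"


def cleanup_script():
    """The Zeno and SurfSideKick steps from the post as one importable file."""
    return reg_script(
        delete_values={
            HKLM_RUN: ["{7A-A6-63-3C-ZN}", "BrowserUpdateSched",
                       "SurfSideKick", "SurfSideKick 3"],
            HKCU_RUN: ["SurfSideKick", "SurfSideKick 3"],
            HKLM_HOOKS: [SSK_BHO, SSK_OTHER[1]],
            HKCU_HOOKS: [SSK_BHO, *SSK_OTHER],
        },
        delete_keys=[
            UNINSTALL + r"\Zeno Browser Enhancer",
            UNINSTALL + r"\Surf Sidekick",
            UNINSTALL + r"\Surf Sidekick_is1",
            *("HKEY_CLASSES_ROOT\\CLSID\\" + c for c in (SSK_BHO, *SSK_OTHER)),
            r"HKEY_CURRENT_USER\Software\SurfSideKick2",
            r"HKEY_CURRENT_USER\Software\SurfSideKick3",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\SurfSideKick3",
        ],
        set_strings={HKCU_HOOKS: {DEFAULT_HOOK: ""}},
    )


if __name__ == "__main__":
    with open("clean.reg", "w") as fh:   # then: reg import clean.reg
        fh.write(cleanup_script())
```

regedit on XP reads a version 5.00 file saved as plain ANSI text, so no special encoding step is needed; the same file can be reviewed line by line before it is imported, which is the point of generating it rather than clicking through the editor.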

Nolowrider
05-10-2006, 08:11 PM
Thank you Palf70step for the help.
I can't even get the regedit to work says "regedit is not a valid win32 application".
Can I just delete the items you mentioned in HijackThis?

This computer is driving me nuts. Some pop-ups won't go away. They just sit in the middle of the screen and taunt me. Computer just freezes up.

shifty
05-11-2006, 09:51 AM
You're infected something fierce. Like, really badly. Give me about a half an hour, I need to do some serious digging here. Hope you're willing to invest the time in this you'll need to get clean. :)

shifty
05-11-2006, 10:06 AM
Ok, it doesn't look like you did anything in the cleanup thread that was posted at the top of the forum. Either way, your copy of McAfee has been disabled or doesn't exist, so your computer is wide open, no virus protection, no clear trojan protection, nothing but a simple (ineffective) popup blocker. I hope you are at least using XP's built-in firewall.

I want to make it really clear - you should be worried right now. There are several items on your computer I cannot identify. You have at least a half dozen backdoors open on your system right now that would allow anyone to access your files, rifle through your data, steal your identity, etc. The damage is done! If you do any online transactions with this computer like online banking, Ebay, email or other things, you would be wise to change all of your passwords once we get your computer cleaned up.

LET'S GET STARTED.

Download Ewido Security Suite from here: http://download.ewido.net/ewido-setup.exe

Install it, open the program, BUT DO NOT SCAN YOUR SYSTEM. Use the update feature to hunt for updates, then close the program and proceed to the next step.

Print out this page to your Printer. If your HP Printer is not available, save this page to Notepad or some other program.

Once the page is printed out, close EVERY open program on your computer - especially this one.

Open Hijackthis. Choose "scan only".

Put a checkmark next to all of these lines....IMPORTANT: you better get all of them checked, so double and triple check for ones you missed. If you don't see one of these in the list, skip it and move on to the next one. Place a checkmark next to the entire group before proceeding.


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - _{CF246E97-F60A-FEF8-5270-FE3AF42272E3} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll

F2 - REG:system.ini: UserInit=userinit.exe

N2 - Netscape 6: user_pref("browser.startup.homepage", "http://foxnews.com/"); (C:\Documents and Settings\Living room\Application Data\Mozilla\Profiles\default\23r2ecqr.slt\prefs.js)

N2 - Netscape 6: user_pref("browser.search.defaultengine", "engine://D%3A%5CPROGRA%7E1%5CNETSCAPE%5CNETSCA%7E1%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Living room\Application Data\Mozilla\Profiles\default\23r2ecqr.slt\prefs.js)

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard18.exe
O4 - HKLM\..\Run: [newname] C:\\newname18.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKLM\..\Run: [eanexeaA] C:\WINDOWS\eanexeaA.exe
O4 - HKLM\..\Run: [ms05521732-2007] C:\WINDOWS\ms05521732-2007.exe
O4 - HKLM\..\Run: [{7A-A6-63-3C-ZN}] c:\windows\system32\dwdsregt.exe CORN004
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinqqaf.exe CORN004
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [kkuq] C:\PROGRA~1\COMMON~1\kkuq\kkuqm.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Usrr] "C:\DOCUME~1\LIVING~1\APPLIC~1\ICROSO~1\dllhost.exe" -vt yazr
O4 - HKCU\..\Run: [Wgpdjfuw] C:\Documents and Settings\Living room\Application Data\?racle\m?config.exe

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinqqaf.exe
O4 - Startup: Z_Start.lnk = ?

O4 - Global Startup: svchost.exe

O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O16 - DPF: NDWCab - http://www.neededware.com/ndw3.cab

O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\i2lolc331f.dll (file missing)
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\svdll.dll (file missing)

O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\eanexea.exe

Now - once you got those checkmarks in place, click the FIX button in Hijackthis. Once that's done, Close Hijackthis and reboot your computer into SAFE MODE. If you don't know how to do this, read here:

Restart the computer. When the computer actually resets, press the F8 key once every 2 seconds (one one-thousand, two-one thousand, press, repeat) until you are prompted with a menu of boot options. Choose SAFE MODE from the list (with networking is fine).

When you get into safe mode, run Ewido. Scan the computer. Fix any items it finds. Once it's done, reboot again in NORMAL mode.

Go to this website and scan your computer:

http://housecall.trendmicro.com

It should help clean up most of the rest of your crap.

After that scan is done, reboot one more time.

Next, I need a fresh, new Hijackthis logfile after you complete the above steps.
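
What the post above does by eye is pattern matching on the log. As an added example (not HijackThis code and not shifty's own tool), here is that reasoning written down as explicit rules in Python and run over lines copied from the first log in this thread. The rules are assumptions about what looks wrong on a Windows XP box of this era, not a signature database: a system-binary name running from a profile or Startup folder, an executable dropped straight into C:\WINDOWS or the drive root, a Run value with a bare file name, a hook or service whose file is already gone, a service with no vendor string, the Windows 9x RunServices key, and unprintable characters in a path (which HijackThis renders as "?"). Every hit means "look closer", not "this is malware".

```python
"""Heuristic triage of HijackThis v1.99 log lines (added example, not
HijackThis code). Each rule is an assumption about what looks wrong on
Windows XP; a hit is a prompt to investigate, never a verdict."""
import re
from dataclasses import dataclass, field

# Binaries that belong in %SystemRoot%\system32. The same name anywhere else
# (a profile folder, a Startup folder) is a classic masquerade.
SYSTEM_BINARIES = {"svchost.exe", "dllhost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"
# First drive-letter path ending in a loadable extension; short (8.3) names,
# paths with spaces and "C:\\x.exe" all match.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|scr|pif|bat|cmd)\b", re.I)


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def triage_line(line):
    """Return a Finding for one log line; reasons is empty when nothing fires."""
    line = line.strip()
    reasons = []
    if "(file missing)" in line or "(no file)" in line:
        reasons.append("points at a file that is gone: orphaned hook or half-removed malware")
    if "Unknown owner" in line:
        reasons.append("service carries no vendor string")
    if "RunServices" in line:
        reasons.append("RunServices is a Windows 9x key that XP does not process; "
                       "legitimate XP installers do not write it")
    m = PATH_RE.search(line)
    if m:
        path = m.group(0).lower()
        folder, _, name = path.rpartition("\\")
        root = folder.rstrip("\\")
        if "?" in path:
            reasons.append("unprintable character in path (HijackThis renders it as '?')")
        if name in SYSTEM_BINARIES and folder != SYSTEM32:
            reasons.append(f"{name} is a system binary name but runs from {folder}")
        if root == "c:" or (root == r"c:\windows" and name != "explorer.exe"):
            reasons.append("executable dropped directly in the drive root or Windows directory")
        if any(s in path for s in ("\\application data\\", "\\applic~1\\", "\\startup\\")):
            reasons.append("executable in a user-writable profile or Startup location")
        if "Startup:" in line and folder == SYSTEM32:
            reasons.append("Startup-folder shortcut into system32: unusual for legitimate software, check the target")
    elif line.startswith("O4 - "):
        # Run value or Startup item with no drive path: just a file name.
        target = line.split("]", 1)[1].strip() if "]" in line else line.split(":", 1)[1].strip()
        if target.lower() in SYSTEM_BINARIES:
            reasons.append(f"{target.lower()} launched from a startup location, not from system32")
        elif target.lower().endswith(".exe"):
            reasons.append("bare file name with no path: resolved via the search path, so find where it lives")
    return Finding(line, reasons)


def triage_log(text):
    """Findings for every non-blank line that triggered at least one rule."""
    hits = [triage_line(l) for l in text.splitlines() if l.strip()]
    return [h for h in hits if h.reasons]


# Lines copied from the first log in this thread (a mix of clean and dirty).
SAMPLE = r"""
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eanexeaA.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
O4 - HKLM\..\Run: [newname] C:\\newname18.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [Wgpdjfuw] C:\Documents and Settings\Living room\Application Data\?racle\m?config.exe
O20 - Winlogon Notify: CSCSettings - C:\WINDOWS\system32\svdll.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
"""

if __name__ == "__main__":
    for f in triage_log(SAMPLE):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the whole first log it flags the same O4/O20/O23 lines the post singles out and stays quiet on Explorer, svchost in system32 and the iTunes entry; what it cannot do is recognise something like wWinUpdate.exe under Program Files\Windows, which is why a human still reads the rest of the log.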

Nolowrider
05-11-2006, 01:29 PM
Shifty-I went home for lunch and I got everything done except the Ewido scan (still scanning when I left). I will post the results when I get home today

shifty
05-11-2006, 02:51 PM
Thanks!

Nolowrider
05-11-2006, 02:55 PM
No............. thank you.

Nolowrider
05-12-2006, 09:31 AM
Shifty-After a lot of trouble getting this thing to start up, this is what I have now. I followed your instructions and it is definitely running better, a lot better. Some of the items you told me to check and fix will not go away. Things are looking better though. I think the only two left that I can't fix are in bold below. Also, how do I create a restore point? Through Safe Mode? THANK YOU for your help.


Logfile of HijackThis v1.99.1
Scan saved at 8:26:56 AM, on 5/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLHostManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
c:\windows\system32\ppdsregq.exe
C:\Program Files\MSN\MSN Explorer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\common files\aol\1118265035\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\swinqqaf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Living room\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118265035\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [{7A-A6-63-3C-ZN}] c:\windows\system32\ppdsregq.exe CORN004
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: C:\WINDOWS\system32\swinqqaf.exe CORN004
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
[B]O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinqqaf.exe
O4 - Startup: Z_Start.lnk = ?
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134791429921
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

shifty
05-12-2006, 04:35 PM
DO NOT create a restore point until you have this stuff gone. If you create a restore point now, the system will save those little baddies in a system folder and if you ever rollback to this restore point, it will screw you later and you'll be reinfected. Typically when you are clean, you'll need to turn off system restore (to flush your restore points) and re-enable it to get it to make a new restore point.

I'll get back to you on the above in a few.

shifty
05-12-2006, 04:46 PM
Ok, so when we removed one of those earlier, one of the files installed some new stuff on its way out - THIS IS COMMON and no cause for concern. We'll just remove it.

I see there are a couple of things that we need to do here. This stupid Zenotecnico thing (the Z_Start and Zeno.lnk entries) is what's killing us. You have also acquired Toolbar888 from one of them.

Here's what we're going to do:

1) Setup your system to "show all system files" and "hidden files". You can do this following a couple of steps: Open your file browser (double-click My Computer). Click the Tools menu and choose Folder Options. Click the View tab and:

a) choose "show hidden files and folders"
b) UNcheck "hide extensions for known filetypes"
c) UNcheck "hide protected operating system files"
d) click OK.

2) Navigate to the C:\Windows\System32 folder. Locate these two files and rename them to what I suggest:

a) find: ppdsregq.exe --rename to--> ppdsregq.exe.old
b) find: swinqqaf.exe --rename to--> swinqqaf.exe.old

3) Press CTRL+ALT+DEL and choose "Task Manager". Sort the list by "Image name", then locate the two filenames I just listed, highlight each one and choose "end task". It may be necessary to checkmark the box "show processes from all users" and re-sort the list in order to see these items.

4) Close all open programs, including all browsers. Open Hijackthis again. Choose Scan only. Put a checkmark next to each of these items:


O2 - BHO: XBTB04715 - {A8B0BDED-64A5-495b-97DA-42C0301E229B} - C:\PROGRA~1\TOOLBA~1\TOOLBA~1.DLL

O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Toolbar888\ToolBar888.dll

O4 - HKLM\..\Run: [{7A-A6-63-3C-ZN}] c:\windows\system32\ppdsregq.exe CORN004

O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\swinqqaf.exe CORN004

O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\swinqqaf.exe
O4 - Startup: Z_Start.lnk = ?

Doublecheck to make sure you got all of them. Afterwards, click FIX, then reboot your computer again.

Scan again. Give me a new logfile. It is very possible one will come back. This thing uses a couple of methods to reinfect you after you think you killed it, if this doesn't work, I have another suggestion.

Nolowrider
05-12-2006, 10:35 PM
Shifty-You are the man. Thank you so much for your help. Computer is running a lot better. No pop-ups, no freezing up, back to normal (so far). Thank you for taking the time to help me out.


Logfile of HijackThis v1.99.1
Scan saved at 9:34:04 PM, on 5/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\aim\aim.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLHostManager.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoFXM08.exe
c:\program files\common files\aol\1118265035\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1118265035\ee\AOLServiceHost.exe
C:\Program Files\Windows\wWinUpdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\Winamp.exe
C:\WINDOWS\system32\dumprep.exe
C:\Documents and Settings\Living room\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1118265035\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\aim\aim.exe -cnetwait.odl
O4 - Global Startup: hp officejet 4100 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O12 - Plugin for .xml: C:\Program Files\Netscape\Netscape Browser\PLUGINS\npTrident.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1134791429921
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

shifty
05-12-2006, 11:22 PM
OK - next....

1) Disable and re-enable system restore. To do this, go into the Control Panel and double-click the System icon. Click the System Restore tab. "Turn off system restore on all drives" then click Apply. Say "OK" to the warning. Next, turn it back on again and click Apply again, then OK. Create a system restore point again - this is done in the Start Menu, there is an option in "Help" to get you into the System Restore options.

2) Once that is done, you need to do something about McAfee. My personal opinion is GET RID OF IT. Uninstall it, then *reboot* your computer and install something better (and free :)). Avast is a good one. Here: http://www.avast.com/eng/download-avast-home.html

3) I left a sticky post in this forum up near the top. Go in there and read up on spyware protection stuff. At minimum, once you finish reading, I highly recommend installing SpywareGuard and SpywareBlaster. The built-in Windows XP Firewall should suit you for firewall stuff, so it's not necessary to install any firewall software per se. Just stick to antivirus and some spyware protection software - It's free! Good way to save your own ass.

I'm a little tossed right now, but that should get you covered, I think. If you notice anything weird, let me know. HTH :)