View Full Version : No idea
PrackIt
06-17-2004, 01:39 PM
Any time I load up the internet (cable) I always end up with this web site ( res://ysgmc.dll/index.html#37049 ) as my home page. I change all the settings under internet options for the home page I want, clear my history and delete temp files and cookies. Still the next time I load up the internet that very same web page pops up as my home page. I have scanned for a virus, trojan horses etc..everything has been cleaned up......any ideas on what to do????
I use Panda Antivirus Platinum (30day trial)
Thanks
Mike
Lobos
06-17-2004, 01:47 PM
you have Coolweb
If you could
First, create a folder for HijackThis in the root folder of your hard drive so it can make proper backups
example
C:/HJT
C:/hijackthis
next
Click here (http://www.sherrylynn.us/HijackThis.exe) to download Hijack This. Save it to the folder you have just created
Close all open windows and open HIJACK THIS. Click “Scan”. When the scan is finished (it only takes a second), the scan button will change to “Save Log”. Click on “Save Log” and save it to NotePad. Copy the entire log and paste it here.
DO NOT FIX ANYTHING YET, most items that appear in the log are harmless or even needed. Wait for someone to analyze the scan and advise.
PrackIt
06-17-2004, 02:04 PM
Logfile of HijackThis v1.97.7
Scan saved at 2:02:34 PM, on 6/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\FIREWALL\PAVFIRES.EXE
C:\WINDOWS\SYSTEM\SDKQO.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\JAVAVZ.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\WEBSHOTS.SCR
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {B9D90B27-AD4A-413a-88CB-3E6DDC10DC2D} - C:\WINDOWS\MSOPT.DLL (file missing)
O2 - BHO: (no name) - {40085E62-C8C2-5EB8-A6B0-0E40313EDEB3} - C:\WINDOWS\JAVAVZ.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [Image] rundll32 C:\WINDOWS\JAVANV.DLL,Install
O4 - HKLM\..\Run: [JAVAVZ.EXE] C:\WINDOWS\JAVAVZ.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SDKQO.EXE] C:\WINDOWS\SYSTEM\SDKQO.EXE
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\RunServices: [Image] rundll32 C:\WINDOWS\JAVANV.DLL,Install
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Lobos
06-17-2004, 02:44 PM
Let's try this
Click here (http://www.spywareinfo.com/~merijn/cwschronicles.html#cwshredder) to download CWShredder by Merijn Bellekom, the creator of Hijack This
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
Reboot
CWS installs via the byte verifier exploit in M$ JavaVM so just surfing a page with an infected applet can install it with no user participation. So once you’ve run the above, it is vital that you go here, click Scan for updates in the main frame, and download and install all CRITICAL updates recommended.
http://v4.windowsupdate.microsoft.com/en/default.asp
------------------------------------------------------------------------------------------
Then go Click here (http://www.safer-networking.org/index.php?page=download) and download Spybot Search & Destroy 1.3
Install the program and launch it.
Before scanning press Online and Search for Updates.
Put a check mark at and install all updates.
Click Check for Problems and when the scan is finished let Spybot fix/remove all it finds marked in RED.
Restart your computer.
---------------------------------------------------------------------------------------------------------------
Click here (http://www.lavasoftusa.com/) to download AdAware 6 181
Before scanning click on "check for updates now" to make sure you have the latest reference file. Then click the gear wheel at the top and check these options:
General> activate these: "Automatically save log-file" and "Automatically quarantine objects prior to removal"
Scanning > activate these: "Scan within archives", "Scan active processes", "Scan registry", "Deep scan registry", "Scan my IE Favorites for banned sites" and "Scan my Hosts file"
Tweaks > Scanning Engine> activate this: "Unload recognized processes during scanning."
Tweaks > Cleaning Engine: activate these: "Automatically try to unregister objects prior to deletion" and "Let Windows remove files in use after reboot."
Click "Proceed" to save your settings, then click "Start", make sure "Activate in-depth scan" is ticked green then scan your system. When the scan is finished, the screen will tell you if anything has been found, click "Next". The bad files will be listed, right click the pane and click "Select all objects" - this will put a check mark in the box at the side, click "Next" again and click "OK" at the prompt "# objects will be removed. Continue?".
Reboot when done. Rescan with HJT and post a new log here so that any remnants can be removed manually.
PrackIt
06-17-2004, 04:16 PM
Logfile of HijackThis v1.97.7
Scan saved at 4:12:06 PM, on 6/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\SDKQO.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\JAVAVZ.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\WEBSHOTS.SCR
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Rogers Hi-Speed Internet
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {40085E62-C8C2-5EB8-A6B0-0E40313EDEB3} - C:\WINDOWS\JAVAVZ.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [JAVAVZ.EXE] C:\WINDOWS\JAVAVZ.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SDKQO.EXE] C:\WINDOWS\SYSTEM\SDKQO.EXE
O4 - HKLM\..\RunServices: [PANDASCHEDULER] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Pavsched.exe"
O4 - HKLM\..\RunServices: [PAVFIRES] C:\Program Files\Panda Software\Panda Antivirus Platinum\Firewall\PavFires.exe
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Lobos
06-17-2004, 05:23 PM
try this
CWShredder
if you have it already update to V1.59.0
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
Reboot
Run Hijack This, put a check next to these, close all browsers and hit fix
Make sure not to miss one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
O2 - BHO: (no name) - {40085E62-C8C2-5EB8-A6B0-0E40313EDEB3} - C:\WINDOWS\JAVAVZ.DLL
O4 - HKLM\..\Run: [JAVAVZ.EXE] C:\WINDOWS\JAVAVZ.EXE
O4 - HKLM\..\RunServices: [SDKQO.EXE] C:\WINDOWS\SYSTEM\SDKQO.EXE
-----------------------------------------------------------------------------------------------------------------------------------
To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.
reboot into safe mode
How to boot into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
delete
these files
C:\WINDOWS\SYSTEM\SDKQO.EXE
C:\WINDOWS\JAVAVZ.EXE
C:\WINDOWS\JAVAVZ.DLL
C:\WINDOWS\ysgmc.dll
CWShredder
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
change your start page to what you want
come back and post a fresh log and tell me how your computer's running
Lobos
PrackIt
06-17-2004, 06:52 PM
I did everything you had said...but it seems like when I run hijack some of the same files end up back....anyway here is the log again....thanks so much for the help....
Logfile of HijackThis v1.97.7
Scan saved at 6:50:38 PM, on 6/17/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\WEBSHOTS.SCR
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hdfoj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdfoj.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdfoj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hdfoj.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hdfoj.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\hdfoj.dll/sp.html#37049
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {9E515CDC-627C-9542-AEC4-9404D2A010E5} - C:\WINDOWS\SYSTEM\NTRZ32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CRST.EXE] C:\WINDOWS\SYSTEM\CRST.EXE
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
Lobos
06-17-2004, 08:46 PM
Ok, it seems like there might be a hidden .dll
it's morphing the file; once you delete it, it comes back as another file
so do this
First download the following Tools :
Win98Fix from http://www10.brinkster.com/expl0ite...last/pvtool.htm
StartDreck from http://members.blackbox.net/hp_link.../startdreck.htm
unzip them & put them in a folder on the desktop where you can get to them easily
then you need to identify the hidden bad file that is causing the problem, so
DoubleClick: 'StartDreck.exe'
Hit: config
hit: Unmark all
Check these boxes only:
Registry->run keys
System/drivers> Running processes
hit >ok.
Check specifically for this entry in the log :
»Local Machine
»RunServicesOnce
**ozkc=rundll32 C:\WINDOWS\SYSTEM\XXXXX.DLL,StreamingDeviceSetup
Any problems post the log file it makes and we'll identify the file for you
--------------------------------------------------------------------------
After identifying the dll, proceed with :
open the "Win98Fix" folder that you earlier unzipped &
-DoubleClick on: 'RunFix.reg' file, hit 'yes'
on the prompt!
-Restart computer!
-File should be visible!
-Do 'find files' for dll listed on log, delete.
*Note: Be sure to Save the StartDreck log before, so
you'd be able to find the file later!
If lost (Since nothing else will find it when not hooked)
Simply run the included: "who.bat", file
will be found & listed
in "Badfile.txt".
It should be located in C:\WINDOWS\SYSTEM\XXXXX.dll
-------------------------------------------------------------------------
then run cwshredder
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
Reboot
---------------------------------------------------------------------------------------------------
Run AdAware
Before you scan with AdAware, check for updates of the reference file 01R304 16.05.2004 by using the "webupdate".
Now to set it up for optimum performance...
Make sure the following settings are configured. Remember that ON=GREEN.
From main window click Start | Activate in-depth scan.
Then click Use custom scanning options | Customize and have these options switched ON...
Scan within archives
Scan active processes
Scan registry
Deep scan registry
Scan my IE Favourites for banned URLs
Scan my host-files
Then click the Settings button.. (the gear icon on the top row) then Tweak | Scanning engine and check..
Unload recognised processes during scanning.
Cleaning engine.
Let windows remove files in use at next reboot.
and uncheck..
Automatically try to unregister objects prior to deletion.
Then click Proceed, to save your settings.
Now click the Scan button.
When scan is finished, check the little box to the left of each entry to select them for removal, and get rid of them
Restart your computer
----------------------------------------
If any of you get a runtime error advised when trying to run Startdreck, then this is the link for them to download it...
http://www.annoyances.org/exec/software/vb4rt
Repost a new log
Lobos
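An added example, not part of the original posts: the renaming described in the post above shows up when two HijackThis logs are compared rather than read one at a time. This Python compares excerpts of the 4:12 PM and 6:50 PM logs posted earlier in the thread and reports which IE settings still point at a res:// DLL, whether that DLL changed name, and which F1/O2/O4 autostart lines appeared or disappeared. The function names are this example's own.

```python
import re

# Excerpts (a subset of lines, copied unchanged) from the 4:12 PM and
# 6:50 PM HijackThis logs posted earlier in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\SDKQO.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {40085E62-C8C2-5EB8-A6B0-0E40313EDEB3} - C:\WINDOWS\JAVAVZ.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [JAVAVZ.EXE] C:\WINDOWS\JAVAVZ.EXE
O4 - HKLM\..\RunServices: [SDKQO.EXE] C:\WINDOWS\SYSTEM\SDKQO.EXE
"""

LOG_AFTER = r"""Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\SYSTEM\CRST.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\hdfoj.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hdfoj.dll/index.html#37049
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {9E515CDC-627C-9542-AEC4-9404D2A010E5} - C:\WINDOWS\SYSTEM\NTRZ32.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\RunServices: [CRST.EXE] C:\WINDOWS\SYSTEM\CRST.EXE
"""

# A section line looks like "R0 - ..." or "O16 - ..."; header and
# running-process lines do not match and are skipped.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
# res://[drive:\dir\...\]name.dll/page -> capture only the file name.
RES_DLL = re.compile(r"res://(?:[A-Za-z]:\\)?(?:[^\\/]+\\)*([^\\/]+)/", re.I)
# Sections that list things started automatically (win.ini, BHOs, Run keys).
AUTOSTART_CODES = {"F1", "O2", "O4"}


def parse_log(text):
    """Return (code, body) pairs for every section line in a log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def res_hijacks(entries):
    """Map each R0/R1 setting to the DLL named in its res:// value."""
    found = {}
    for code, body in entries:
        if code not in ("R0", "R1") or " = " not in body:
            continue
        key, value = body.split(" = ", 1)
        m = RES_DLL.match(value)
        if m:
            found[key] = m.group(1).lower()
    return found


def autostarts(entries):
    """Return the set of F1/O2/O4 line bodies."""
    return {body for code, body in entries if code in AUTOSTART_CODES}


def compare(before_text, after_text):
    """Summarise what changed between two scans of the same machine."""
    before, after = parse_log(before_text), parse_log(after_text)
    old, new = res_hijacks(before), res_hijacks(after)
    both = old.keys() & new.keys()
    a0, a1 = autostarts(before), autostarts(after)
    return {
        # settings that pointed at a res:// DLL in both scans
        "still_hijacked": sorted(both),
        # same setting, different DLL file name
        "dll_renamed": {k: (old[k], new[k]) for k in both if old[k] != new[k]},
        "autostart_added": sorted(a1 - a0),
        "autostart_removed": sorted(a0 - a1),
    }


if __name__ == "__main__":
    report = compare(LOG_BEFORE, LOG_AFTER)
    for setting, (was, now) in report["dll_renamed"].items():
        print(f"{setting}: {was} -> {now}")
    for line in report["autostart_removed"]:
        print("gone: ", line)
    for line in report["autostart_added"]:
        print("new:  ", line)
```

Autostart lines present in both scans are not reported as changes; they are the ones to read next, since whatever rewrites the settings survived the cleanup.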
PrackIt
06-17-2004, 10:36 PM
I could only see one dll file. *FFEFABFD=C:\WINDOWS\SYSTEM\KERNEL32.DLL Not sure if this is it...anyway here is the StartDreck log..
--------------------------------------------------------------------
StartDreck (build 2.1.5 public BETA) - 2004-06-17 @ 22:33:17
Platform: Windows ME (Win 4.90.3000 )
»Registry
»Run Keys
»Current User
»Run
*RHSI SHS="C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
»RunOnce
»Default User
»Run
*RHSI SHS="C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
*SpySweeper=C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
»RunOnce
»Local Machine
»Run
*PCHealth=C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
*SystemTray=SysTray.Exe
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*Disc Detector=C:\Program Files\Creative\ShareDLL\CtNotify.exe
*Creative Launcher=C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
*CTAVTray=C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
*SCANINICIO="C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
*APVXDWIN="C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
*MSConfigReminder=C:\WINDOWS\SYSTEM\msconfig.exe /reminder
*Installed=1
*NoChange=1
*Installed=1
*Installed=1
»RunOnce
*CTAVTray=C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
»RunServices
*LoadPowerProfile=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
*SchedulingAgent=mstask.exe
*SSDPSRV=C:\WINDOWS\SYSTEM\ssdpsrv.exe
**StateMgr=C:\WINDOWS\System\Restore\StateMgr.exe
*Machine Debug Manager=C:\WINDOWS\SYSTEM\MDM.EXE
*CRST.EXE=C:\WINDOWS\SYSTEM\CRST.EXE
»RunServicesOnce
»RunOnceEx
»RunServicesOnceEx
»Files
»System/Drivers
»Running Processes
*FFEFABFD=C:\WINDOWS\SYSTEM\KERNEL32.DLL
*FFFFED5D=C:\WINDOWS\SYSTEM\MSGSRV32.EXE
*FFFE6FDD=C:\WINDOWS\SYSTEM\mmtask.tsk
*FFFE642D=C:\WINDOWS\SYSTEM\MPREXE.EXE
*FFFE57B9=C:\WINDOWS\SYSTEM\MSTASK.EXE
*FFFEA05D=C:\WINDOWS\SYSTEM\SSDPSRV.EXE
*FFFE9BF1=C:\WINDOWS\SYSTEM\MDM.EXE
*FFFD4BB5=C:\WINDOWS\SYSTEM\CRST.EXE
*FFFDBE49=C:\WINDOWS\SYSTEM\RPCSS.EXE
*FFFC7629=C:\WINDOWS\SYSTEM\DDHELP.EXE
*FFFC8855=C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
*FFFD92F9=C:\WINDOWS\EXPLORER.EXE
*FFE339F1=C:\WINDOWS\SYSTEM\SYSTRAY.EXE
*FFE316C9=C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
*FFE3598D=C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
*FFE3AB91=C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
*FFE2608D=C:\WINDOWS\SYSTEM\WMIEXE.EXE
*FFE26F19=C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
*FFE29339=C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
*FFE174FD=C:\WINDOWS\WEBSHOTS.SCR
*FFE3EAF5=C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
*FFE71FA1=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE07E55=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE3CD2D=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE05E89=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE11BD5=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE10555=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE08CA1=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE2B5E5=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE2ABA5=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE6B191=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE6DCC1=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE6AB05=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE5A255=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE547DD=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE584A1=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE4F4D5=C:\WINDOWS\SYSTEM\SPOOL32.EXE
*FFE6E741=C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
*FFE57B59=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE64A49=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE7ACDD=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE31AA9=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE3FA55=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE0A07D=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE1C9CD=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE2BF9D=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE41E19=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE45ECD=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE5D525=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE4A355=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE49AA1=C:\WINDOWS\SYSTEM\CRST.EXE
*FFE49181=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEB1199=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEB50D9=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEB19E9=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEBA809=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEBF58D=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEA14A1=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEA4CC5=C:\WINDOWS\SYSTEM\CRST.EXE
*FFEA0565=C:\WINDOWS\DESKTOP\STARTDRECK.EXE
»Application specific
___________________________________________
Lobos
06-18-2004, 09:11 AM
that is not the file
but try this
CWShredder
Run it, press 'Fix', and allow it to fix all it finds.
And remember to click "Fix" (Not "Scan only")
Reboot
Run Hijack This, put a check next to these, close all browsers and hit fix
Make sure not to miss one
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ysgmc.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ysgmc.dll/sp.html#37049
O2 - BHO: (no name) - {9E515CDC-627C-9542-AEC4-9404D2A010E5} - C:\WINDOWS\SYSTEM\NTRZ32.DLL
-----------------------------------------------------------------------------------------------------------------------------------
To enable the viewing of Hidden files follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the My Computer icon.
3. Select the Tools menu and click Folder Options.
4. After the new window appears select the View tab.
5. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
6. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
7. Remove the checkmark from the checkbox labeled Hide protected operating system files.
8. Press the Apply button and then the OK button and shutdown My Computer.
9. Now your computer is configured to show all hidden files.
reboot into safe mode
How to boot into safe mode (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406)
delete
these files
C:\WINDOWS\ysgmc.dll
C:\WINDOWS\sp.html
C:\sp.html
C:\WINDOWS\SYSTEM\NTRZ32.DLL
empty your recycle bin
reboot to normal
find these if they are still there
C:\WINDOWS\ysgmc.dll
C:\WINDOWS\sp.html
C:\sp.html
change your homepage back to what you want to be
come back and post a fresh log and tell me how your computer's running
Lobos
PrackIt
06-18-2004, 10:42 AM
It was ok for a few minutes...but now back to the same thing. They keep coming back!!!!
__________________________________________
Logfile of HijackThis v1.97.7
Scan saved at 10:41:15 AM, on 6/18/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\CRST.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\CTNOTIFY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\CTLAUNCHER.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAVTRAY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\APVXDWIN.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\PROGRAM FILES\CREATIVE\SHAREDLL\MEDIADET.EXE
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\FIREWALL\PAVFIRES.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKCALREM.EXE
C:\WINDOWS\WEBSHOTS.SCR
C:\PROGRAM FILES\PANDA SOFTWARE\PANDA ANTIVIRUS PLATINUM\PAVPROXY.EXE
C:\PROGRAM FILES\CREATIVE\SBLIVE\LAUNCHER\TASKGUIDE\UPDTRAY.EXE
C:\HJT\HIJACKTHIS.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vecil.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vecil.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vecil.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vecil.dll/sp.html#37049
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (file missing)
O2 - BHO: (no name) - {81EC5153-D04F-FDEF-005C-0D6BA674EF32} - C:\WINDOWS\NTNN32.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [Creative Launcher] C:\Program Files\Creative\SBLive\Launcher\CTLauncher.exe
O4 - HKLM\..\Run: [CTAVTray] C:\PROGRAM FILES\CREATIVE\SBLIVE\PROGRAM\CTAvTray.EXE
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Antivirus Platinum\Inicio.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Antivirus Platinum\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [CRST.EXE] C:\WINDOWS\SYSTEM\CRST.EXE
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers Hi-Speed Internet\RHSI SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [CTAVTray] C:\Program Files\Creative\SBLive\Program\CTAvStub.EXE EAX.AVI
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
O9 - Extra button: PartyPoker.com (HKLM)
O9 - Extra 'Tools' menuitem: PartyPoker.com (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://www.hispeed.rogers.com
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} (WSDownloader Control) - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://www.gamespot.com/KDX22/download/kdx.cab
__________________________________________
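The R-lines of the log above, run through a small parser (an added example, not part of the original posts): it lists the IE settings that point at a `res://` URL and shows that the DLL they name, vecil.dll, is not the ysgmc.dll from the earlier removal list, so a cleanup keyed on fixed file names does not cover it. The function names are hypothetical; the sample lines are copied from the posted log.

```python
import re

# Lines copied from the log posted above (the R-section plus one F1 line).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vecil.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\vecil.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://vecil.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\vecil.dll/sp.html#37049
F1 - win.ini: run=C:\WINDOWS\SYSTEM\cmmpu.exe
"""

# Shape of an R-line: "R1 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[0-3]) - (HK\w+)\\(.+?),(.+?) = (.*)$")
# res://<module>/<resource>: the module is the file IE loads the page from
RES_URL = re.compile(r"^res://(.+?\.dll)/", re.IGNORECASE)

def parse_r_entries(log_text):
    """Return one dict per R0-R3 line (IE start and search page settings)."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, hive, key, name, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key, "name": name, "data": data})
    return entries

def res_hijacks(entries):
    """Keep entries whose data is a res:// URL and add the bare module name."""
    hits = []
    for e in entries:
        m = RES_URL.match(e["data"])
        if m:
            module = m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            hits.append({**e, "module": module})
    return hits

def new_modules(hits, already_removed):
    """Module names in this log that an earlier fixed-name cleanup did not cover."""
    known = {n.lower() for n in already_removed}
    return sorted({h["module"] for h in hits} - known)

if __name__ == "__main__":
    hits = res_hijacks(parse_r_entries(SAMPLE_LOG))
    for h in hits:
        print(f'{h["code"]} {h["hive"]} {h["name"]!r} -> {h["module"]}')
    print("not in earlier cleanup list:", new_modules(hits, ["ysgmc.dll"]))
```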
jsanchez
06-18-2004, 10:57 AM
Make absolutely sure you do a Windows Update (Tools, Windows Update in IE). Run cws shredder, adaware, spybot in safe mode. MAKE SURE you have the latest and greatest versions of each. Hopefully this helps...
one meg short of a gig,
jsanchez
PrackIt
06-18-2004, 07:28 PM
Alright all seems well. I found this program called BHODemon (http://www.definitivesolutions.com/bhodemon.htm) and ran it. Then ran hijack and fixed everything that was mentioned by Lobos, ran cws shredder, adaware, spybot. Everything seems ok now...let's hope. Thanks so much for the help guys... much appreciated. I can't believe that there are programs out there like this that are legal!!!!!
Cheers
PrackIt
PrackIt
06-18-2004, 07:28 PM
It's back......
Driftwood50
06-18-2004, 07:58 PM
Hi Prackit,
There is one program I know that's truly effective for finding adware capable of hijacking your homepage...go to "http://www.download.com/3000-8022-10122137.html" for "Spybot - Search and Destroy". Once found, the program offers to fix the issue(s).
Lavasoft also has one at "http://www.download.com/Ad-aware/3000-8022-10214379.html?tag=lst-0-1"
Last but not least, "http://www.javacoolsoftware.com/spywareblaster.html"
All three are freeware (however donations are acceptable) but these 3 programs rock...see what you think.
Regards,
PrackIt
06-19-2004, 09:03 AM
I've tried every program recommended and nothing seemed to work. It would seem like it was all fixed but sure enough, a few minutes later it would take over again. So I formatted my hard drive. It turned out to be less frustrating and probably took less time.... thanks for all the help..
Cheers