Internet Explorer problem
tim1234
July 1st, 2003, 01:25 AM
Hi, I've got a problem with IE: when I start it, it always brings me to an adult site, even if I change the home page in "Internet Options".
If I do change the home page, once I restart my computer it puts the adult site back as my home page.
My 2nd problem is with my Favorites: I've got 4 adult sites; if I delete them, they come back when I restart my computer.
My 3rd problem is probably related to the 2 others: on my desktop I've got an icon to an adult site, and when I delete it, once I restart it's back where it was.
I noticed too that I always get pop-ups of adult sites everywhere I go; even on this site I get adult site pop-ups.
GretaP
July 1st, 2003, 01:29 AM
D/load and run HiJack This! (http://www.tomcoyote.org/hjt/). Don't make any changes, just click on Save Log, copy it and paste it in this thread.
tim1234
July 1st, 2003, 01:31 AM
Logfile of HijackThis v1.95.0
Scan saved at 8:24:44 PM, on 6/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\WINDOWS\System32\id85255.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RSNet\RSEDNClient.exe
C:\WINDOWS\wintrim\WINTRIMS.EXE
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\winzip\WZQKPICK.EXE
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Gigex Downloads\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\Id8525.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\Id8525.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O3 - Toolbar: TopText - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - C:\PROGRA~1\eZula\eabh.dll
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
O4 - HKLM\..\Run: [Id8525] "C:\WINDOWS\System32\id85255.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIMS.EXE
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE
O9 - Extra button: Find &Mp3s (HKLM)
O9 - Extra 'Tools' menuitem: Planet.MP3Find (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fullversionwarez.com/free_warez.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/mp3_search.exe
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1042.cab
O16 - DPF: {965E6B07-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QaBar.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {B3E93EB5-5B7D-41E2-9225-F1EF49693E2F} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab
GretaP
July 1st, 2003, 01:47 AM
For starters (I'll probably be back suggesting more........just have to check on a few of them), have Hijack This fix the following:
O3 - Toolbar: TopText - {55910916-8B4E-4C1E-9253-CCE296EA71EB} - C:\PROGRA~1\eZula\eabh.dll
O4 - HKLM\..\Run: [Uninstall0001] "C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe" LASTCALL!adverts.mp3dancer.com!StatsMP3Dancer
O4 - HKCU\..\Run: [Red Swoosh EDN Client] C:\Program Files\RSNet\RSEDNClient.exe
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
tim1234
July 1st, 2003, 01:53 AM
I did what you said; now this is what the scan says:
Logfile of HijackThis v1.95.0
Scan saved at 8:46:28 PM, on 6/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Totem Shared\Uninstall0001\upd.exe
C:\WINDOWS\System32\id85255.exe
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\RSNet\RSEDNClient.exe
C:\WINDOWS\wintrim\WINTRIMS.EXE
C:\PROGRA~1\ezula\mmod.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\winzip\WZQKPICK.EXE
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Gigex Downloads\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\Id8525.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\Id8525.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: (no name) - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet4_88.dll
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS1.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [Id8525] "C:\WINDOWS\System32\id85255.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,NewDotNetStartup
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIMS.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE
O9 - Extra button: Find &Mp3s (HKLM)
O9 - Extra 'Tools' menuitem: Planet.MP3Find (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fullversionwarez.com/free_warez.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/mp3_search.exe
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.net/download/Object/DialerHTML/DHTMLAccessXP1042.cab
O16 - DPF: {965E6B07-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QaBar.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {B3E93EB5-5B7D-41E2-9225-F1EF49693E2F} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab
tim1234
July 1st, 2003, 02:15 AM
BTW, the fix above seems to have fixed the desktop, favorites and pop-ups :D but I still get the adult site as home page when I restart.
GretaP
July 1st, 2003, 02:20 AM
See if there's anything in Add/Remove Programs or via Start>Programs>(Program Name) to uninstall these:
C:\Program Files\RSNet
C:\PROGRA~1\ezula\
Have it fix these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\Id8525.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\Id8525.html
Some additional info concerning QaBar (http://www.doxdesk.com/parasite/AdultLinks.html)
And have it fix these, too:
R3 - URLSearchHook: Adult Search - {DD1BCA06-F674-424D-A08E-42DA97C4D5DD} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O3 - Toolbar: Adult Links - {965E6B07-6832-4738-BDBE-25F226BA2AB0} - C:\WINDOWS\Downloaded Program Files\QaBar.dll
O16 - DPF: {965E6B07-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QaBar.cab
O16 - DPF: {B3E93EB5-5B7D-41E2-9225-F1EF49693E2F} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.redswoosh.com/Installer/rsinstaller.cab
I'm waiting to find out if it's "safe" to fix the newdotnet entries with HiJack This........I know that, in the past, if you deleted certain of its entries, your Winsock files in registry remained "hijacked" by it, and prevented you from accessing the internet
tim1234
July 1st, 2003, 02:44 AM
Those 2 lines keep coming back when I restart my computer:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\Id8525.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\Id8525.html
N.B. In the past I edited the content of Id8525.html so it would only show a blank page.
GretaP
July 1st, 2003, 02:49 AM
What is the URL for the Home Page that you would like to have? I'll see if helping you to manually edit the registry will solve that problem.
and btw, look for the newdotnet entry in Add/Remove Programs and uninstall it from there.
GretaP
July 1st, 2003, 03:18 AM
Fix this one:
O4 - HKLM\..\Run: [Id8525] "C:\WINDOWS\System32\id85255.exe"
I believe that entry is the reason why your home page keeps changing to what you don't want.
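The link GretaP draws in this post, between the [Id8525] Run entry and the start page that keeps coming back, can be looked for mechanically in a log. The following Python is an added example, not part of the original thread and not HijackThis's own logic; the function names and the name-matching heuristic (a local page file, a Run entry and a DPF download sharing the same base name) are assumptions made for illustration.

```python
import re

# Excerpt of the HijackThis log posted in this thread, trimmed to the relevant entries.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\Id8525.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O4 - HKLM\..\Run: [Id8525] "C:\WINDOWS\System32\id85255.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {B3E93EB5-5B7D-41E2-9225-F1EF49693E2F} - http://pms.localscripts.nl/plugins/id8525.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
REG_RE = re.compile(r"^(?P<key>HK[^,]+),(?P<name>[^=]+)=(?P<value>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s+(?P<cmd>\S.*)$")
DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}.* - (?P<url>\S+)$")
# Executable of a Run command: quoted path, unquoted path ending in .exe/.dll, or first token.
EXE_RE = re.compile(r'"([^"]+)"|(\S.*?\.(?:exe|dll))(?=[\s,]|$)|(\S+)', re.I)
LOCAL_RE = re.compile(r"^[A-Za-z]:\\")


def parse_log(text):
    """Return (code, body) tuples for every R/F/O entry line; other lines are skipped."""
    matches = (ENTRY_RE.match(line.strip()) for line in text.splitlines())
    return [(m["code"], m["body"]) for m in matches if m]


def stem(path_or_url):
    """Lower-cased file name without its extension, for Windows paths and URLs alike."""
    name = re.split(r"[\\/]", path_or_url.strip('"'))[-1]
    return name.rsplit(".", 1)[0].lower()


def linked_persistence(entries):
    """Map each IE page setting that points at a local file to the Run (O4) and
    DPF (O16) entries sharing that file's base name (heuristic, see lead-in)."""
    findings = {}
    for code, body in entries:
        reg = REG_RE.match(body) if code in ("R0", "R1") else None
        if not reg or not LOCAL_RE.match(reg["value"]):
            continue
        token = stem(reg["value"])
        if len(token) < 4:          # too short to be a meaningful shared name
            continue
        links = []
        for code2, body2 in entries:
            run = RUN_RE.match(body2) if code2 == "O4" else None
            dpf = DPF_RE.match(body2) if code2 == "O16" else None
            if run:
                exe = next(g for g in EXE_RE.match(run["cmd"]).groups() if g)
                if run["name"].lower() == token or stem(exe).startswith(token):
                    links.append(f"{code2} - {body2}")
            elif dpf and stem(dpf["url"]) == token:
                links.append(f"{code2} - {body2}")
        if links:
            findings[f"{code} - {body}"] = links
    return findings


def left_behind(entries, fixed):
    """For every page setting in `fixed`, list its linked entries that are NOT in
    `fixed`: the ones still able to put the setting back at the next start-up."""
    fixed = set(fixed)
    result = {}
    for setting, links in linked_persistence(entries).items():
        remaining = [link for link in links if link not in fixed]
        if setting in fixed and remaining:
            result[setting] = remaining
    return result


if __name__ == "__main__":
    for setting, links in linked_persistence(parse_log(SAMPLE_LOG)).items():
        print(setting)
        for link in links:
            print("    linked:", link)
```

`left_behind` covers the situation seen earlier in the thread, where the page settings were fixed while the startup entry was still present.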
tim1234
July 1st, 2003, 03:27 AM
I did uninstall RSNet, ezula and newdotnet. But they were not in Add/Remove Programs; I had to go into Windows Explorer, where there were uninstall icons. After that I fixed R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=C:\WINDOWS\System32\Id8525.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Startpagina=C:\WINDOWS\System32\Id85
and when I restarted I got the adult site again as home page. But there is nothing about RSNet, ezula and newdotnet when I do a search on C:
Sorry about my bad English, I learned English in chat rooms.
tim1234
July 1st, 2003, 03:28 AM
Forgot: I want http://www.google.ca/ for home page.
GretaP
July 1st, 2003, 03:30 AM
Don't worry about your lack of English language skills.........you're communicating just fine :D
Here's some more to get rid of:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS1.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Id8525] "C:\WINDOWS\System32\id85255.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fullversionwarez.com/free_warez.exe
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/mp3_search.exe
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.ne...ccessXP1042.cab
GretaP
July 1st, 2003, 03:31 AM
btw, please post another log
tim1234
July 1st, 2003, 03:38 AM
BINGO!!!!! It worked, I can't believe I got rid of it; I had this bug for like 6 months. thx a lot :D
I didn't do this step; should I do it even if I solved the problem??
Here's some more to get rid of:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://dev.ntcor.com/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
O2 - BHO: My Search BHO - {014DA6C1-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O2 - BHO: Support Software - {85A702BA-EA8F-4B83-AA07-07A5186ACD7E} - C:\Program Files\Support Software\SS1.DLL
O3 - Toolbar: My &Search Bar - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - C:\Program Files\MySearch\bar\1.bin\S4BAR.DLL
O4 - HKLM\..\Run: [PromulGate] "C:\Program Files\DelFin\PromulGate\PgMonitr.exe"
O4 - HKLM\..\Run: [Id8525] "C:\WINDOWS\System32\id85255.exe"
O4 - HKLM\..\Run: [DownloadWare] "C:\Program Files\DownloadWare\dw.exe" /H
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} - http://www.fullversionwarez.com/free_warez.exe
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.weed-warez.net/mp3_search.exe
O16 - DPF: {946B0485-8F8C-4C35-A6E7-D2115E3B0B4F} (HTMLAccess Class) - http://usa-download.nocreditcard.ne...ccessXP1042.cab
GretaP
July 1st, 2003, 03:47 AM
You're very welcome :D
I didn't do this step; should I do it even if I solved the problem??
Yes, please.
and please post another log here, just in case I missed something
tim1234
July 1st, 2003, 03:48 AM
lol, I did everything and it fixed the next bug I was about to post: a row of search buttons under the URL, but now it's gone. Did you read my mind?
tim1234
July 1st, 2003, 03:48 AM
Logfile of HijackThis v1.95.0
Scan saved at 10:42:37 PM, on 6/30/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DelFin\PromulGate\PgMonitr.exe
C:\Program Files\F-Secure\Common\FSM32.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\NILaunch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\Program Files\DownloadWare\dw.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\wintrim\WINTRIMS.EXE
C:\Program Files\E-Color\Common\IconMgr.exe
C:\winzip\WZQKPICK.EXE
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe
C:\PROGRA~1\F-Secure\BackWeb\7681197\Program\SERVIC~1.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\F-Secure\BackWeb\7681197\Program\BackWeb-7681197.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\F-Secure\Common\FSMA32.EXE
C:\Program Files\F-Secure\Common\FSMB32.EXE
C:\Program Files\F-Secure\Common\FCH32.EXE
C:\Program Files\F-Secure\Common\FAMEH32.EXE
C:\Program Files\F-Secure\Common\FNRB32.EXE
C:\Program Files\F-Secure\Common\FIH32.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Gigex Downloads\New Folder\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\F-Secure\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Net-It Launcher] C:\WINDOWS\System32\NILaunch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [OfficeGuard RegChecker] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\ogrc.exe"
O4 - HKLM\..\Run: [AVPCC] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro\avpcc.exe" /wait
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIMS.EXE
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\winzip\WZQKPICK.EXE
O9 - Extra button: Find &Mp3s (HKLM)
O9 - Extra 'Tools' menuitem: Planet.MP3Find (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {965E6B07-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QaBar.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
GretaP
July 1st, 2003, 03:58 AM
okay.........we're on the home stretch here, tim
Fix these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://dev.ntcor.com/search.html
O16 - DPF: {965E6B07-6832-4738-BDBE-25F226BA2AB0} (Adult Links) - http://www.mainentrypoint.com/linkzz/QaBar.cab
Reboot and then delete:
PgMonitr.exe (in C:\Program Files\DelFin\PromulGate folder)
dw.exe (in C:\Program Files\DownloadWare folder)
id85255.exe (in C:\WINDOWS\System32 folder)
Also, navigate to this file:
C:\WINDOWS\wintrim\WINTRIMS.EXE
right-click on WINTRIMS.EXE and select Properties.....what does it say about that file?
tim1234
July 1st, 2003, 04:10 AM
Type of file: Application
Description: wintrim
Location: C:\WINDOWS\wintrim
Size: 15.5 KB (15,872 bytes)
size on disk: 16.0 KB (16,384 bytes)
created: Saturday, June 28, 2003, 4:59:04 PM
modified: Saturday, June 28, 2003, 4:59:02 PM
accessed: Today, June 30, 2003, 11:00:24 PM
GretaP
July 1st, 2003, 04:21 AM
Sorry, I messed up a little bit (nothing critical) because my dogs were howling to go out, and I was trying to get a response to you too fast. Anyhow, delete these folders:
DownloadWare
RSNet
ezula
DelFin
Totem Shared
Also, for the Wintrim file, bring up the Properties window and click on the Version tab.....what does it say there for Description and Copyright?
tim1234
July 1st, 2003, 04:28 AM
file version 1.0.1.0
Description: wintrim
Copyright: Copyright © 2002
and there's a box with other version info, but they are all 1.0.1.0
GretaP
July 1st, 2003, 04:31 AM
Fix it with HiJack This
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIMS.EXE
Delete the wintrim folder and its contents
tim1234
July 1st, 2003, 04:36 AM
When I try to delete the folder it says:
Cannot delete wintrims: access is denied
make sure the disk is not full or write-protected and that it is not currently in use
GretaP
July 1st, 2003, 04:44 AM
I'm not sure if you can do this from a Command Prompt from within Windows or not.
Open the Command Prompt (Start>Programs>Accessories>Command Prompt)
At the prompt, key in:
cd C:\windows
<ENTER>
At the C:\WINDOWS prompt, key in:
deltree wintrim
<ENTER>
Press Y at the confirmation of deletion message.
If you're unable to do it from within Windows, restart, keep tapping the F8 key when it's booting up, in order to get the Startup menu. Choose Safe Mode with Command Prompt. Then follow my previous instructions.
**EDIT** Perhaps you didn't fix the
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIMS.EXE
with HiJack This and reboot before attempting to delete the folder? If not, try that first.
tim1234
July 1st, 2003, 04:55 AM
OK, I deleted the wintrim folder, I had to do it in safe mode, and
O4 - HKCU\..\Run: [MC] C:\WINDOWS\wintrim\WINTRIMS.EXE
is gone
GretaP
July 1st, 2003, 04:59 AM
Excellent!!! I think that just about wraps it up :)
One thing you might want to consider is doing an Online Virus Scan (http://www.ravantivirus.com/scan/), just in case you have some hidden nasties.
tim1234
July 1st, 2003, 05:01 AM
thx a lot, I'm amazed at the service I get over here, probably better than anything I pay for (:
GretaP
July 1st, 2003, 05:08 AM
You're very welcome, timmy :D And don't hesitate to post again if you run into any further problems.