Keep getting Hi Jacked


diannekw
May 9th, 2004, 10:18 PM
I am at the end of my rope. I have downloaded and installed all of the appropriate sites, AdAware, CWShredder, HijackThis, and I delete the junk when the experts tell me to when I run a scan. But everything keeps coming back, like All About Searching, ZestyFind.com, etc. Every time I re-boot my home page changes back to one of those sites. Now my computer is operating very erratically and it won't let me view regular sites and completely shuts down regular sites and takes me back to my desktop. I guess I will have to have a PC Repair guy come in and look at it, but thought I would check with you guys one more time for any more advice you might be able to give me.

Thanks

diannekw
May 9th, 2004, 10:22 PM
I am also getting RUNDLL Error windows saying, "Error loading wincore.dll Paging file too small for this operation to complete" before the site shuts down and takes me back to the desktop.

photolady
May 9th, 2004, 10:55 PM
If you still keep getting hijacked, this problem could still be in your restore points. Have you cleared them? If not, go to "My Computer" and right-click on this, then scroll to "Properties", then click on the "System Restore" tab and put a check mark in "Turn off System Restore", and restart your computer. This will clear any restore points you have and clear any nasties saved there. After restarting, go back to System Restore and take the check mark out, enabling your system to create restore points again.

crunchie
May 9th, 2004, 11:07 PM
Can you download the following app & run it, making sure to have one internet exploder window open. Save the log & paste the results back here.
VX2Finder (http://download.broadbandmedic.com/VbStuff/VX2Finder.exe)

Next, type javascript:navigator.userAgent or just copy and paste it in your IE Address bar then hit enter.

Post the log from VX2Finder here along with the results from the address bar.

diannekw
May 9th, 2004, 11:19 PM
Log:

Files Found---
C:\WINDOWS\System32\6co4svc.dll
C:\WINDOWS\System32\6ho4svc.dll
C:\WINDOWS\System32\6io4svc.cpy.dll
C:\WINDOWS\System32\6lo4svc.cpy.dll
C:\WINDOWS\System32\6no4svc.cpy.dll
C:\WINDOWS\System32\6no4svc.dll
C:\WINDOWS\System32\6po4svc.dll
C:\WINDOWS\System32\6ro4svc.cpy.dll
C:\WINDOWS\System32\6ro4svc.dll
C:\WINDOWS\System32\6so4svc.cpy.dll
C:\WINDOWS\System32\6so4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6xo4svc.cpy.dll
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\abaamon.dll
C:\WINDOWS\System32\agaamon.dll
C:\WINDOWS\System32\aptxprxy.dll


Guardian Key--- is called: GuardianNQRWJ
Asynchronous 000
DllName C:\WINDOWS\system32\agaamon.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {8DD6771F-700B-476A-9A60-C460220F868E}
IDex BM0

User Agent String---
{8DD6771F-700B-476A-9A60-C460220F868E}
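
The VX2Finder log above shows the part of this infection that keeps bringing everything back: a Winlogon notification package. The script below is an added example, not part of the original thread or of the VX2Finder tool, that parses that log and spells out what each field means for removal. The log text is copied from the post above; the registry path and the meaning of the Logon/Logoff/DllName values are the standard Winlogon Notify layout on Windows XP, which the log itself does not state.

```python
"""Parse a VX2Finder log and explain the Winlogon Notify persistence it reports.

Added example; not part of the thread or of the VX2Finder tool.
"""
import re
from typing import Dict, List

# Log text copied from the VX2Finder output posted above.
VX2_LOG = r"""Files Found---
C:\WINDOWS\System32\6co4svc.dll
C:\WINDOWS\System32\6ho4svc.dll
C:\WINDOWS\System32\6io4svc.cpy.dll
C:\WINDOWS\System32\6lo4svc.cpy.dll
C:\WINDOWS\System32\6no4svc.cpy.dll
C:\WINDOWS\System32\6no4svc.dll
C:\WINDOWS\System32\6po4svc.dll
C:\WINDOWS\System32\6ro4svc.cpy.dll
C:\WINDOWS\System32\6ro4svc.dll
C:\WINDOWS\System32\6so4svc.cpy.dll
C:\WINDOWS\System32\6so4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6xo4svc.cpy.dll
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\abaamon.dll
C:\WINDOWS\System32\agaamon.dll
C:\WINDOWS\System32\aptxprxy.dll


Guardian Key--- is called: GuardianNQRWJ
Asynchronous 000
DllName C:\WINDOWS\system32\agaamon.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {8DD6771F-700B-476A-9A60-C460220F868E}
IDex BM0

User Agent String---
{8DD6771F-700B-476A-9A60-C460220F868E}
"""

# Where Windows XP keeps Winlogon notification packages. Each subkey names a
# DLL that winlogon.exe loads at boot and calls on the events listed in its
# Logon/Logoff values, before the user's shell starts. Standard layout; the
# log only prints the subkey name ("Guardian...").
NOTIFY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)


def parse_vx2_log(text: str) -> Dict[str, object]:
    """Split the log into the file list, the Guardian (Notify) values and the UA string."""
    files: List[str] = []
    guardian: Dict[str, str] = {}
    user_agent = ""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Files Found---"):
            section = "files"
        elif line.startswith("Guardian Key---"):
            section = "guardian"
            guardian["Name"] = line.split("is called:", 1)[1].strip()
        elif line.startswith("User Agent String---"):
            section = "ua"
        elif section == "files":
            files.append(line)
        elif section == "guardian":
            name, _, value = line.partition(" ")  # e.g. "DllName C:\...\agaamon.dll"
            guardian[name] = value.strip()
        elif section == "ua":
            user_agent = line
    return {"files": files, "guardian": guardian, "user_agent": user_agent}


def assess(parsed: Dict[str, object]) -> Dict[str, object]:
    """Turn the parsed log into the facts that matter for removal."""
    guardian = parsed["guardian"]
    files = parsed["files"]
    dll = guardian.get("DllName", "")
    lowered = {f.lower() for f in files}
    return {
        # Full registry path of the entry that reloads the implant at every logon.
        "notify_key": NOTIFY_KEY + "\\" + guardian.get("Name", ""),
        "notify_dll": dll,
        # The Notify DLL is one of the files on disk. Winlogon keeps it loaded
        # while a user is logged on, so deleting it from a normal session fails
        # and whatever survives can put the rest back at the next logon.
        "dll_in_file_list": dll.lower() in lowered,
        "loaded_at_logon": bool(guardian.get("Logon")),
        # The same GUID appears as the registry ID and as IE's User-Agent
        # string; that is what the javascript:navigator.userAgent check looks for.
        "ua_is_implant_id": bool(GUID_RE.match(parsed["user_agent"]))
        and parsed["user_agent"] == guardian.get("ID"),
        # ".cpy.dll" files sit beside the randomly named base DLLs.
        "copy_files": sorted(f for f in files if f.lower().endswith(".cpy.dll")),
        "total_files": len(files),
    }


if __name__ == "__main__":
    for key, value in assess(parse_vx2_log(VX2_LOG)).items():
        print(f"{key}: {value}")
```

The practical consequence is ordering: the Notify subkey has to go (or the machine has to come up without winlogon loading that DLL, i.e. safe mode) before the files in System32 can be deleted, which is why a scan-and-delete in the normal session keeps losing.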

crunchie
May 9th, 2004, 11:41 PM
Download Killbox from http://download.broadbandmedic.com/VbStuff/KillBox.zip
Unzip to your desktop.
Run Killbox.exe. From the menu click “Fix L2M” then click “Kill VX2.BetterInternet"

Restart your system

Next, type javascript:navigator.userAgent or just copy and paste it in your IE Address bar then hit enter.

Post the complete result again. (That is, VX2finder log + the IE results)

diannekw
May 10th, 2004, 12:10 AM
I also did the System restore thing that was suggested also.

Then I downloaded Killbox and did the Fix L2M, etc. just as you instructed.

I then rebooted (Note: I am still getting my home page re-directed to (http://www.spotresults.com/dns.php?url=about:blank)

Typed the JavaScript, etc., in the IE Address bar and got "This page cannot be displayed". I also noticed at the very top of the screen after the blue "e" it said, "Invalid Syntax Error".

Here is the log from VX2finder:


Log for VX2.BetterInternet File Finder

Files Found---
C:\WINDOWS\System32\6co4svc.dll
C:\WINDOWS\System32\6fo4svc.cpy.dll
C:\WINDOWS\System32\6ho4svc.dll
C:\WINDOWS\System32\6io4svc.cpy.dll
C:\WINDOWS\System32\6lo4svc.cpy.dll
C:\WINDOWS\System32\6no4svc.cpy.dll
C:\WINDOWS\System32\6no4svc.dll
C:\WINDOWS\System32\6oo4svc.cpy.dll
C:\WINDOWS\System32\6po4svc.dll
C:\WINDOWS\System32\6ro4svc.cpy.dll
C:\WINDOWS\System32\6ro4svc.dll
C:\WINDOWS\System32\6so4svc.cpy.dll
C:\WINDOWS\System32\6so4svc.dll
C:\WINDOWS\System32\6wo4svc.dll
C:\WINDOWS\System32\6xo4svc.cpy.dll
C:\WINDOWS\System32\6zo4svc.dll
C:\WINDOWS\System32\abaamon.dll
C:\WINDOWS\System32\agaamon.dll
C:\WINDOWS\System32\aptxprxy.dll


Guardian Key--- is called: GuardianLIWHS
Asynchronous 000
DllName C:\WINDOWS\system32\agaamon.dll
Impersonate 000
Logon WinLogon
Logoff WinLogoff
Version 124
ID {8DD6771F-700B-476A-9A60-C460220F868E}
IDex BM0

User Agent String---
{8DD6771F-700B-476A-9A60-C460220F868E}

crunchie
May 10th, 2004, 12:45 AM
That didn't fix it but it should have. We will do something else now & can I also get you to download hijackthis & post the log here. I am certain we can get it fixed for you, no charge. ;)

Download the VX2 fix here. (http://download.broadbandmedic.com/VbSt...ternet.exe)
You must run it three times in a row to completely remove the files and registry keys.

Download HijackThis from here (http://www.computercops.biz/downloads-file-328.html) & unzip it into its own, permanent folder (not a temporary folder & not on the desktop). Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is harmless & even necessary to the running of your system.

diannekw
May 10th, 2004, 08:25 AM
I already have HijackThis. That was suggested in an earlier posting a week or so ago. I have been continually scanning and removing items I know are bad (because of them appearing before), but I remove them and they come right back as soon as I log onto the Internet. For example, All About Searching and Zesty.com ALWAYS come right back. My home page shows it is a Pass Through All About Searching before my home page appears. Then my home page frequently changes to http://www.spotresults.com/dns.php?

But I will run the scan again and post it back here along with downloading VX2 and running it 3 times.

diannekw
May 10th, 2004, 08:27 AM
Your hyperlink to VX2 does not work. I get an error page - document not found.

diannekw
May 10th, 2004, 08:28 AM
Here is the URL when I click on your VX2 Hyperlink

http://download.broadbandmedic.com/VbSt...ternet.exe

BigFred
May 10th, 2004, 09:03 AM
Hi Dianne

I think the link that crunchie wants you to go to is http://download.broadbandmedic.com/VbStuff/VX2Finder.exe. BF

diannekw
May 10th, 2004, 09:24 AM
I already had the VX2Finder. When you say to run it 3 times in a row - do you mean I should be removing the files in the lower box on every run or sending you a log and then you tell me what to fix?

crunchie
May 10th, 2004, 10:07 AM
Originally posted by diannekw
I already had the VX2Finder. When you say to run it 3 times in a row - do you mean I should be removing the files in the lower box on every run or sending you a log and then you tell me what to fix?

Can you PM me an email address & I can send you the VX2 tool.

diannekw
May 10th, 2004, 11:25 AM
sure - send away


Also....now my computer is running sooooo slow I have to wait forever for screens to change and I continually get Virtual Memory warnings saying they are upgrading my memory and some programs won't work. I checked my hard drive and I have 18 GB left, so that shouldn't be the problem.

What is virtual memory anyway?

crunchie
May 10th, 2004, 11:35 AM
It's on the way. You can remove the email addy now.
Virtual memory is what the system uses when you run out of physical memory, RAM. It should be set at about 1.5 times your actual physical RAM.
With the VX2 fix, you need to run that 3 times for it to remove all the registry entries. Set up a system restore first. Your system will reboot on every fix. You can also run it like VX2 finder to see if anything is there.

diannekw
May 11th, 2004, 02:20 AM
I ran the program three times, but had to do it manually the last 2 times. It only re-booted the first time it ran. I am not convinced the files were deleted because the last time it ran sort of funky. There was a white screen but it was a big white window and not just the little OE window. Does it sound like I know what the heck I am talking about? Not!

Anyway, my computer is still running slow and freezing up for a bit, but I did another HijackThis and here is the log:

Logfile of HijackThis v1.97.7
Scan saved at 1:17:26 AM, on 5/11/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sccmgr.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AIMKEE~1\BITSBAGS.exe
C:\Program Files\Common files\WinTools\WToolsA.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Common files\WinTools\WToolsS.exe
C:\Program Files\Common files\WinTools\WSup.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://scwmls.fnismls.com/Paragon/Login.asp?Error=Invalid%20Login,%20try%20again.&LoginID=castle
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bait film] C:\PROGRA~1\AIMKEE~1\BITSBAGS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [STOPzilla] C:\Program Files\STOPzilla!\Stopzilla.exe /autorun
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Inet Delivery] C:\Program Files\Inet Delivery\intdel_2.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~3\PSFree.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\pchbutton.exe
O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Billminder.lnk = C:\Program Files\QUICKENW\billmind.exe
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\QUICKENW\QWDLLS.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Real.com (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: {01111C00-3E00-11D2-8470-0060089874ED} (Support.com ActionRunner Class) - http://help.rr.com/Foundrysdccommon/download/tgctlar.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1267/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinstc.cab
O16 - DPF: {4DEE438E-5A3F-463C-8944-006534BA52F2} - http://www.topmoxie.com/external/builds/boxtopgmills/BoxTopsShoppingReminder_moxie.cab
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {853BB786-B7C5-11D3-927D-00C0DF41B505} (FlyerViewer Control) - http://www.topproducer.com/downloads/controls/FlyView.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.brightstreet.com/cif/download/bin/actxcab.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://download.yahoo.com/dl/mail/autocomplete.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/hitodama.exe
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://rr.esecurecare.net/rnt/rnl/java/RntX.cab
O16 - DPF: {ECDEDB7F-BFD2-4010-9502-D300C3DDCD54} (SystemChecker.CheckerCtrl) - http://scwmls.fnismls.com/Paragon/Codebase/SystemChecker.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/ym/yiebio5_1_6_0.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://sc.communities.msn.com/controls/chat/msnchat45.cab
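
Most of what gets picked out of a log like this can be found mechanically. The script below is an added example (not part of the thread or of HijackThis) that runs a few of those checks over an abridged copy of the log above: hosts-file entries that send IE's search hostnames to a non-loopback address, one LSP DLL stacked across every protocol chain, the Run entries the replies in this thread name as unwanted (that list is an assumption taken from the replies, not a general signature list), and Downloaded Program Files entries whose codebase is a bare .exe/.ocx instead of a .cab.

```python
"""Triage checks over a HijackThis v1.97 log.

Added example; not part of the thread or of HijackThis.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Abridged copy of the HijackThis log posted above (benign lines trimmed).
HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passthrough/index.html?http://scwmls.fnismls.com/Paragon/Login.asp?Error=Invalid%20Login,%20try%20again.&LoginID=castle
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us6.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us6.hpwis.com/
O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Bait film] C:\PROGRA~1\AIMKEE~1\BITSBAGS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [UltimateBuddy] C:\Program Files\UltimateBuddy\UltimateBuddy.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/hitodama.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx
"""

# Run-key names the replies in this thread single out. An assumption taken
# from the thread, not a general signature list.
UNWANTED_RUN_NAMES = {"Bait film", "WinTools", "UltimateBuddy"}
LOOPBACK = {"127.0.0.1", "::1"}
Pair = Tuple[str, str]


def hosts_hijacks(lines: List[str]) -> List[Pair]:
    """O1 entries mapping a name to anything other than loopback.
    IE's address-bar search resolves auto.search.msn.com; pointing it and the
    other search names at an outside address redirects every search there."""
    found = []
    for line in lines:
        m = re.match(r"O1 - Hosts: (\S+) (\S+)", line)
        if m and m.group(1) not in LOOPBACK:
            found.append((m.group(2), m.group(1)))  # (hostname, address)
    return found


def lsp_entries(lines: List[str]) -> Counter:
    """Unknown Winsock LSP DLLs, counted per DLL. One DLL appearing once per
    protocol chain is how an LSP registers; the count is the number of catalog
    entries LSPfix has to pull."""
    counts: Counter = Counter()
    for line in lines:
        m = re.match(r"O10 - Unknown file in Winsock LSP: (.+)", line)
        if m:
            counts[m.group(1).strip().lower()] += 1
    return counts


def unwanted_run_entries(lines: List[str], names) -> List[Pair]:
    """O4 Run entries whose bracketed name is on the given list."""
    found = []
    for line in lines:
        m = re.match(r"O4 - HK\w+\\\.\.\\Run: \[([^\]]+)\] (.+)", line)
        if m and m.group(1) in names:
            found.append((m.group(1), m.group(2)))  # (name, command)
    return found


def non_cab_activex(lines: List[str]) -> List[Pair]:
    """O16 entries whose codebase URL is not a .cab. Most ActiveX codebases
    are .cab files; a bare executable is the pattern behind the two O16 lines
    the thread tells the user to fix."""
    found = []
    for line in lines:
        m = re.match(r"O16 - DPF: (\{[^}]+\}).* - (\S+)$", line)
        if m and not urlparse(m.group(2)).path.lower().endswith(".cab"):
            found.append((m.group(1), m.group(2)))  # (CLSID, codebase URL)
    return found


def start_page_mismatch(lines: List[str]) -> Optional[Pair]:
    """(start host, default host) when the R0 start page is not the OEM default."""
    start = default = None
    for line in lines:
        if line.startswith("R0") and ",Start Page = " in line:
            start = line.split(" = ", 1)[1]
        elif ",Default_Page_URL = " in line:
            default = line.split(" = ", 1)[1]
    if not (start and default):
        return None
    hosts = (urlparse(start).hostname, urlparse(default).hostname)
    return hosts if hosts[0] != hosts[1] else None


def triage(text: str) -> Dict[str, object]:
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    return {
        "hosts_hijacks": hosts_hijacks(lines),
        "lsp": lsp_entries(lines),
        "unwanted_run": unwanted_run_entries(lines, UNWANTED_RUN_NAMES),
        "non_cab_activex": non_cab_activex(lines),
        "start_page_mismatch": start_page_mismatch(lines),
    }


if __name__ == "__main__":
    for key, value in triage(HJT_LOG).items():
        print(f"{key}: {value}")
```

The four identical O10 lines are one DLL inserted into each Winsock provider chain. Pulling those entries out one at a time, or deleting the DLL while the chain still references it, leaves a broken catalog and no networking, which is why the thread reaches for LSPfix rather than HijackThis for that item.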

crunchie
May 11th, 2004, 02:47 AM
Hmmm. Yucky. You also have jraun there too, as well as bonzi buddy.

Download LSPfix from here (http://www.computercops.biz/downloads-file-334.html)
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "inetadpt.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Is ultimatebuddy a wanted program? If not, have HJT fix the entry, then delete the folder in safe mode.

Unzip HJT into its own permanent folder before doing anything in order for it to create backups. (Not a temporary folder or the desktop & not directly on your hard drive). Close all (browser) windows & rescan with hijackthis. When the scan is finished place a check in the box to the left of the following entries & click 'fix checked'=

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://allaboutsearching.com/passth...;LoginID=castle

O1 - Hosts: 207.36.196.189 auto.search.msn.com
O1 - Hosts: 207.36.196.189 search.netscape.com
O1 - Hosts: 207.36.196.189 ieautosearch

O4 - HKLM\..\Run: [Bait film] C:\PROGRA~1\AIMKEE~1\BITSBAGS.exe
O4 - HKLM\..\Run: [WinTools] C:\Program Files\Common files\WinTools\WToolsA.exe

O16 - DPF: {BD11A280-2E73-11CF-B6CF-00AA00A74DAF} - http://www.talkingbuddy.com/characters/hitodama.exe
O16 - DPF: {5C7F15E1-F31A-44FD-AA1A-2EC63AAFFD3A} - http://www.atelys.com/src/Speedup.ocx

Reboot into safe mode following the instructions here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) & navigate to & delete

C:\PROGRA~1\AIMKEE~1< folder
C:\Program Files\Common files\WinTools< folder

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here. (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Reboot normally after doing the above then post a fresh log please.

Please post a VX2Finder log as well.