add/remove, system restore failure


Guest

not sure if i am posting this in the correct place, have been advised to scan
my system with "hijack this" and wait for a kind hearted expert to analyse
and advise.
Logfile of HijackThis v1.99.1
Scan saved at 04:13:38, on 20/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround
Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rmctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\WPM_Monitor\WPMMonitor.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\WinAce\WinAce.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinAce\WinAce.exe
C:\Program Files\WinAce\WinAce.exe
C:\Program Files\WinAce\WinAce.exe
C:\Documents and Settings\John\My Documents\My Videos\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.blueyonder.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.dell.co.uk/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IE PopUp-Killer ; Neikeisoft -
{49E0E0F0-5C30-11D4-945D-000000000003} -
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program
Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} -
C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 -
{9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program
Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar2.dll
O3 - Toolbar: Norton Internet Security 2006 -
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common
Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} -
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog
Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program
Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control
Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event
Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live!
24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common
Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media
Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Workflow] D:\Workflow.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft
AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MUSICMATCH\MUSICMATCH
Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program
Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common
Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"
-atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\WINDOWS\system32\rmctrl.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec
Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe"
/startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google
Desktop Search\GoogleDesktop.exe" /startup
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker]
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft
ActiveSync\WCESCOMM.EXE"
O4 - Startup: WPM Monitor.LNK = C:\Program Files\WPM_Monitor\WPMMonitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program
Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HPAiODevice(hp psc 900 series) - 1.lnk = C:\Program
Files\Hewlett-Packard\AiO\hp psc 900 series\Bin\hpobrt07.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program
Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program
Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program
Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program
files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program
files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program
files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program
files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program
files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program
files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Create Mobile Favorite -
{2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft
ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} -
C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... -
{2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft
ActiveSync\inetrepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -
C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) -
http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage
Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) -
https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility
Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124954846031
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
http://download.zonelabs.com/bin/promotions/spywaredetector/ICSScanner37380.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge)
-
http://a248.e.akamai.net/f/248/5462...img/operations/symbizpr/xcontrol/SymDlBrg.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) -
http://www.blueyonder.co.uk/assets/tool/files/MotivePreQual.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) -
https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) -
http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326
O23 - Service: Ati HotKey Poller - Unknown owner -
C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) -
Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program
Files\Norton Internet Security\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -
C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak
Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec
Corporation - C:\Program Files\Norton Internet Security\Norton
AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\Security
Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program
Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec
Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

many thanks
 
seanpaul99 said:
not sure if i am posting this in the correct place, have been advised
to scan my system with "hijack this" and wait for a kind hearted
expert to analyse and advise.

We ask that you not post HijackThis logs in the MS newsgroups. Analyzing
HJT logs takes a lot of time and expertise and you will not get the
attention you need here. Instead, choose one of the following forums
and post your log there:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial
http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

Malke
 
What Malke said.

This is one of the Bad Guys:
C:\Program Files\WinAce\WinAce.exe

<QP>
W32.HLLW.Yoof is a worm that spreads by using the KaZaA file-sharing
program. It tricks KaZaA users into downloading and executing the worm.
</QP>
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.yoof.html

P2P file sharing is not without its risks: Though you may not use KaZaA
yourself, any files you got from a KaZaA user may be infected with
W32.HLLW.Yoof (AKA W32/Duload.worm [McAfee], W32/Duload-A [Sophos],
WORM_DULOAD.A [Trend]).
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Shell/User, Security), Aumha.org VSOP, DTS-L.org
 
PA

What's wrong with WinAce?..

--
Mike Hall
MVP - Windows Shell/User


 
Oops! That'd be WinAce.exe located in %system%\Media. <emily litella>
nevermind...
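
The correction above turns on where the file lives, not what it is called. As an added example (not part of the thread, and not HijackThis's own code), this Python code reads the "Running processes:" section of a log in the posted format, rejoins paths the newsreader wrapped, and separates a name-only hit from a name-plus-folder match. It assumes %system% means C:\WINDOWS\system32; the sample log, function names and verdict labels are constructed for illustration.

```python
import ntpath
import re

# Constructed excerpt in the format of the log posted above, including one
# path that the newsreader wrapped onto a second line.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround
Mixer\CTSysVol.exe
C:\Program Files\WinAce\WinAce.exe
C:\Program Files\WinAce\WinAce.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.blueyonder.co.uk/
"""

# Assumption: the advisory placeholder %system% is the Windows system folder,
# C:\WINDOWS\system32 on a default XP install like the one in the log.
ENV = {"system": r"C:\WINDOWS\system32"}

DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def running_processes(log_text):
    """Return image paths from 'Running processes:', rejoining wrapped lines."""
    paths, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if not in_section:
            in_section = line.lower() == "running processes:"
            continue
        if not line:
            if paths:
                break  # the blank line after the list ends the section
            continue
        if DRIVE_PATH.match(line):
            paths.append(line)
        elif paths:
            # No drive letter: continuation of a path wrapped at a space.
            paths[-1] += " " + line
    return paths


def normalize(path, env):
    """Expand %var% placeholders, then case-fold and tidy the Windows path."""
    for var, value in env.items():
        path = re.sub(re.escape("%" + var + "%"), lambda m: value, path,
                      flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))


def triage(paths, name, directory, env):
    """Classify every process whose file name equals the indicator's name.

    'match'         -> name and folder both agree with the indicator
    'name-only'     -> same file name in a different folder
    'check-on-host' -> folder is an 8.3 short name and cannot be compared here
    """
    want_name = name.lower()
    want_dir = normalize(directory, env)
    verdicts = {}
    for original in paths:
        folder, base = ntpath.split(normalize(original, env))
        if base != want_name:
            continue
        if "~" in folder:
            verdicts[original] = "check-on-host"
        elif folder == want_dir:
            verdicts[original] = "match"
        else:
            verdicts[original] = "name-only"
    return verdicts


if __name__ == "__main__":
    procs = running_processes(SAMPLE_LOG)
    for path, verdict in triage(procs, "WinAce.exe", r"%system%\Media", ENV).items():
        print(verdict, path)
```
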
 
well hopefully you have helped me to identify and remove the cause of my
problem. now how do i get system restore to restore and how do i get
add/remove programs to change/remove programs?
thanks for your help.
merry xmas
--
seanpaul99


 
When all else fails, HijackThis v1.99.1
(http://aumha.net/downloads/hijackthis.zip) is the preferred tool to use.
It will help you to both identify and remove any hijackware/spyware. **Post
your log to http://forums.spywareinfo.com/,
http://castlecops.com/forum67.html or http://aumha.net/viewforum.php?f=30
for expert analysis, not here.**

Post your log to one of the above forums.
--
~PA Bear
 
hi sean, i'm also having the same problem with one of my pcs. please post the
solution once you get it. thanx

 
hi pa bear.
your advice has been followed, used hijack this and posted the log in the
various places but unfortunately still no joy, my problem still exists. any
further advice?
seasons greetings to all.
--
seanpaul99


 
hiya Jazz
yep i will post the solution as soon as i find it, i trust you will do
likewise.
seasons greetings.
--
seanpaul99


 
hiya Malke
thanks for your comments. an oversight on my part, it won't happen again.
if you can find a solution to my problem i would be most grateful.
seasons greetings.
 
Please post the URLs linking to your forum threads & we'll have a look/see.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE/OE, Security, Shell/User)
 