(Solved) Rapid Blaster and porno pop-ups (New)

mjordan2001's Avatar
Junior Member with 3 posts.
 
Join Date: May 2003
22-May-2003, 09:15 PM #16
rapid blaster
I did as suggested. Installed and ran SpyBot S&D, fixed all problems, then ran HGT and got a new log.

I *think* I got rid of the rapid blaster but am not sure so if someone could take a look at the new log and let me know I would much appreciate it.

Logfile of HijackThis v1.94.0
Scan saved at 6:12:49 PM, on 5/22/2003
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://www.comcast.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title=Microsoft Internet Explorer provided by Comcast
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: WebFerret - {A58686ED-FC46-44C3-95C6-4A812AB776F1} - C:\Program Files\FerretSoft\WebFerret\FerretBand.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Comcast\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [ComcastSUPPORT] C:\Program Files\Support.com\bin\tgkill.exe /cleaneahtioga /start
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
O4 - HKLM\..\Run: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autoclose /waitmore
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Help (HKCU)
O9 - Extra button: ComcastHSI (HKCU)
O9 - Extra button: Support (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.comcast.net
O16 - DPF: {0713E8D2-850A-101B-AFC0-4210102A8DA7} (Microsoft ProgressBar Control, version 5.0 (SP2)) - http://download.mcafee.com/molbin/Sh...2/ComCtl32.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...ctor/swdir.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {3B240FE6-F3DC-4E56-954D-257471ABF8F8} (Artwork Player) - http://www.geecreations.com/cab/artworkplayer.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/...4/mcinsctl.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...683.8331018519
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
22-May-2003, 09:48 PM #17
SSD has done its job. Log is clean.
mjordan2001's Avatar
Junior Member with 3 posts.
 
Join Date: May 2003
23-May-2003, 10:58 AM #18
THANK YOU!!

Now, any ideas on what this "Avenue A, Inc" is that I keep being warned about by SSD whenever I load this page?

Seems rather ironic that I'm receiving potential bots on a page made for getting rid of them......ROFL
Top Banana's Avatar
Senior Member with 1,344 posts.
 
Join Date: Nov 2002
23-May-2003, 11:10 AM #19
"Avenue A. Inc" is a tracking cookie. It gathers information on your web browsing habits. Concerns privacy as opposed to security. In the grand scheme of things, a minor irritant. Easily dealt with.
18c's Avatar
Senior Member with 131 posts.
 
Join Date: May 2003
30-May-2003, 10:37 PM #20
well i have the same problem, i have tried these programs including ad-aware and i have gone into my registry and looked for it.. i have deleted the program file of it but it is still in my start-up.. "msconfig" and i unchecked it for now.. but how do i get rid of it..i cannot seem to find it anywhere in my registry or in that hijacker program or in my internet folder and it is not in my program files.. but it is in my start up.. which must mean that it is loading when my comp starts.. can someone please help..
18c's Avatar
Senior Member with 131 posts.
 
Join Date: May 2003
30-May-2003, 10:40 PM #21
also do you want me to post what hijacker came up with?
shy.hobbs's Avatar
Junior Member with 1 posts.
 
Join Date: May 2003
31-May-2003, 05:57 AM #22
rb32.exe
Thanks to Steve; from following the directions to use regedit and hotkeys it looks as though the virus has been removed.
18c's Avatar
Senior Member with 131 posts.
 
Join Date: May 2003
01-Jun-2003, 06:05 PM #23
Does anyone know how to get this program off of my start-up list.. i have tried the regedit but i don't see anything in any of the files that you mentioned... please help
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
02-Jun-2003, 06:58 PM #24
Please do the following:

Go to http://www.tomcoyote.org/hjt/ , and download 'Hijack This!'.
Unzip, doubleclick HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere, and please show us its contents.

Most of what it lists will be harmless or even required, so do NOT fix anything yet.
Someone here will be happy to help you analyze the results.
__________________
Tony - CLSID List - A Collection of Autostart Locations
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
02-Jun-2003, 07:00 PM #25
BTW, if you unchecked it, it won't be visible in your log...

After restarting, delete the RapidBlaster/RB32 folder in Program Files.

If you want to get the unchecked RB entry off your Msconfig/Startup list (although it's harmless), you'll need to edit the Registry.

But please post that Hijack This log first.
tendoboy101's Avatar
Member with 35 posts.
 
Join Date: Jun 2003
07-Jun-2003, 12:43 PM #26
i've run spybot and adaware, after searching for updates and getting them, looked in reg edit and found nothing, looked in msconfig, found nothing, and it's still coming up! help! here's my hijack this log...

Logfile of HijackThis v1.94.0
Scan saved at 12:30:01 PM, on 06/07/2003
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v5.00 (5.00.2614.3500)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL=http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL=http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant=http://www.couldnotfind.com/search_page.html?&account_id=50108
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL=http://www.terra.es/personal8/robrimer/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.search-plus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar=http://www.terra.es/personal8/robrimer/search.html
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [CLMFrontPanel] clmpanel /i
O4 - HKLM\..\Run: [ConMgr.exe] "C:\PROGRAM FILES\EARTHLINK 5.0\CONMGR.EXE"
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\PROGRA~1\HPCD-W~1\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [Realtime Monitor] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\realmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\Program Files\ICQ\NDetect.exe
O4 - HKLM\..\Run: [vwtnpxfn] C:\WINDOWS\SYSTEM\vwtnpxfn.exe
O4 - HKLM\..\Run: [vqaexpya] C:\WINDOWS\SYSTEM\vqaexpya.exe
O4 - HKLM\..\Run: [HP CD-Writer] C:\Program Files\HP CD-Writer\Mmenu\hpcdtray.exe
O4 - HKLM\..\Run: [aimaol lptt01] "c:\program files\aimaol\aimaol.exe"
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKLM\..\RunServices: [TVWatch] C:\WINDOWS\SYSTEM\TVWatch.exe
O4 - HKLM\..\RunServices: [InoTask] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoTask.exe
O4 - HKLM\..\RunServices: [InoRT] C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\InoRT9x.exe
O4 - HKCU\..\Run: [ICQ Plus] "C:\Program Files\ICQPlus\vplus.exe"
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.EXE
O4 - Startup: EarthLink ToolBar 5.0.lnk = C:\Program Files\EarthLink 5.0\etoolbar.exe
O4 - Startup: TextBridge Instant Access OCR.lnk = C:\Program Files\TextBridge Classic\Bin\TBMenu.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW Prefix:
O15 - Trusted Zone: http://free.aol.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37624.7372916667
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
07-Jun-2003, 12:52 PM #27
Yes, this new version is a nightmare...

Try starting your computer in Safe Mode, find the aimaol folder in c:\program files and delete it.

Also delete the following files:

C:\WINDOWS\SYSTEM\vwtnpxfn.exe
C:\WINDOWS\SYSTEM\vqaexpya.exe

Then, still in Safe Mode, run Hijack This, and have it fix these:

O4 - HKLM\..\Run: [vwtnpxfn] C:\WINDOWS\SYSTEM\vwtnpxfn.exe
O4 - HKLM\..\Run: [vqaexpya] C:\WINDOWS\SYSTEM\vqaexpya.exe
O4 - HKLM\..\Run: [aimaol lptt01] "c:\program files\aimaol\aimaol.exe"




By the way, could you please do a Find Files for winsysx?
Do you happen to have a file by that name?
tendoboy101's Avatar
Member with 35 posts.
 
Join Date: Jun 2003
07-Jun-2003, 12:57 PM #28
i knew that aimaol file was weird! just never opened (stupid me)
i ran a find, and found no winsysx, but here's a dumb question (i'm not computer literate) how do i start up in safe mode?
TonyKlein's Avatar
Distinguished Member with 10,510 posts.
 
Join Date: Aug 2001
Location: The Netherlands
07-Jun-2003, 01:07 PM #29
How to start the computer in Safe Mode


BTW, these are the RB file names we've collected at present. When in Safe Mode, better look for each and every one of them:

- rb32 lptt01 = rb32.exe (In a "RapidBlaster" folder in Program Files)
- realplay lptt01 = realplay.exe (In a "RealPlay" folder in Program Files)
- Notepad lptt01 = Notepad.exe (In a "Notepad" folder in Program Files)
- Bsoft lppt01 = Bsoft.exe (In a "BelmontSoft" folder in Program Files)
- Icon lptt01 = icon.exe (In an "Icon" folder in Program Files)
- msys lptt01 = msys.exe (In a "Msyss" folder in Program Files)
- aimaol lptt01 = aimaol.exe (In an "Aimaol" folder in Program Files)
- nvd32 lptt01 = nvd32.exe (In a Program Files\NvidStar directory)
- syscon lptt01 = syscon.exe (In a "Syscon" folder in Program Files)
- winwan lptt01 = winwan.exe (In a "Winwan" folder in Program Files)
- taskmngr lptt01 = taskmngr.exe (In a "Taskmngr" folder in Program Files)
- mcf lptt01 = mcf.exe (In a "Mcf" folder in Program Files)
- winsyslog lptt01 = winsyslog.exe (In a "Winsyslog" folder in Program Files)

You'd better check for ALL of those!
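The file list in post #29, turned into a check over HijackThis O4 (autostart) lines. This is an added example, not part of the original thread or any poster's tool; the function names are hypothetical, and the sample mixes lines from the log in post #26 with one constructed line.

```python
import re

# Executable -> folder under Program Files, as listed in post #29 (lowercased).
RB_FILES = {
    "rb32.exe": "rapidblaster", "realplay.exe": "realplay",
    "notepad.exe": "notepad", "bsoft.exe": "belmontsoft",
    "icon.exe": "icon", "msys.exe": "msyss", "aimaol.exe": "aimaol",
    "nvd32.exe": "nvidstar", "syscon.exe": "syscon", "winwan.exe": "winwan",
    "taskmngr.exe": "taskmngr", "mcf.exe": "mcf", "winsyslog.exe": "winsyslog",
}
# Value-name suffix shared by the listed entries (one is written "lppt01").
RB_SUFFIXES = ("lptt01", "lppt01")

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'"?([^"]*?\.exe)', re.IGNORECASE)

def check_line(line):
    """Return the reasons an O4 registry line matches the post #29 list, else []."""
    m = O4_RE.match(line.strip())
    if not m:
        return []
    reasons = []
    if m["name"].lower().endswith(RB_SUFFIXES):
        reasons.append("value name ends in lptt01/lppt01")
    exe = EXE_RE.match(m["cmd"])
    if exe:
        parts = exe.group(1).lower().split("\\")
        folder = RB_FILES.get(parts[-1])
        # Match only <drive>\program files\<listed folder>\<listed exe>, so the
        # real C:\WINDOWS\notepad.exe is not flagged. 8.3 short paths are not handled.
        if folder and parts[-3:-1] == ["program files", folder]:
            reasons.append("listed file in Program Files\\" + folder)
    return reasons

def scan(log_text):
    """Map each matching O4 line of a HijackThis log to its reasons."""
    hits = {}
    for line in log_text.splitlines():
        reasons = check_line(line)
        if reasons:
            hits[line.strip()] = reasons
    return hits

# Sample: first three lines are from the post #26 log, the last is constructed.
SAMPLE = r"""
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vwtnpxfn] C:\WINDOWS\SYSTEM\vwtnpxfn.exe
O4 - HKLM\..\Run: [aimaol lptt01] "c:\program files\aimaol\aimaol.exe"
O4 - HKLM\..\Run: [Notepad] C:\WINDOWS\notepad.exe
"""
```

`scan(SAMPLE)` returns only the aimaol line. The `vwtnpxfn` and `vqaexpya` entries that post #27 also had fixed are not on the post #29 list, so a name-list check like this does not replace reading the log by hand.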
tendoboy101's Avatar
Member with 35 posts.
 
Join Date: Jun 2003
07-Jun-2003, 01:40 PM #30
i did as you said and so far so good. thank you! i couldn't find the two files in the system folder, but i did pick them up in hijack this and fixed them, and i did delete the aimaol folder. thank you again, this thing has been a thorn in my side for too long. a regular sars of the computer world with all its lovely mutations if you will lol. thanks again!