referred by GR@ph<"S"

Started by irishsupplyguy, October 17, 2005, 02:05:56 PM


irishsupplyguy

Good morning Rawe:
Ran WebRoot as you suggested. Attached is the session log and a fresh HJT log. I really appreciate your help!!

********
9:55 AM: |       Start of Session, Wednesday, October 26, 2005       |
9:55 AM: Spy Sweeper started
9:55 AM: Sweep initiated using definitions version 561
9:55 AM: Starting Memory Sweep
9:57 AM: Memory Sweep Complete, Elapsed Time: 00:01:45
9:57 AM: Starting Registry Sweep
9:57 AM:   Found Adware: coolwebsearch (cws)
9:57 AM:   HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {81a1550a-a544-72d8-f0e6-372bee4fa644} (ID = 110295)
9:57 AM: Registry Sweep Complete, Elapsed Time:00:00:08
9:57 AM: Starting Cookie Sweep
9:57 AM:   Found Spy Cookie: 2o7.net cookie
9:57 AM:   administrator@2o7[2].txt (ID = 1957)
9:57 AM:   Found Spy Cookie: pointroll cookie
9:57 AM:   administrator@ads.pointroll[1].txt (ID = 3148)
9:57 AM:   Found Spy Cookie: atlas dmt cookie
9:57 AM:   administrator@atdmt[2].txt (ID = 2253)
9:57 AM:   Found Spy Cookie: atwola cookie
9:57 AM:   administrator@atwola[1].txt (ID = 2255)
9:57 AM:   Found Spy Cookie: ru4 cookie
9:57 AM:   administrator@edge.ru4[1].txt (ID = 3269)
9:57 AM:   Found Spy Cookie: nextag cookie
9:57 AM:   administrator@nextag[2].txt (ID = 5014)
9:57 AM:   Found Spy Cookie: questionmarket cookie
9:57 AM:   administrator@questionmarket[1].txt (ID = 3217)
9:57 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:57 AM: Starting File Sweep
10:02 AM:   mortgage life insurance.url (ID = 130681)
10:02 AM:   search the web.url (ID = 54454)
10:02 AM:   seven days of free porn.url (ID = 54472)
10:07 AM:   Found Adware: liveshows online
10:07 AM:   backup-20041228-130716-528.inf (ID = 65674)
10:07 AM: File Sweep Complete, Elapsed Time: 00:09:38
10:07 AM: Full Sweep has completed.  Elapsed time 00:11:35
10:07 AM: Traces Found: 12
10:08 AM: Removal process initiated
10:08 AM:   Quarantining All Traces: coolwebsearch (cws)
10:08 AM:   Quarantining All Traces: liveshows online
10:08 AM:   Quarantining All Traces: 2o7.net cookie
10:08 AM:   Quarantining All Traces: atlas dmt cookie
10:08 AM:   Quarantining All Traces: atwola cookie
10:08 AM:   Quarantining All Traces: nextag cookie
10:08 AM:   Quarantining All Traces: pointroll cookie
10:08 AM:   Quarantining All Traces: questionmarket cookie
10:08 AM:   Quarantining All Traces: ru4 cookie
10:09 AM: Removal process completed.  Elapsed time 00:01:18
********
9:45 AM: |       Start of Session, Wednesday, October 26, 2005       |
9:45 AM: Spy Sweeper started
9:54 AM: Your spyware definitions have been updated.
9:55 AM: |       End of Session, Wednesday, October 26, 2005       |


Logfile of HijackThis v1.99.1
Scan saved at 10:15:12 AM, on 10/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\Trend Micro\Tmas\Tmas.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\NetZero\exec.exe
C:\Program Files\NetZero\qsacc\x1exec.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALPSWX.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXALJSWX.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,First Home Page = C:\Program Files\AOL Toolbar\welcome.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://my.netzero.net/s/sp?r=al&cf=sp&mem=irishsupplyguy&login=ff7dd50d38554aacc7f54e2f02101075/irishsupplyguy:netzero.net/1128621779/30/sss.1.51174/&ts=434566d3&A=0&B=1120892400000&C=1120892400000&D=1125471600000&I=7.NH3&N=PLHS&O=I&UT=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll
O3 - Toolbar: ZeroBar - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - C:\Program Files\NetZero\Toolbar.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKLM\..\Run: [USRpdA] C:\WINDOWS\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA
O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\RunOnce: [untd_recovery] "C:\Program Files\NetZero\qsacc\x1exec.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
O8 - Extra context menu item: &AOL Toolbar search - res://c:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Display All Images with Full Quality - res://c:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://c:\Program Files\NetZero\qsacc\appres.dll/227
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1130265368093
O20 - Winlogon Notify: igfxcui - igfxsrvc.dll (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Rawe

Much better. What problems do you have at the moment?
Hi there, stranger!


irishsupplyguy

Good afternoon Rawe:
Thank you for your quick response. There are two obvious issues. When I reboot two strange things happen.
1. Before the computer shuts down I get a pop up message. The header reads "USR prbda.exe  DLL initialization failed." The body reads "the application failed to initialize because a windows station is shutting down". In the background you can see the end task window run briefly then the computer shuts down.

2. When the computer restarts I get a pop up message that reads:
       isactiveguard: RegOpenKeyEx failed 50

Hope that is enough information to get the rest. Thank you, I can't tell you how much I appreciate your efforts on my behalf!

Rawe

Hi, ok, let's try this.

First, please DISABLE Ewido Security Guard. Once you have done that, please UNinstall Ewido completely, including the deletion of the folder.
Then empty recycle bin.

When completed, download CCleaner. Install the program and launch it. Don't run it yet.

When you launch the program, click on "Tools" - menu. Click "Startup".

List the entries that you see here.
Hi there, stranger!


irishsupplyguy

Good morning Rawe:
You must have the patience of Job. Here is the start-up menu from CCleaner. Thank you for your help!

Ad-Aware SE Personal
Adobe Reader 7.0
Agere Systems PCI Soft Modem
America Online (Choose which version to remove)
AntiVir/XP
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Toolbar
AOL You've Got Pictures Screensaver
CCleaner (remove only)
CleanUp!
HijackThis 1.99.1
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_01
Kaspersky On-line Scanner
Learn2 Player (Uninstall Only)
Lexmark Supplies Monitor
Lexmark Z65
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Works 7.0
NetZero
Pure Networks Port Magic
QuickTime
RealPlayer Basic
Roxio Easy Media Creator 7 Basic Edition
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Software Setup
SoundMAX
Spy Sweeper
Trend Micro Anti-Spyware
Viewpoint Media Player
Windows Installer 3.1 (KB893803)

Rawe

That's an Uninstall list, not the start-up list?

Can you just let me know what you see in the startup list.. And do you still get all the same errors?
Hi there, stranger!


irishsupplyguy

Sorry Rawe:
I know that this must be very trying. When I reboot now I only get the message before shut down (USR prbda.exe  DLL initialization failed). I no longer get an error message at start up.
The start up menu in CCleaner has 15 files. Everything there looks normal except these 3. I could not do a copy and paste from that screen.
1.  Key=HKLM:RUN  Program= 3c1807pd  no file
2.  Key=HKCU:Run  Program= spc_w   File= "C:\Program Files\NZSearch\nzspc.exe" _w
3.  Key=HKLM:Run  Program=USRpdA  File= C:\WINDOWS\SYSTEM32\USRmlnkA.exe       
                                                                  RunServices\Device

If you need me to send the other files I will copy them down and type them in. Thank you so much for your help!

Rawe

Go to Windows Search and look for this file: prbda.exe

Tell me the location where it is if you find it.
Hi there, stranger!


irishsupplyguy

Good afternoon Rawe:
This is the search results. Hope it is what you are looking for.

1. usrprbda      C:\i386\Driver.Cab
2. USRPRBDA.EXE -2F63B139F.pf   C:\WINDOWS\Prefetch
3. usrprbda      C:\WINDOWS\System 32
4. usrprbda      C:\WINDOWS\DriverCache\i386\driver.cab

That was all that was found with "prbda". I hope I did it right, I know you must be tired of fooling with me. Thank you for your help.

Rawe

Download CleanUp

Run the CleanUp! installer and get the program ready to be used, then launch it.

Click "Options". Scroll the arrow to "Custom CleanUp!"
Check the following options:

Empty recycle bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files
CleanUp! All Users


Click OK.

Hit CleanUp!

Once it's finished, reboot. Post back and let me know if you still get the error.
Hi there, stranger!


irishsupplyguy

Good Morning Rawe:
Ran CleanUp with the settings you recommended. I still get "USRprbda.exe  DLL initialization failed" when the machine starts to shut down. In the background there are two end program pop-ups in the background.

1.netzeroVpclientwnd
2.zcom_ad

All error messages go away in about 2-3 seconds and the computer reboots and the start-up screen is clean. Thank you for your help.

Rawe

Ok, fix these entries in HijackThis:

O4 - HKCU\..\Run: [NetZero_uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w


Next, can you redo a Kaspersky log for me here. Just run the scan again, please.. I'm checking if you still have malware or are you clean.
Hi there, stranger!


irishsupplyguy

Good morning Rawe:
According to Kasper all 4 viruses are still there. Attached is the log file.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 31, 2005 09:46:20
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 31/10/2005
Kaspersky Anti-Virus database records: 147877
-------------------------------------------------------------------------------

Scan Settings:
   Scan using the following antivirus database: standard
   Scan Archives: true
   Scan Mail Bases: true

Scan Target - My Computer:
   A:\
   C:\
   D:\
   E:\

Scan Statistics:
   Total number of scanned objects: 51281
   Number of viruses found: 4
   Number of infected objects: 27
   Number of suspicious objects: 0
   Duration of the scan process: 1913 sec

Infected Object Name - Virus Name
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000257.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000262.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000263.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000264.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000269.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000270.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000271.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000272.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000291.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000292.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000297.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000390.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000487.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\aolback.exe.lnk:aotqsb:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ftrcl.dat:kfxtx:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt:btzsmv:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netpf32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\netsf.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\SchedLgU.Txt:izyqvv:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\setupapi.old:barwpx:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\Soap Bubbles.bmp:uyuygr:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\system32\crtu32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\uytnx.dat:ypeshb:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\WindowsUpdate.log:sbjjle:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\_default.pif:pmpywo:$DATA   Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm   Infected: Exploit.HTML.Mht

Scan process completed.

Rawe

Ok, let's do this now.. About:Buster should clean that up.

1) Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


2) Download about:buster by RubbeRDuckY Here.

3) Unzip AboutBuster to its own folder (ie c:\Aboutbuster)

4) Update About:Buster

  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
5) Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

6) Please run about:buster by RubbeRDuckY:

  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files.  If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
  • Run about:buster again following the same instructions as above, this time without the restart at the end

7) Reboot back into normal mode.

8) Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


9) Post your About:Buster log.  :thumbsup:
Hi there, stranger!
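
Added example, not part of the original thread or written by either poster: a short Python triage of the Kaspersky report lines above, showing why the steps target System Restore and Alternate Data Streams. The sample lines are a subset copied from the posted report; the function names and category labels are made up for this illustration.

```python
import re
from collections import defaultdict

# Subset of the "Infected Object Name - Virus Name" lines from the report above.
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP4\A0000257.exe   Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{D0D4C289-1775-4E84-B8F1-E8133151EDAF}\RP5\A0000487.dll   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\aolback.exe.lnk:aotqsb:$DATA   Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\apiqe32.exe   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\ModemLog_Best Data Data Fax Modem.txt:btzsmv:$DATA   Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\WindowsUpdate.log:sbjjle:$DATA   Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\system32\crtu32.exe   Infected: Trojan.Win32.Agent.bi
E:\WINDOWS\Temporary Internet Files\Content.IE5\H3786PB0\index[1].htm   Infected: Exploit.HTML.Mht
"""

# "<path>   Infected: <detection name>"; paths may contain single spaces.
LINE_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s*$")
# NTFS stream syntax "<host file>:<stream name>:$DATA"; the drive-letter colon
# is part of the host, so the stream name is the last colon-free segment.
ADS_RE = re.compile(r"^(?P<host>[A-Za-z]:\\.*?):(?P<stream>[^:\\]+):\$DATA$", re.I)
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.I)

# Why each group needs different handling (labels are this example's own).
ADVICE = {
    "restore_point": "archived copy inside a restore point; purged when System Restore is turned off",
    "alternate_data_stream": "hidden stream on an otherwise ordinary host file; needs an ADS-aware tool",
    "file": "ordinary file on disk; a regular scanner can quarantine it",
}

def classify(path):
    """Return (kind, host_file, stream_name) for one reported object path."""
    if RESTORE_RE.search(path):
        return "restore_point", path, None
    m = ADS_RE.match(path)
    if m:
        return "alternate_data_stream", m["host"], m["stream"]
    return "file", path, None

def triage(report_text):
    """Group report lines by where the infected object lives."""
    groups = defaultdict(list)
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines, statistics
        kind, host, stream = classify(m["path"])
        groups[kind].append({"host": host, "stream": stream, "detection": m["name"]})
    return dict(groups)

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REPORT).items():
        print(f"{kind} ({len(items)}): {ADVICE[kind]}")
        for item in items:
            stream = f"  [stream: {item['stream']}]" if item["stream"] else ""
            print(f"    {item['detection']:34} {item['host']}{stream}")
```
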


irishsupplyguy

Good afternoon Rawe:
Here is the AboutBuster log that you requested. Thank you for your help

AboutBuster 5.1, reference file 32
Scan started on [10/31/2005] at [1:14:28 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
Removed File! : C:\WINDOWS\dkpwz.dat
Removed File! : C:\WINDOWS\dqooj.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:15:20 PM


AboutBuster 5.1, reference file 32
Scan started on [10/31/2005] at [1:17:37 PM]
------------------------------------------------
No Ads Found!
------------------------------------------------
No Files Found!
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 1:18:28 PM