Smartfinder.us & Secdrop.BO


Megaton
4th Jan 2005, 11:46
Father-in-law's PC keeps returning to Smartfinder.us on connection to internet. Have reset security to default and home page to somewhere more sensible. Have recently installed ezantivirus and the Real Secure Desktop Protector. Previously the machine was unprotected and riddled with viruses.

Still having problems with the Secdrop.BO virus which is identified by the antivirus software but doesn't seem able to eliminate it completely. Have checked with company website on this signature and there's no info on the .BO variant.

Anyone any ideas on how to get rid of secdrop once and for all and stop smartfinder.us from re-appearing?

E-Liam
4th Jan 2005, 13:04
Hi Ham,

You've been hit by CWS..

..please download 'Hijack This!' from here (http://thespykiller.co.uk/hjttut.htm), unzip, and place it in its own folder, (not in the temp folder, or on the desktop) double-click HijackThis.exe, check for updates by clicking on Config | Misc. Tools | Check for Updates and follow the prompts. Once updated click on Scan. When the scan is finished, click "Save Log", and copy and paste it in a reply.

This will give us a rundown of what’s going on in your PC. One of us here will be glad to analyse it for you. Don’t fix anything yourself yet, as a lot of the stuff on that list will be harmless or required.

Cheers

Liam

Megaton
4th Jan 2005, 16:04
Logfile of HijackThis v1.99.0
Scan saved at 17:00:27, on 04/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\SysCgfig.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\WINDOWS\System32\sndsys.exe
C:\WINDOWS\System32\cdaccess.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\ISS\BlackICE\RapApp.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartfinder.us/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartfinder.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartfinder.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartfinder.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartfinder.us/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartfinder.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartfinder.us/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartfinder.us/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [FontsLoader] C:\WINDOWS\Fonts\ldfnt32.hta
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [httpd] C:\WINDOWS\msgaol.exe /i
O4 - HKLM\..\Run: [QTSvc] C:\WINDOWS\shman.exe /i
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [Windows Sound System] sndsys.exe
O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\Run: [System Configurati0n] SysCgfig.exe
O4 - HKLM\..\Run: [Auto CD-ROM Startup] cdaccess.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\RunServices: [Windows Sound System] sndsys.exe
O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe
O4 - HKLM\..\RunServices: [System Configurati0n] SysCgfig.exe
O4 - HKLM\..\RunServices: [Auto CD-ROM Startup] cdaccess.exe
O4 - HKLM\..\RunOnce: [System Configurati0n] SysCgfig.exe
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - HKCU\..\Run: [System Configurati0n] SysCgfig.exe
O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe
O4 - HKCU\..\Run: [Auto CD-ROM Startup] cdaccess.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKCU\..\RunOnce: [System Configurati0n] SysCgfig.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104575692748
O17 - HKLM\System\CCS\Services\Tcpip\..\{15F27EB2-A6C1-41CF-9353-42C242F7A265}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{B35FCC79-88A0-4D9A-8283-148CD92DAC39}: NameServer = 194.72.9.38 194.74.65.68
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CAISafe - Unknown - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\RapApp.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thanks, mate, owe you a beer if this works! Apologies to all for the long post; will delete once snag resolved!

Does anyone have any ideas on the Secdef.BO Trojan?

E-Liam
4th Jan 2005, 16:22
Hi Ham,

just got in from work, so give me half an hour to get sorted, and I'll go through it.

Cheers

Liam

E-Liam
4th Jan 2005, 18:08
Hi,

Here we go.. please print this off, as it will be easier to follow.

You’ve been hijacked by CoolWebSearch. Please go here (http://www.intermute.com/spysubtract/cwshredder_download.html) and download, unzip and then open CoolWebShredder (stand alone version). Then click on the Updates button and follow the prompts. Next, run the program by clicking on the Fix-> button.

Please run a new HJT! Scan, and check to fix the following entries, being sure to double check that you haven't missed any. (Some may no longer be present after running the above) Next, close all browser windows and click the Fix checked button…

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smartfinder.us/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://smartfinder.us/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartfinder.us/

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartfinder.us/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://smartfinder.us/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://smartfinder.us/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://smartfinder.us/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://smartfinder.us/

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartfinder.us/sp.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartfinder.us/

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://smartfinder.us/sp.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://smartfinder.us/

O4 - HKLM\..\Run: [FontsLoader] C:\WINDOWS\Fonts\ldfnt32.hta

O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i

O4 - HKLM\..\Run: [httpd] C:\WINDOWS\msgaol.exe /i

O4 - HKLM\..\Run: [QTSvc] C:\WINDOWS\shman.exe /i

O4 - HKLM\..\Run: [Windows Sound System] sndsys.exe

O4 - HKLM\..\Run: [Winproxy Personal] winproxy.exe

O4 - HKLM\..\Run: [System Configurati0n] SysCgfig.exe

O4 - HKLM\..\Run: [Auto CD-ROM Startup] cdaccess.exe

O4 - HKLM\..\RunServices: [Windows Sound System] sndsys.exe

O4 - HKLM\..\RunServices: [Winproxy Personal] winproxy.exe

O4 - HKLM\..\RunServices: [System Configurati0n] SysCgfig.exe

O4 - HKLM\..\RunServices: [Auto CD-ROM Startup] cdaccess.exe

O4 - HKLM\..\RunOnce: [System Configurati0n] SysCgfig.exe

O4 - HKCU\..\Run: [System Configurati0n] SysCgfig.exe

O4 - HKCU\..\Run: [Winproxy Personal] winproxy.exe

O4 - HKCU\..\Run: [Auto CD-ROM Startup] cdaccess.exe

O4 - HKCU\..\Run: [start uploading] smsss.exe

O4 - HKCU\..\RunServices: [start uploading] smsss.exe

O4 - HKCU\..\RunOnce: [System Configurati0n] SysCgfig.exe

O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?

O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = ?

Next, please double click on the My Computer icon on the desktop. Go to Tools | Folder Options, click on the View tab and make sure that Show hidden files and folders is checked. Also uncheck Hide protected operating system files. Now click Apply to all folders, then click Apply then OK.

Next please find and delete the following bolded files...

C:\WINDOWS\Fonts\ldfnt32.hta

C:\WINDOWS\csrss.exe

C:\WINDOWS\msgaol.exe

C:\WINDOWS\shman.exe

C:\WINDOWS\System32\sndsys.exe

C:\WINDOWS\System32\winproxy.exe

C:\WINDOWS\System32\SysCgfig.exe

C:\WINDOWS\System32\cdaccess.exe

C:\WINDOWS\System32\smsss.exe

(Please check the file path and spelling for each very carefully before deleting. They are spelt like this in order to make them look legit.)

If you have rebooted since posting this, then there is a chance that some/all of the file names have morphed in the meantime.. but that's life. We'll just start again.. at least it won't be as difficult to spot them next time.. :)

Then boot into safe mode, (see here (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001052409420406) for info if needed) and delete the entire contents of the C:\Windows\Temp (or C:\WINNT\Temp) folder, but not the folder itself.

Then please boot back into normal mode and download AdAware SE from here (http://www.lavasoftusa.com/support/download/).

First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files.

Next, we need to configure Ad-aware for a full scan.

Click on the Gear icon (second from the left) to access the preferences/settings window

1. In the General window make sure the following are selected:
· Automatically save log-file
· Automatically quarantine objects prior to removal
· Safe Mode (always request confirmation)

2. Click on the Scanning button on the left and select :
· Scan Within Archives
· Scan Active Processes
· Scan Registry
· Deep Scan Registry
· Scan my IE favorites for banned URL’s
· Scan my Hosts file

· Under Click here to select drives + folders, choose:
· All of your hard drives | Proceed

3. Click on the Advanced button on the left and select:
· Include additional process information
· Include additional file information
· Include environment information

4. Click the Tweak button and select:
· Under the Scanning Engine:
· Unload recognized processes & modules during scan
· Include additional Ad-aware settings in logfile
· Under the Cleaning Engine:
· Let Windows remove files in use at next reboot

5. Click on Proceed to save the settings.

6. Click Start and on the next screen choose:
· Use Custom Scanning Options

7. Click Next and Ad-aware will scan your hard drive(s) with the options you have selected.

When finished, mark everything for removal and get rid of it. (Right-click the window and choose Select All from the drop down menu and click Next).

Next, please reboot again and download Spybot - Search & Destroy 1.3 from here (http://security.kolla.de) if you haven't already got the program.

Click on Updates | Download Updates, and follow the prompts.

Next, close all Internet Explorer windows, and click Check for Problems. Once the scan is complete, have SpyBot remove all it finds marked in RED.

Next reboot and go here (http://housecall.trendmicro.com/housecall/start_corp.asp), and run the online virus scan; choosing the Autoclean option just before clicking the Scan button. Then please post a new log for a final once over.

I'm off out this evening, but I'll check up on your progress later on. :)

Cheers

Liam
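
The by-eye triage of the O4 autorun lines in the post above, written out as an added example (not part of the thread and not HijackThis code). The list of system process names, the three-key threshold and the flag names are assumptions of this example; the sample lines are copied from the first log posted above.

```python
import ntpath
import re
from collections import defaultdict

# Subset of O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [FontsLoader] C:\WINDOWS\Fonts\ldfnt32.hta
O4 - HKLM\..\Run: [Update] C:\WINDOWS\csrss.exe /i
O4 - HKLM\..\Run: [System Configurati0n] SysCgfig.exe
O4 - HKLM\..\RunServices: [System Configurati0n] SysCgfig.exe
O4 - HKCU\..\Run: [System Configurati0n] SysCgfig.exe
O4 - HKCU\..\Run: [start uploading] smsss.exe
O4 - HKCU\..\RunServices: [start uploading] smsss.exe
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
"""

# Assumption of this example: core XP processes that live in System32.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe"}
SYSTEM32 = r"c:\windows\system32"
SCRIPT_EXTS = (".hta", ".vbs", ".js")

O4_RE = re.compile(r'^O4 - (HK(?:LM|CU))\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')
EXE_RE = re.compile(r'"?(.+?\.\w{2,4})(?=["\s]|$)')


def one_edit_apart(a, b):
    """True when a and b differ by exactly one insert, delete or substitute."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]
    return a[i:] == b[i + 1:]


def parse_o4(log_text):
    """Yield (registry key, executable path) for each registry autorun line."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        exe = EXE_RE.match(m.group(4)) if m else None
        if exe:
            yield f"{m.group(1)}\\{m.group(2)}", exe.group(1)


def triage(log_text):
    """Map each suspicious autorun file name to the reasons it was flagged."""
    keys_by_exe, path_by_exe = defaultdict(set), {}
    for key, path in parse_o4(log_text):
        name = ntpath.basename(path).lower()
        keys_by_exe[name].add(key)
        path_by_exe[name] = path
    findings = {}
    for name, keys in keys_by_exe.items():
        folder = ntpath.dirname(path_by_exe[name]).lower()
        flags = []
        if any(one_edit_apart(name, s) for s in SYSTEM_NAMES):
            flags.append("lookalike-name")          # e.g. smsss.exe vs smss.exe
        if name in SYSTEM_NAMES and folder and folder != SYSTEM32:
            flags.append("system-name-outside-system32")
        if name.endswith(SCRIPT_EXTS):
            flags.append("script-autorun")
        if len(keys) >= 3:                          # same file in many Run keys
            flags.append(f"registered-in-{len(keys)}-keys")
        if flags:
            findings[name] = flags
    return findings


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG).items():
        print(name, flags)
```

A flag here is only a prompt to look at the file; entries given without a path still need to be located on disk before anything is removed.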

unclenelli
5th Jan 2005, 00:15
I noticed that you're using BlackIce Defender as a firewall.

Visit www.grc.com for a review of BlackIce Defender

Steve Gibson also offers 2 firewall checking tools - LeakTest and ShieldsUp.

This guy seems to know what he's talking about as he's been in the hack/security business for years!!! And it's all FREEEEEE!!!!! thanks to people buying his HDD recovery/maintenance tool SpinRite.

Megaton
5th Jan 2005, 15:21
Thanks for all your help; definitely getting there!

Last scan using on-line antivirus detected:

worm_wootbot.gen
worm_rbot.abk
worm_rbot.aer

and said they were non-cleanable. Have deleted them now and will re-run Coolwebshredder et al!

Megaton
5th Jan 2005, 16:22
Reran the CWS utility which generated this log:

Logfile of HijackThis v1.99.0
Scan saved at 17:13:47, on 05/01/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\System32\PROMon.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEAKSYSTEMTRAY.EXE
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\Compaq\EAKDRV\EAUSBKBD.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bt.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tesco.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.presario.net/scripts/redirectors/presario/srchredir2.dll?c=1c02&lc=0809&s=search&ap=b204
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Tesco internet access
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\COMPAQ\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [BBDial] C:\Program Files\BT Voyager 105 ADSL Modem\BT Broadband.exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKCU\..\Run: [PPWebCap] C:\PROGRA~1\ScanSoft\PAPERP~1\PPWebCap.exe
O4 - Startup: reminder-ScanSoft Product Registration.lnk = C:\Program Files\ScanSoft\PaperPort\Config\Ereg\REMIND32.EXE
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1104575692748
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{15F27EB2-A6C1-41CF-9353-42C242F7A265}: NameServer = 194.168.4.100,194.168.8.100
O17 - HKLM\System\CCS\Services\Tcpip\..\{B35FCC79-88A0-4D9A-8283-148CD92DAC39}: NameServer = 194.72.9.38 194.74.65.68
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: CAISafe - Unknown - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Intel(R) NMS - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\RapApp.exe
O23 - Service: SoundMAX Agent Service - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

E-Liam
5th Jan 2005, 17:11
Hi Ham,

That's a clean log. Is everything running correctly now?

Cheers

Liam

Megaton
5th Jan 2005, 18:15
Yes it does. Are you an aviation enthusiast as well as PC guru? If so, I'd like to thank you for your help. PM me with your address.

E-Liam
6th Jan 2005, 17:33
Hi Ham,

You're welcome. Am I an aviation enthusiast? I like planes from a distance.. :) We flew out to Austria last year for a week's skiing, and we got the train home, 'cos I bottled the flight back.. :\ :uhoh:

Ironic really, considering the amount of time I spend on this forum.. :D

Cheers

Liam