Log file from NOD32 that may help diagnose the problem with svchost.exe, WScript.exe, mshta.exe, and Windows Defender and Windows Update not loading. Please, someone help!
Greetings,

First let me explain how I got this worm, virus, or trojan or whatever it is. There are several sites that use Flash games and advertisements on those pages, like Yahoo. When one goes to them they automatically try and load Java. Next you have this trojan called Think Power trying to get you to scan your computer for antispyware. I know this is a dummy or bogus prog. The file is actually called hotfix.exe, which is the trojan. Naturally I got rid of it, but that's not the prob. Somehow this trojan rewrites WScript.exe and svchost.exe, which in turn try to constantly load Explorer and connect to a malware site. I was running Avast and it would block it, but when scanning it would not fix or find the problem. It also tries to shut down svchost, and then Windows tries to go into DOS or classic mode. eeeeeerrrrr. Avast would tell me these two exe files were trying to go to malware sites but would only block them.

I have run Avast, SUPERAntiSpyware, Windows Defender (which now says it has a problem and cannot load), the Live OneCare scanner on the Microsoft site, the malware removal tool from Microsoft, the TDSS rootkit killer removal tool, Norton, McAfee, HijackThis, NOD32, Spybot, the Symantec fix-it tools (for several worms), Trojan Remover, and of course the program everyone thinks is God, Malwarebytes - this prog doesn't do jack 'cept eat up time. Not one can find or fix the problem. What's up with that? Out of 20 of the best progs not one can do the job? They found li'l stuff like cookies, but that's it really. I have followed the advice on Microsoft and other sites, downloading all the best malware, virus, and antispyware progs, and none work. Why would I pay for anything that doesn't work LOL! You feel me?

This is what NOD32 from ESET shows now that I am running it: it keeps blocking this site and gives me random numbers for an address or site. Z0g7yail0.com/ random letters numbers PTAmcmQ9MA = = 38x is the site it keeps blocking. That's only part of the prob.

Explorer keeps opening up a window to something like a Walmart gift card site too; the antivirus prog does not block that. Last but not least is the annoying fact that this worm/virus has changed part of the text I view on web pages to italic, but not all the text is like that. eeeerrrrrrrr. Does anyone know what the heck is going on with my computer? 'Cause searching the forums, it doesn't seem as if anyone else discusses the same probs I have. Can someone, for the love of God, help me kill this nasty pest that has freaking snuck its way into my computer? Please?
December 14th, 2010 10:58pm

Hi DjNasT,

· What is the version of Internet Explorer you have installed on your computer?
· Provide us the complete error message you receive when you try to connect to Windows Update or Windows Defender.
· What is the service pack installed on your computer?

1. Run the Fix it which will reset the security settings in Internet Explorer: Improve performance, safety and security in Internet Explorer: http://support.microsoft.com/mats/ie_performance_and_safety/en-us
2. Also you may follow the steps from the below link: Prevent Pop-up Ad Windows When Browsing: http://www.microsoft.com/windows/ie/ie6/using/howto/privacy/restrictedsites/stoppopups.mspx

Regards,
Samhrutha G S - Microsoft Support.
Visit our Microsoft Answers Feedback Forum and let us know what you think.
December 15th, 2010 10:53am

I have Windows XP, IE8. OK, for Windows Defender, when I try and load it the error message given is 0x800106ba. Defender was giving me an error message of numbers, then "efe" or "fee" I think, which I looked up already, and the support page for error codes just says I am unable to connect to the page. I already tried all the suggested tips on the support page to fix the problem and none of them worked. I have already tried the Run the Fix it site too and it did not work either. I have tried a System Restore several times, even in Safe Mode. System Restore just said it was unable to restore on that date. I tried 6 different dates too. I already have several popup blockers installed. NOD32 just keeps popping up from time to time giving me randomly blocked IP addresses trying to load Explorer to the site I mentioned in my first post.

I honestly believe something has taken over my svchost.exe and WScript.exe files and is causing them to try and load malware sites. Like I mentioned earlier, though, none of the antispyware/virus/malware progs have found anything wrong, but obviously something has put a script file or something on my computer that's messing with my registry keys or something, ya know. Just none of the malware progs seem to recognize it as malware; either that or it has cloned an existing file and the malware progs do not recognize it as a threat. Like I said earlier, I downloaded almost 20 different freaking malware progs, including everything on the Microsoft site for malware, Live OneCare and MSRT, and tried the Fix it too. Nothing has helped. As for the italic text in the browser, I fixed that on my own. Just went and redownloaded the font file for Arial and everything went back to normal.

So right now I need help figuring out: 1. how to find what is causing Explorer to attempt to open my browser to a mal site; 2. what is blocking Windows Defender and Windows Update from loading or connecting to Microsoft, and what is blocking System Restore that won't allow it to complete.

That's just crazy; why have a System Restore if you cannot even use it LOL! Anyways, if you can please help me figure out those two problems it would be greatly appreciated. I have read something about manually fixing svchost.exe on eHow, but I'm not about to go deleting that file 'cause I know you have to have it for Windows to run. Peace!
December 15th, 2010 9:38pm

Here is a copy of the log file from HijackThis, and no, I haven't done anything with HijackThis, no fixes with the prog. Perhaps it will help, IDK.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:47:19 PM, on 12/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\windows\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\windows\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\YTSingleInstance.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O3 - Toolbar: Veoh Web Player Video Finder - {0FBB9689-D3D7-4f7a-A2E2-585B10099BFC} - C:\Program Files\Veoh Networks\VeohWebPlayer\VeohIEToolbar.dll
O3 - Toolbar: Veoh Video Compass - {52836EB0-631A-47B1-94A6-61F9D9112DAE} - C:\Program Files\Veoh Networks\Veoh Video Compass\SearchRecsPlugin.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: avast! Free Antivirus.lnk = C:\Program Files\Alwil Software\Avast5\AvastUI.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\windows\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\windows\system32\shdocvw.dll
O16 - DPF: {000F1EA4-5E08-4564-A29B-29076F63A37A} (SOE Web Installer) - http://launch.soe.com/plugin/web/SOEWebInstaller.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6770.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.com/activex/VerizonWirelessUploadControl.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\windows\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\windows\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

--
End of file - 6040 bytes
December 15th, 2010 9:56pm

Please look at my previous post. It has a log file from HijackThis as well. TY!
December 17th, 2010 9:34pm

Wow, looks like you've tried everything. Time for a format and reinstall.
December 18th, 2010 2:42pm

Alright, let's try this again. I have used every antispyware, malware, and virus prog you can think of, even the ones on the Microsoft site like Live OneCare, Fix it, and MSRT. Can one of you moderators please take a look at this log file and maybe you can explain to me what is going on and how to fix this. I am sure something in my keys or the exe files I mentioned got rewritten; I just need to know how to go about fixing them so whatever is trying to load IE is not trying to go to a malware site anymore. If you notice, in the NOD32 log file it says it has quarantined and removed these items, but something is still trying to load IE to the sites mentioned and none of the 20 top anti progs can seem to find it. So please help guys. Peace!

12/14/2010 12:20:15 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 11:20:03 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 10:20:17 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 9:20:17 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 8:20:17 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 7:20:17 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 6:20:18 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 5:20:17 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 4:20:17 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 3:20:02 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/14/2010 12:20:23 AM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 11:20:18 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 10:20:22 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 9:20:01 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 8:20:16 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 7:20:16 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 6:20:16 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 5:20:19 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 4:20:19 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 3:20:03 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 2:20:18 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 1:20:17 PM HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\mshta.exe.
12/13/2010 8:34:00 AM Real-time file system protection file C:\System Volume Information\_restore{4715539F-EC51-4104-AACE-B4A124ABB28C}\RP36\A0013700.exe a variant of Win32/RegCure potentially unwanted application deleted - quarantined NT AUTHORITY\SYSTEM Event occurred on a file modified by the application: C:\WINDOWS\system32\svchost.exe.
12/12/2010 4:17:58 PM Real-time file system protection file C:\System Volume Information\_restore{4715539F-EC51-4104-AACE-B4A124ABB28C}\RP36\A0013724.exe Win32/RegistryBooster potentially unwanted application deleted - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\MRT.exe.
12/12/2010 4:17:56 PM Real-time file system protection file C:\System Volume Information\_restore{4715539F-EC51-4104-AACE-B4A124ABB28C}\RP36\A0013723.dll Win32/RegistryBooster potentially unwanted application deleted - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\MRT.exe.
12/12/2010 9:48:36 AM Real-time file system protection file C:\System Volume Information\_restore{4715539F-EC51-4104-AACE-B4A124ABB28C}\RP34\A0013656.rbf Win32/RegistryBooster potentially unwanted application deleted NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:25:25 PM Real-time file system protection file C:\Documents and Settings\All Users\Application Data\{F03307B7-E779-4F5E-A32E-9A73D8D6E0F2}\rbia.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe.
12/11/2010 9:25:24 PM Real-time file system protection file C:\Program Files\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe.
12/11/2010 9:25:23 PM Real-time file system protection file C:\Program Files\Uniblue\RegistryBooster\rb_move_serial.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe.
12/11/2010 9:25:23 PM Real-time file system protection file C:\Program Files\Uniblue\RegistryBooster\rbnotifier.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe.
12/11/2010 9:25:20 PM Real-time file system protection file C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe.
12/11/2010 9:25:19 PM Real-time file system protection file C:\Program Files\Uniblue\RegistryBooster\Launcher.exe Win32/RegistryBooster potentially unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\rundll32.exe.
12/11/2010 9:23:07 PM Startup scanner file C:\Program Files\Uniblue\RegistryBooster\rbmonitor.exe Win32/RegistryBooster potentially unwanted application deleted (after the next restart) - quarantined
12/11/2010 9:22:03 PM Real-time file system protection file C:\windows\Tasks\At9.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:02 PM Real-time file system protection file C:\windows\Tasks\At8.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:02 PM Real-time file system protection file C:\windows\Tasks\At7.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:02 PM Real-time file system protection file C:\windows\Tasks\At6.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:01 PM Real-time file system protection file C:\windows\Tasks\At5.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:01 PM Real-time file system protection file C:\windows\Tasks\At24.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:01 PM Real-time file system protection file C:\windows\Tasks\At3.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:01 PM Real-time file system protection file C:\windows\Tasks\At4.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:01 PM Real-time file system protection file C:\windows\Tasks\At21.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:00 PM Real-time file system protection file C:\windows\Tasks\At23.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:00 PM Real-time file system protection file C:\windows\Tasks\At22.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:00 PM Real-time file system protection file C:\windows\Tasks\At20.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:00 PM Real-time file system protection file C:\windows\Tasks\At2.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:22:00 PM Real-time file system protection file C:\windows\Tasks\At19.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:55 PM Real-time file system protection file C:\windows\Tasks\At10.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:55 PM Real-time file system protection file C:\windows\Tasks\At15.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:55 PM Real-time file system protection file C:\windows\Tasks\At16.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At1.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At17.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At14.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At12.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At18.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At11.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
12/11/2010 9:21:54 PM Real-time file system protection file C:\windows\Tasks\At13.job Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file by the application: C:\WINDOWS\system32\svchost.exe.
December 21st, 2010 4:16am
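The NOD32 entries in the post above show mshta.exe blocked at the same minute of every hour, which is the cadence a scheduled job produces, and the scanner also cleaned 24 At*.job files out of C:\windows\Tasks. As an added example (not code from the thread, from ESET or from Microsoft), the script below parses entries in that log's layout, groups blocked web requests by requesting process and URL, and flags groups whose hits are evenly spaced, while tolerating missed hours; the sample lines are constructed from entries quoted in the thread.

```python
"""Flag beacon-like cadence in ESET NOD32 'HTTP filter' events.

Added example for this thread (not ESET's or Microsoft's code). It parses
entries in the layout of the NOD32 log posted above, groups blocked web
requests by requesting process and URL, and reports groups whose hits land
at near-constant intervals. The sample is constructed from entries quoted in
the thread; the 1:20 and 2:20 AM hours are left out on purpose to show that
a missed observation does not defeat the cadence check.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

ENTRY_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<module>HTTP filter|Real-time file system protection|Startup scanner)"
    r"\s+file\s+(?P<obj>.+?)\s+"
    r"(?P<threat>(?:a variant of )?\S+/\S+(?: \S+)*?)\s+"
    r"(?P<action>connection terminated|cleaned by deleting|deleted)(?P<rest>.*)$"
)
APP_RE = re.compile(r"by the application:\s+(?P<app>.+?)\.?\s*$")
TASK_RE = re.compile(r"\\Tasks\\At\d+\.job$", re.IGNORECASE)

HIT = ("HTTP filter file http://funnybarsshow.com/jhkhj.php?kxdkhjk= "
       "JS/TrojanDownloader.Agent.NWG trojan connection terminated - quarantined "
       r"NT AUTHORITY\SYSTEM Threat was detected upon access to web by the "
       r"application: C:\WINDOWS\system32\mshta.exe.")
JOB = ("Real-time file system protection file C:\\windows\\Tasks\\At{}.job "
       "Win32/Adware.FakeAntiSpy.O application cleaned by deleting - quarantined "
       r"NT AUTHORITY\SYSTEM Event occurred during an attempt to access the file "
       r"by the application: C:\WINDOWS\system32\svchost.exe.")
# Constructed sample in the thread's log layout (timestamps taken from the thread).
SAMPLE_LOG = "\n".join([
    "12/14/2010 12:20:15 PM " + HIT, "12/14/2010 11:20:03 AM " + HIT,
    "12/14/2010 10:20:17 AM " + HIT, "12/14/2010 5:20:17 AM " + HIT,
    "12/14/2010 4:20:17 AM " + HIT, "12/14/2010 3:20:02 AM " + HIT,
    "12/14/2010 12:20:23 AM " + HIT, "12/13/2010 11:20:18 PM " + HIT,
    "12/11/2010 9:22:03 PM " + JOB.format(9), "12/11/2010 9:22:02 PM " + JOB.format(8),
    "12/11/2010 9:22:02 PM " + JOB.format(7),
    r"12/11/2010 9:25:24 PM Real-time file system protection file C:\Program Files"
    r"\Uniblue\RegistryBooster\registrybooster.exe Win32/RegistryBooster potentially "
    r"unwanted application cleaned by deleting - quarantined DIMENSION2400\User Event "
    r"occurred during an attempt to access the file by the application: "
    r"C:\WINDOWS\system32\rundll32.exe.",
])


def parse_log(text):
    """Return one dict per parsable entry; lines in another layout are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        app = APP_RE.search(m["rest"])  # Startup-scanner entries carry no process
        entries.append({
            "ts": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
            "module": m["module"], "obj": m["obj"], "threat": m["threat"],
            "action": m["action"], "app": app["app"] if app else None,
        })
    return entries


def beacon_groups(entries, min_hits=3, tolerance=0.05):
    """Group web hits by (process, URL). A group is periodic when at least 80%
    of the gaps lie within `tolerance` of an integer multiple of the median
    gap, so a missed hour counts as 2x or 3x the period instead of breaking it."""
    by_key = defaultdict(list)
    for e in entries:
        if e["module"] == "HTTP filter" and e["app"]:
            by_key[(e["app"], e["obj"])].append(e["ts"])
    out = []
    for (app, url), times in by_key.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:  # duplicate timestamps; nothing to measure
            continue
        regular = sum(1 for g in gaps if round(g / period) >= 1
                      and abs(g - round(g / period) * period) <= tolerance * period)
        out.append({
            "app": app, "url": url, "hits": len(times), "period_s": period,
            "minute_mode": Counter(t.minute for t in times).most_common(1)[0][0],
            "regular_fraction": regular / len(gaps),
            "periodic": regular / len(gaps) >= 0.8,
        })
    return out


def task_artifacts(entries):
    """Scheduled-task files the scanner acted on (the At*.job entries above)."""
    return sorted(e["obj"] for e in entries if TASK_RE.search(e["obj"]))


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for g in beacon_groups(parsed):
        print(f"{g['app']} -> {g['url']}: {g['hits']} hits, period "
              f"{g['period_s'] / 3600:.2f} h at :{g['minute_mode']:02d}, "
              f"periodic={g['periodic']}")
    print("task files cleaned:", task_artifacts(parsed))
```

Run against the full log in the post, the same grouping pairs the hourly mshta.exe hits with the 24 At*.job artifacts that were removed on 12/11, which is the correlation the antivirus alerts alone do not make.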

Hi DjNasT,

Which version of Internet Explorer are you using?

Let's follow these methods and check if it helps.

Method 1
You may follow this link and check if the issue persists: How to restore a hijacked web browser. Refer: What is browser hijacking?

Method 2
You may also optimize Internet Explorer and check if the issue persists. For more information, follow this link: How to optimize Internet Explorer.

Hope the information helps. Please post back and let us know.

Regards,
Debleena S
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
December 21st, 2010 6:04pm

First, to answer your question, I am using IE 8. Second, the sites you mentioned above did not help. I have checked several Microsoft pages looking and following the tips but to no avail. Third, I have had browser redirection problems before and TDSSKiller has always fixed the problem. This is not a browser redirect problem though. I do not even have to have IE loaded, and NOD32 will flash a window saying it blocked an IP address which it says was trying to load IE and take it to Z0g7yail0.com/ (a long string of random letters and numbers). I did download MSE and it tried to update first, but it failed and gave this error code: 0x80072efe, which just means failed to connect or cannot connect. MSE of course did not find anything on my com either. eeeeeerrrrr, something has rewritten a script or something on my com that causes svchost, WScript, or mshta.exe to constantly try and load IE to a malware site. I do not know how to go in and manually fix scripts or regkeys. I could do it with instructions, but I do not know where I need to look or what to actually delete or rewrite. I need a set of instructions on where to look or what file to find and how to go about manually deleting and rewriting the script that has been put on my com. Please help if you can. Peace!
December 21st, 2010 7:09pm

[This thread should NOT have been moved to IE Forum! It should have been merged with OP's original thread.]See... Can I install Microsoft Security Essentials [or any other anti-virus/anti-spyware application] to clean up my already-infected computer? http://social.answers.microsoft.com/Forums/en-US/msescan/thread/87058857-d181-4019-a723-efd9a49d9275~~~~~~~~~~~~~~~~~~~~~~~~~~~Please answer all of the following diagnostic questions by number in your next reply (no need to quote this post):1. When (approx. date) did this ThinkPoint (not Think Power) infection occur and was the computer fully-patched at Windows Update at the time?2a. When (approx. date) did you install NOD32?2b. Have you purchased NOD32?3. When (approx. date) did you install Avast5?4. What anti-virus application was installed before you installed NOD32 and Avast5, was your subscription still current, and did you uninstall it before you installed NOD32 and/or Avast5?5. Has a(nother) Norton application or a McAfee application ever been installed on the computer?6. Did a Norton free-trial or a McAfee free-trial come preinstalled on the computer when you bought it? (Doesn't matter if you never used or Activated it.)~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
December 21st, 2010 10:14pm

We do NOT interpret HJT logs in these forums.

Please post any/all further follow-up in replies to your newer thread: http://social.answers.microsoft.com/Forums/en-US/InternetExplorer/thread/05f87e56-08f1-421e-be24-bcadeafef22f

~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
December 21st, 2010 10:15pm

HHmmmm ok Bear I will answer your questions but I really do not see the relevance of them for the anti/spy/virus/malware progs are not the problem.

1) A little over two or three weeks ago or so.
2a) About two weeks ago.
2b) No I do not purchase anti progs that do not work. Why would I? It hasn't fixed the prob, it just blocks the random addresses from loading IE 8 to a malware site.
3) I have had the up to date version of Avast for almost two years. It too just blocked the addresses saying something was trying to use svchost, WScript, and mshta.exe to try and load IE to a malware site. I have turned off Avast though since installing NOD32 so it does not interfere.
4) I do not remember what I was using before, I think it was Norton or McAfee, but I do know that about two years ago I had the computer taken in, wiped, and Windows reinstalled and they gave me Avast for free.
5) Yes I have tried both Norton and McAfee and they did not work either to fix the problem. I uninstalled them though and they are no longer on my computer.
6) No they did not come preinstalled.

If you are going to ask me to do a system restore it will not help, I already have tried. Useless program when you can not use it. I tried several times with different dates even in safe mode. I already have run everything on Microsoft Live OneCare, MSRT, Fix it, and MSE. I have Spybot, Malwarebytes, Symantec, SUPERAntiSpyware, and have tried them all. Nothing can fix the problem. Right now NOD32 blocks the random addresses trying to load IE but it is very annoying seeing that thing pop up constantly. The only thing it does not stop is when I am using IE from time to time it will load a site for a Walmart gift card but I just close it. If I am using a different prog or none at all it constantly blocks the random addresses trying to load IE. I don't have to have IE loaded. Yes I have popup blockers but it does not block another page being loaded to the Walmart gift card site. Works on everything else though.

Please do not give me any more links to Microsoft help pages for I have already searched through them all and tried many of the helpful tips and none have worked. What I really need Bear is a set of instructions on what file or files to search for that possibly contain a script that is giving commands to system files causing them to try and load IE to malware sites. I need to know where to look, what I am looking for, and how to rewrite or delete the script or commands. Probably have to get rid of some HKLM files or commands too if there are commands there as well. I'm sure you're gonna tell me it's probably in my registry keys as well. Anyways if you can help with a set of instructions on how to manually go in and take care of the problem that would be great. I have seen manual instructions on how to fix svchost.exe but I'm not about to go messin around and deleting that file cause I know you need it in order for Windows to run. I feel sorry for the poor fools who go on eHow and follow them instructions. Anyways if you can help it would be greatly appreciated, I just do not have the money right now to put this thing in the shop again with Christmas around the corner and all. Peace!
December 23rd, 2010 11:51am

oppss sorry Bear forgot to say Windows was fully updated at the time and yes I was able to connect to Windows Update and Defender update as well before this happened but now I cannot connect to either but can connect to anywhere else it seems on Microsoft or other sites, just not those two.
December 23rd, 2010 11:57am

Hi DjNasT,

For the Internet Explorer 8 issue, you may follow these steps & check if the issue persists.

Note: Modifying REGISTRY settings incorrectly can cause serious problems that may prevent your computer from booting properly. Microsoft cannot guarantee that any problems resulting from the configuring of REGISTRY settings can be solved. Modifications of these settings are at your own risk. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click on the link below.
http://support.microsoft.com/kb/256986/EN-US/

a. Click Start > Run, type 'regedit' in the Open box and then click OK.
b. Navigate to the following registry subkey & double click on it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
c. Under the Browser Helper Objects key, you may see ClassIDs (CLSIDs). Make a note of the CLSID.
d. Locate and then click the following registry subkey: HKEY_CLASSES_ROOT\CLSID\{CLSID}\InprocServer32
   Note: {CLSID} is the CLSID that you noted in step 'c'.
e. In the right pane, double-click (Default).
f. Click Value data to see the path of the .dll file. The path may be similar to the following: C:\Windows\Program_Name.dll
   Note: Program_Name can be a spyware program or a legitimate program that is using a BHO (Browser Helper Object).
g. If Program_Name is not a recognized or legitimate program, unregister the .dll file, and then remove the {CLSID} subkeys. To do this, follow these steps:
   i. At a command prompt, type the following command to unregister the .dll file: regsvr32 -u Path\Program_Name.dll
   ii. Locate and then delete the following {CLSID} registry subkeys:
   • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}
   • HKEY_CLASSES_ROOT\CLSID\{CLSID}
   Note: {CLSID} is the 128-bit number that you noted in step 'c'.
h. Exit Registry Editor and restart the computer.

For the Windows Update issue, you may follow this link & check if it helps: You may encounter temporary connection-related errors when you use Windows Update or Microsoft Update to install updates

Hope the information helps. Please post back and let us know.

Regards
Debleena S
Microsoft Answers Support Engineer
Visit our Microsoft Answers Feedback Forum and let us know what you think.
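As an added illustration of steps b through f in the reply above (this is example code, not part of Debleena's reply or any Microsoft tool), the following PowerShell script enumerates the Browser Helper Objects key, resolves each CLSID to the DLL named in its InprocServer32 default value, and reports whether that file exists and whether it carries a valid Authenticode signature. It is read-only: it deletes nothing and never calls regsvr32, so it can be run before deciding whether any step g is warranted. The function name Get-BhoInventory and the inclusion of the Wow6432Node path (where 32-bit BHOs register on 64-bit Windows) are assumptions of this example, not from the thread.

```powershell
# Added example: inventory Browser Helper Objects the way steps b-f describe,
# but read-only. Nothing here modifies the registry or unregisters a DLL.

# Assumption: 32-bit BHOs on 64-bit Windows live under Wow6432Node as well.
$bhoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
)

function Get-BhoInventory {
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path -Path $bhoKey)) { continue }

        # Step b/c: each subkey name is a CLSID such as {18DF081C-E8AD-4283-A596-FA578C2EBDC3}
        foreach ($sub in Get-ChildItem -Path $bhoKey) {
            $clsid      = $sub.PSChildName
            $noExplorer = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).NoExplorer

            # Step d: the CLSID's own key (friendly name) and its InprocServer32 subkey
            $clsidKey  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            $serverKey = "$clsidKey\InprocServer32"

            $friendly = $null
            if (Test-Path -Path $clsidKey) {
                $friendly = (Get-ItemProperty -Path $clsidKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Step e/f: the (Default) value of InprocServer32 is the DLL path
            $dll = $null
            if (Test-Path -Path $serverKey) {
                $dll = (Get-ItemProperty -Path $serverKey -ErrorAction SilentlyContinue).'(default)'
            }

            # Paths may be quoted or use %SystemRoot%-style variables; normalise before checking
            $expanded = $null
            if ($dll) {
                $expanded = [Environment]::ExpandEnvironmentVariables($dll.Trim('"'))
            }
            $exists = [bool]($expanded -and (Test-Path -LiteralPath $expanded))

            # A missing file or an unsigned/invalid signature is worth a closer look,
            # but a valid signature from a known vendor is the usual "legitimate" case.
            $sigStatus = $null
            $signer    = $null
            if ($exists) {
                $sig       = Get-AuthenticodeSignature -FilePath $expanded
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }

            [pscustomobject]@{
                Hive       = $bhoKey
                CLSID      = $clsid
                Name       = $friendly
                NoExplorer = $noExplorer
                DllPath    = $dll
                FileExists = $exists
                Signature  = $sigStatus
                Signer     = $signer
            }
        }
    }
}

# Run from an elevated or normal PowerShell prompt; HKCR and HKLM are readable by any user.
Get-BhoInventory | Format-Table -AutoSize -Wrap
```

The output lines up with what the reply asks the reader to note by hand: one row per CLSID, the DLL it maps to, and two quick legitimacy signals (the file exists on disk and who signed it). Rows whose DLL is missing, unsigned, or signed by an unexpected party are the ones to research before touching step g.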
December 23rd, 2010 2:51pm

If Avast had been installed & working properly, it should have blocked this ThinkPoint infection. Installing/uninstalling various & sundry other anti-virus applications (none of which would have installed properly) only made matters worse.

See...
• Cleaning a Compromised System http://technet.microsoft.com/en-us/library/cc700813.aspx

Back-up any personal data (none of which should be considered 100% trustworthy at this point) then format the HDD & do a clean install of Windows. Please note that a Repair Install (AKA in-place upgrade) will NOT fix this!

HOW TO do a clean install of WinXP: See http://michaelstevenstech.com/cleanxpinstall.html#steps and/or Method 1 in http://support.microsoft.com/kb/978307

NOTE: If your computer didn't come with a set of disks, there will be a hidden Recovery partition (not to be confused with System Restore) you would use to do the clean install (AKA a "destructive recovery").

After the clean install, you will have the equivalent of a "new computer" so take care of EVERYTHING on the following page BEFORE otherwise connecting the machine to the internet or a local network (i.e., other computers) AND BEFORE connecting a flash drive, SDCard, or any other external drive to the computer:
• 4 steps to help protect your new computer before you go online http://www.microsoft.com/security/pypc.aspx

Other helpful references include:
HOW TO get a computer running WinXP Gold (no Service Packs) fully patched (after a clean install) http://groups.google.com/group/microsoft.public.windowsupdate/msg/3f5afa8ed33e121c
HOW TO get a computer running WinXP SP1(a) or SP2 fully patched (after a clean install) http://groups.google.com/group/microsoft.public.windowsxp.general/msg/a066ae41add7dd2b

Tip: After getting the computer fully-patched, download/install KB971029 manually before connecting any external drive to the computer: http://support.microsoft.com/kb/971029

VERY IMPORTANT!! => Any Norton or McAfee free-trial that came preinstalled on the computer when you bought it will be reinstalled (but invalid) when Windows is reinstalled. You MUST uninstall the free-trial AND download/run the appropriate removal tool BEFORE installing any updates, Windows Service Packs or IE upgrades AND BEFORE installing your new anti-virus application (e.g., Microsoft Security Essentials - free).
Norton Removal Tool ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
McAfee Consumer Products Removal Tool http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

Also see:
Risks & Benefits of P2P file sharing
• http://www.microsoft.com/protect/data/downloadfileshare/filesharing.aspx
• http://blogs.technet.com/mmpc/archive/2008/10/06/the-cost-of-free-software.aspx
• http://www.us-cert.gov/cas/tips/ST05-007.html
Steps To Help Prevent Spyware http://www.microsoft.com/security/spyware/prevent.aspx
Steps to Help Prevent Computer Worms http://www.microsoft.com/security/worms/prevent.aspx
Avoid Rogue Security Software! http://www.microsoft.com/security/antivirus/rogue.aspx

If you need additional assistance with the clean install, please begin a new thread in this forum: http://social.answers.microsoft.com/Forums/en-US/xprepair/threads

If these procedures look too complex - and there is no shame in admitting this isn't your cup of tea - take the machine to a local, reputable and independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.

Wish I'd had better news for you. Good luck!

PS: The repair shop didn't "give you Avast for free," it's free to anybody... BUT unlike Microsoft Security Essentials, you MUST renew your Avast registration every year or it won't work (update) anymore.

~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
December 23rd, 2010 9:05pm

First to Bear, Thanks for trying to help but Avast actually sux, this is the second time ThinkPoint has been on my com and both times it let it on my com. The first time I got rid of the hotfix.exe file which is the trojan for ThinkPoint and it wiped it. I then took it in and had a computer shop fix it. This time I was able to get rid of it again but the difference is now something else snuck in with it trying to load IE. Avast does not stop this trojan. What happens is you go to a flash player site, (in my case it was a game site like Yahoo games that use Flash or Java to play), it autoloads Java and bam it's on your computer. Either it gets in through the ads on the side of the web page which constantly change or it comes in through the Flash or Java player. Either way it will be the last time I go to a game site with Flash or Java player games cept for Yahoo, never had a problem with them.

Second to DEB, I checked regedit and found the BHO file but there are no ClassIDs or CLSIDs. This is what it shows me under the BHO file:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Which just says Name: default Type: REG_SZ Data: (value not set) when clicked on, but underneath that file is another called NoExplorer and when clicked on shows this Name: default Type: REG_DWORD Data: 0x00000001 (1)

Next under BHO is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
When clicked on shows Name: Default Type: REG_SZ Data: AcroIEHelperStub Name: NoExplorer Type: REG_DWORD Data: 0x00000001 (1)

Next under BHO is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}
When clicked on shows this Name: default Type: REG_SZ Data: (value not set) Name: NoExplorer Type: REG_DWORD Data: 0x00000001 (1)

Next under BHO is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}
When clicked on says Name: default Type: REG_SZ Data: JQSIEStartDetectorImpl Name: NoExplorer Type: REG_DWORD Data: 0x00000001 (1)

Next under BHO is HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}
Which when clicked on says Name: default Type: REG_SZ Data: (value not set)

Anyways that's what I got for ya. Not sure if that helps or not. Peace!
December 24th, 2010 1:16am

Those BHOs are/belong to, in order:
Yahoo Toolbar
Adobe Acrobat ActiveX Control
(Sun) Java Plug-in
Another (Sun) Java Plug-in
Yahoo Toolbar

They have nothing to do with your problem. Only a format & clean install is going to return this computer to a secure state. See my previous reply.

~Robear Dyer (PA Bear) ~ MS MVP (IE, Mail, Security, Windows & Update Services) since 2002 ~ Disclaimer: MS MVPs neither represent nor work for Microsoft
December 24th, 2010 1:35am
