I have an old computer I still use often that runs win95. I've been having some problems starting, it likes to freeze up and can be very difficult to get going. When I do get it going I have noticed somethings running that I am not sure what they are and suspect they are scumware and possibly part of the problem. I've run adware but it just does not seem to notice or find them. They are

Mkgvarfc.exe in C:\windows

Winkmmy.exe in C:\windows\system

Winh.exe in C:\windows

Anyone have any idea what these are? Is it safe to assume they are scumware and I can get rid of them? Thanks

Originally posted by coldnorth@15 March 2004 - 12:24
I have an old computer I still use often that runs win95. I've been having some problems starting, it likes to freeze up and can be very difficult to get going. When I do get it going I have noticed somethings running that I am not sure what they are and suspect they are scumware and possibly part of the problem. I've run adware but it just does not seem to notice or find them. They are

Mkgvarfc.exe in C:\windows

Winkmmy.exe in C:\windows\system

Winh.exe in C:\windows

Anyone have any idea what these are? Is it safe to assume they are scumware and I can get rid of them? Thanks
the WinH.exe file was the only one i was able to find info on with google, and most of teh pages say smoething about adware or spyware at the top so im sure that one is 'scumware'.

try running spysweeper, you can download it from here (http://www.webroot.com) or download the full version from kazaa lite. make sure to update the definitions before running!

Use Ad-Aware or Spybot-S&D to remove it.

I have used both and neither one seem to pick up on these and at least one, Winh is scumware. Guess I'll have to remove it manually. Spybot I just downloaded today and it found a couple I had not noticed before and computer is running better.

yeah, they don't target the many new 'random' stuff that comes out all the time.

download hijack this here (http://www.zerosrealm.com/downloads.php).

scan, save a log, then copy and paste the contents.


cheers

All right dopey. I downloaded the program, ran it, and here is the log, rather large.

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\azexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LXDBOXCP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\ELEGANT TECH\INFO-GUARDIAN\INFOGUARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SVCHOST.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\UNZIPPED\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://81.211.105.9/search.php?v=3
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://81.211.105.9/index.php?v=3
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://81.211.105.9/index.php?v=3
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://in.webcounter.cc/-/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://in.webcounter.cc/-/?ydtfs about:blank (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://in.webcounter.cc/---/?ydtfs (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.pcpages.com/svc/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = http://in.webcounter.cc/--/?ydtfs (obfuscated)
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F1 - win.ini: run=lxdboxcp.exe
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {DB044C3D-979A-A17C-120F-BAFEE81BE095} - C:\windows\system\vkwtbdmr.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O2 - BHO: (no name) - {32BBB93F-1E01-9DAB-E404-F3A72E7C0F08} - C:\windows\system\osnnvlrg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Msdapp] C:\WINDOWS\SYSTEM\Elegant Tech\Info-Guardian\infoguard.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [kxybwpjv] C:\WINDOWS\SYSTEM\kxybwpjv.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
O4 - HKLM\..\Run: [Online Service] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [fovrdtwi] C:\WINDOWS\mkgvarfc.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\RunServices: [azmodem] WINMODEM.101\azexe.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab)
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll
O16 - DPF: Yahoo! Euchre - http://download.yahoo.com/games/clients/y/er1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab (http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab)
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab)
O16 - DPF: ChatSpace Java Client 2.1.0.84N - http://about.chatspace.com/Java/cs4msn084.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab (http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab)
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab (http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx)
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab
O19 - User stylesheet: C:\WINDOWS\Web\tips.ini
O19 - User stylesheet: C:\WINDOWS\hh.htt (HKLM)

:o

make sure you update spybot before scanning.
you also have a coolwebsearch infection.

go back to here (http://www.zerosrealm.com/downloads.php) and download cwshredder. close all browser windows and hit fix.

reboot and post another log.

Thanks dopey. Nice to get rid of that coolwebsearch at last. It's been a real pain in the butt. Had trouble updating spybot tonight. Will try again tomorrow and post a new log then. Getting a little late for me. Thanks again for the link on the CWShedder, it worked great.

I should update on what I found ou regarding the files I mentioned in my first post.

Winkmmy.exe turned out to be a worm, spybot got rid of it. Winh.exe I did find some info on it, it's a worm. Neither adaware or spybot seem to be able to find it so I suppose I'll have to manually remove it. Was unable to find any info on Mkgvarfc.exe and that's the one I suspect is causing me problems.

Thanks everyone

your welcome. :)

but please do some follow up. there is alot more to do.

about the spybot update problem: a little trick that seems to help is to start the program--> search for updates--> switch the server. Unido (Europe) is the default selection. In the dropdown box, the Eon (Australia) server works best for me.

cheers.

dopey

ok, I have run spybot again. It still will not let me update nor will it let me switch servers. I ran hijack this again and have a new log. It's still rather large. The computer is running much better but a long way from perfect. I still have not discovered what this MKgvarfc.exe is. I've mad several searches on google and no luck. The winh.exe is still there spybot and adaware both don't seem to see it so I suppose I should remove it manually. I though that spybot had taken care of winkmmy.exe but I'm not so certain. I received a message earlier today that winkmmy.exe had performed an illegal operation, etc so it may still be there. What would you advise next?


Logfile of HijackThis v1.97.7
Scan saved at 12:10:10 PM, on 3/16/04
Platform: Windows 95 B (Win9x 4.00.1212)
MSIE: Internet Explorer v5.00 (5.00.2919.6304)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\azexe.exe
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\LXDBOXCP.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\WINDOWS\SYSTEM\LOADWC.EXE
C:\WINDOWS\SYSTEM\ELEGANT TECH\INFO-GUARDIAN\INFOGUARD.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\UNZIPPED\HJT\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://msnmember.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by MSN
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.pcpages.com/svc/index.html
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F1 - win.ini: run=lxdboxcp.exe
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {DB044C3D-979A-A17C-120F-BAFEE81BE095} - C:\windows\system\vkwtbdmr.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O2 - BHO: (no name) - {32BBB93F-1E01-9DAB-E404-F3A72E7C0F08} - C:\windows\system\osnnvlrg.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [MSWHEEL] C:\WINDOWS\SYSTEM\mswheel.exe
O4 - HKLM\..\Run: [POINTER] C:\MSINPUT\point32.exe
O4 - HKLM\..\Run: [BrowserWebCheck] loadwc.exe
O4 - HKLM\..\Run: [Msdapp] C:\WINDOWS\SYSTEM\Elegant Tech\Info-Guardian\infoguard.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [kxybwpjv] C:\WINDOWS\SYSTEM\kxybwpjv.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [fovrdtwi] C:\WINDOWS\mkgvarfc.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [Winkmdd] C:\WINDOWS\SYSTEM\Winkmdd.exe
O4 - HKLM\..\RunServices: [azmodem] WINMODEM.101\azexe.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: Crystal 3D Audio Control.lnk = C:\WINDOWS\CWB3DSND.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O12 - Plugin for .mpeg: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin2.dll
O12 - Plugin for .mp3: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mov: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O13 - WWW. Prefix: http://
O14 - IERESET.INF: START_PAGE_URL=http://msnmember.msn.com
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab (http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab)
O16 - DPF: {0FC6BF2B-E16A-11CF-AB2E-0080AD08A326} - http://www.liveupdate.com/controls/getcab2.dll
O16 - DPF: Yahoo! Euchre - http://download.yahoo.com/games/clients/y/er1_x.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab (http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab)
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} (MSN Chat Control 4.2) - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potb_x.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080...all/xscan53.cab (http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab)
O16 - DPF: ChatSpace Java Client 2.1.0.84N - http://about.chatspace.com/Java/cs4msn084.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} (ContentAuditX Control) - http://a840.g.akamai.net/7/840/5805/v1503/...uditControl.cab (http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab)
O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundl...ArcadeRdxIE.cab (http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab)
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx (http://us.games2.yimg.com/download.games.yahoo.com/games/play/client/exentctl_0_0_0_1.ocx)
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab

Should I go ahead and remove these manually? Also, I've heard or read that when you remove these and edit the registry you do so while the computer is running in safe mode. Is this true?

Hi,
well, first you should fix them with hijack this. ;)

rescan and check the following items:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pcpages.com/svc/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.pcpages.com/svc/index.html

R3 - Default URLSearchHook is missing

O1 - Hosts: 217.116.231.7 aimtoday.aol.com
O1 - Hosts: 217.116.231.7 aimtoday.aol.com

O2 - BHO: (no name) - {baf6dcf8-7c5f-476b-ae4a-79f05b783a83} - (no file)
O2 - BHO: (no name) - {DB044C3D-979A-A17C-120F-BAFEE81BE095} - C:\windows\system\vkwtbdmr.dll
O2 - BHO: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)
O2 - BHO: (no name) - {32BBB93F-1E01-9DAB-E404-F3A72E7C0F08} - C:\windows\system\osnnvlrg.dll

O3 - Toolbar: (no name) - {71ED4FBA-4024-4bbe-91DC-9704C93F453E} - c:\progra~1\iesearchbar\iesearchbar.dll (file missing)

O4 - HKLM\..\Run: [kxybwpjv] C:\WINDOWS\SYSTEM\kxybwpjv.exe
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\SYSTEM\stcloader.exe
O4 - HKLM\..\Run: [Winkmmy] C:\WINDOWS\SYSTEM\Winkmmy.exe
O4 - HKLM\..\Run: [System Service] C:\WINDOWS\SYSTEM\MSREXE.EXE
O4 - HKLM\..\Run: [fovrdtwi] C:\WINDOWS\mkgvarfc.exe
O4 - HKLM\..\Run: [winnet] C:\PROGRA~1\COMMON~2\ADDRES~1\WINNET.EXE
O4 - HKLM\..\Run: [WinFavorites] C:\PROGRAM FILES\WINFAVORITES\WINFAVORITES.exe1
O4 - HKLM\..\Run: [Winhost] C:\WINDOWS\winh.exe
O4 - HKLM\..\Run: [Winkmdd] C:\WINDOWS\SYSTEM\Winkmdd.exe

O13 - WWW. Prefix: http://

O16 - DPF: {A19A291A-9653-4498-93F6-5BA06CF699D8} - http://download.peopleonpage.com/pop/adx/PopLoad.cab
O16 - DPF: ConferenceRoom Java Client - http://chat.strictlyhosting.com:8080/java/cr.cab
O16 - DPF: {26E8361F-BCE7-4F75-A347-98C88B418322} - http://dst.trafficsyndicate.com/Dnl/T_99/QDow.cab

close all browser windows and hit fix checked. Reboot in safe mode (hit f8 during start) and delete the following:
C:\WINDOWS\SYSTEM\kxybwpjv.exe
C:\WINDOWS\SYSTEM\stcloader.exe
C:\WINDOWS\SYSTEM\Winkmmy.exe
C:\WINDOWS\SYSTEM\MSREXE.EXE
C:\WINDOWS\mkgvarfc.exe

C:&#092;PROGRAM FILES&#092;WINFAVORITES <----- folder

check to see if common name winnet is listed in the control panel&#39;s add/remove programs. Use that to uninstall, if not, delete the
C:&#092;PROGRAM FILES&#092;COMMONNAME <---- folder

try one of these online virus scans:
http://housecall.trendmicro.com/housecall/start_corp.asp
http://www3.ca.com/virusinfo/virusscan.aspx

Reboot and post a new log if you still have problems.

Thanks dopey, I&#39;ll try that tonight or tomorrow. The housecall anti virus you posted I have used before and it always worked well. Tried it a few days ago and as soon as it started loading the web page turned off.

I&#39;ll let you know how it works out. Thanks