#1
oldman gets up nerve
I'm sure you are thoroughly sick of the hijack probs, but since I'm pretty sure that I have one and am getting up the nerve to tackle it myself, with help from you all, I'm going to impose on you all.

Logfile of HijackThis v1.98.2
Scan saved at 12:25:44 AM, on 11/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ray.Wood\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sureseeker.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\PROGRA~1\MCAFEE\MCAFEE~1\FIRSTA~1\HTML\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://communities.msn.com/central/helium/en-us/uni/msnchat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D08CA307-A4B4-4952-A235-B2B62866993A}: NameServer = 64.136.20.133 64.136.28.133

I love computers and have been fooling with them for a while but getting into the registry is something I've avoided so should be a great learning experience for me. Thanks for helping with what must be a mundane subject, Raybob

PS This is an old Dell computer, Pentium II, that I put together and just had got on line when I got the virus. I hadn't downloaded any protection for it and that wasn't smart. But there isn't anything of value on this old Dell. I just hate being a victim of these thugs. I read and reread the other posts on this subject but I'm still not sure what to hold and what to fold.

Last edited by raybobus : November 29th, 2004 at 12:35 PM. Reason: other things to say
#2
not clear
I guess I wasn't very clear in saying that it was just an old Dell computer, that's true, but more importantly, it's the only one I have. I'd sure like some help with it. My problem is like a broken finger on a cancer ward, but I'm still hurting, and my problem may not be enough, or too common to attract any attention. If that's true, would someone direct me to a place that would find it more interesting, please?
Thank you, raybob
#3
Quote:
I will fix the log. I'll edit later with it, ok?
#4
thanks for the response
Sorry I'm so late in getting back to you. Any help would be much appreciated. I'll do whatever is necessary on my end. Thanks again, raybob
#5
latest log
Here's the latest log

Scan saved at 10:49:47 PM, on 12/7/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ray.Wood\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sureseeker.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\PROGRA~1\MCAFEE\MCAFEE~1\FIRSTA~1\HTML\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://communities.msn.com/central/helium/en-us/uni/msnchat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D08CA307-A4B4-4952-A235-B2B62866993A}: NameServer = 64.136.20.133 64.136.28.133
#6
Hi RayBob,
I like tinkering with computers too.

You might want to print these instructions for reference or copy and paste them into notepad and save them on your desktop, as you will be off the internet while using HijackThis. If you have any questions before starting the fix, please don't hesitate to ask!

Logoff your internet connection. Run HijackThis, click scan, place a checkmark next to the following items. Close all browsers and any other windows or the fix may not work! Click "fix checked". It is OK if some of these items are no longer listed.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sureseeker.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\PROGRA~1\MCAFEE\MCAFEE~1\FIRSTA~1\HTML\blank.htm
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab

Next... Boot into Safe Mode. Reboot your computer, start tapping F8 when it first starts booting, select Safe Mode.

Make sure your computer is configured to show all files and folders. Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden Files and Folders heading select Show Hidden Files and Folders. Uncheck hide extensions for known file types. Uncheck the Hide Protected Operating System Files option. Click Yes to confirm. Click OK.

Search for and delete the following files. They may not be present, but please check anyway:
seekerjs.js
trojan.js.seeker.h.exe
trojan.js.seeker.o

Next.... Go to Start > Run > type "cleanmgr" (without the quotes). > Select the drive to clean up (usually C ) > Place a checkmark next to the following:
Temporary Internet Files
Recycle Bin
Temporary Files
Then click OK. Reboot normally.

Next... Perform an online virus scan from this site: Trend Micro Housecall - Select all of your drives for scanning. Please check "Auto clean" before scanning. http://housecall.trendmicro.com/

If you can, copy and paste the report logs from the scans into your next post. Please post a fresh HijackThis log.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickies at the top of the forum before posting!
#7
thanks for your help
Quote:
Thanks for all your help. I saw you do this for someone else and it was like a laying on of hands and you and he fixed (heal! heal!!) his computer. I'll do everything just as you asked, I hope, and send another log. Again, thanks for the help, Raybob
#8
Happy to help RayBob!
Post a fresh log when you get the time. This infection may take more than one go-round to get it cleaned-up. Tom
#9
more stuff showing up
This may take longer than we thought, but I'll hang in if you will. I couldn't copy from the scan site so I just wrote it down. First, the hijack scan.
StartupList report, 12/10/2004, 9:16:34 AM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Ray.Wood\Desktop\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Ray.Wood\Desktop\HijackThis.exe
C:\Program Files\Juno\bin\juno.exe
C:\Program Files\Internet Explorer\iexplore.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\Ray.Wood\Start Menu\Programs\Startup]
SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
SystemTray = SysTray.Exe
Synchronization Manager = mobsync.exe /logon
B'sCLiP = C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
THGuard = "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
WinPatrol = C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Enumerating Browser Helper Objects:
SpywareGuard Download Protection - C:\Program Files\SpywareGuard\dlprotect.dll - {4A368E80-174F-4872-96B5-0B27DDD11DB2}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Task Scheduler jobs:
Tune-up Application Start.job
--------------------------------------------------
Enumerating Download Program Files:
[HouseCall Control]
InProcServer32 = C:\WINDOWS\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
[MSN Chat Control 3.0]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MSNCHAT30.OCX
CODEBASE = http://communities.msn.com/central/helium/en-us/uni/msnchat.cab
[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38307.7408333333
[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\macromed\flash\swflash.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
Network.ConnectionTray: C:\WINDOWS\system32\NETSHELL.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: stobject.dll
--------------------------------------------------
End of report, 5,321 bytes
Report generated in 1.562 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Here's what they found at the on line scan:

virus scan result file
TROJ ISTBAR.FZ non cleanable
WORM BBMAIL.A " " C:\Program Files\bbmail15.exe
WORM BBMAIL.A " " C:\Program Files\bbmail15.zip

I am having trouble getting a log file copied and posted. That is embarrassing. I may be too rummy from looking at this screen too long. I'll be back, raybob
#10
got it
It finally worked right
wasn't letting save the log but I rebooted and it worked fine. Here it is.

Logfile of HijackThis v1.98.2
Scan saved at 10:39:26 AM, on 12/10/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\msdtc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\mqsvc.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\minilog.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\Ray.Wood\Desktop\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.worldnet.att.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\PROGRA~1\MCAFEE\MCAFEE~1\FIRSTA~1\HTML\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by AT&T WorldNet Service
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [B'sCLiP] C:\PROGRA~1\B'SCLI~1\Win2K\BSCLIP.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.0\THGuard.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://communities.msn.com/central/helium/en-us/uni/msnchat.cab

Tom, thanks again for all the help. Getting into the inside of the computer will really force you to pay attention and learn and do love to "tinker" with it, and, by the way, you are much too modest as to your ability with them. Raybob
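Added example, not part of any post in this thread: a Python sketch that splits a HijackThis log paste (one entry per line, or run together on one line) into entries, then checks a fresh log against the items that were flagged for fixing and lists what is new. The function names are hypothetical, the section-code pattern is an assumption based on the codes seen in these logs, and the sample strings are abridged from the logs and fix list posted above.

```python
import re

# Entry lines start with a section code (R0, R1, O2, O4, O16, ...) then " - ".
# Assumption: codes limited to the R/F/N/O groups; a code must begin the text
# or follow whitespace, so " - " inside a path or URL does not split an entry.
START = re.compile(r"(?:^|(?<=\s))(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

def parse_entries(text):
    """Return [(section_code, detail), ...] from a HijackThis log paste."""
    starts = list(START.finditer(text))
    entries = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        # A blank line ends an entry, so prose typed after the log is dropped.
        chunk = re.split(r"\n\s*\n", text[m.end():end])[0]
        detail = " ".join(chunk.split())  # rejoin entries wrapped mid-line
        if detail:
            entries.append((m.group(1), detail))
    return entries

def _key(entry):
    # Registry paths and file names are case-insensitive on Windows.
    return (entry[0], entry[1].casefold())

def still_present(flagged_text, fresh_log):
    """Flagged entries that a later log still reports."""
    fresh = {_key(e) for e in parse_entries(fresh_log)}
    return [e for e in parse_entries(flagged_text) if _key(e) in fresh]

def new_entries(old_log, fresh_log):
    """Entries in the later log that the earlier log did not contain."""
    old = {_key(e) for e in parse_entries(old_log)}
    return [e for e in parse_entries(fresh_log) if _key(e) not in old]

# Sample data abridged from this thread (fix list, 12/7 log, 12/10 log).
FLAGGED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sureseeker.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\PROGRA~1\MCAFEE\MCAFEE~1\FIRSTA~1\HTML\blank.htm
O16 - DPF: {386A771C-E96A-421F-8BA7-32F1B706892F} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_regular.cab
"""
BEFORE = FLAGGED + r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/
O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://communities.msn.com/central/helium/en-us/uni/msnchat.cab
"""
# Run together on one line, the way a forum paste often arrives.
AFTER = (
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://juno.com/ "
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\PROGRA~1\MCAFEE\MCAFEE~1\FIRSTA~1\HTML\blank.htm "
    r"O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab "
    r"O16 - DPF: {81361155-FAF9-11D3-B0D3-00C04F612FF1} (MSN Chat Control 3.0) - http://communities.msn.com/central/helium/en-us/uni/msnchat.cab"
)

if __name__ == "__main__":
    for code, detail in still_present(FLAGGED, AFTER):
        print("still listed:", code, "-", detail)
    for code, detail in new_entries(BEFORE, AFTER):
        print("new since last log:", code, "-", detail)
```
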
#11
Using My Computer or your computer's search function, browse to these files and delete them. You may have to boot into Safe Mode to remove them.
C:\Program Files\bbmail15.exe
C:\Program Files\bbmail15.zip

Next... I'd like you to download the Istbar Removal Tool from Symantec:

Removal using the Adware.Istbar Removal Tool: Symantec Security Response has developed a removal tool for Adware.Istbar. Use this removal tool first, as it is the easiest way to remove this threat. The tool can be found here: http://securityresponse.symantec.co...er/FxIstbar.exe

Download the tool to a convenient place such as your desktop, close all other windows and browsers and run it. The current version of the tool is version 1.0.7. It will have a digital signature timestamp of 23 November 2004 04:45:25 AM PST

Note:
* The date and time displayed will be adjusted to your time zone, if your computer is not set to the Pacific time zone.
* The removal tool may terminate Internet Explorer and Windows Explorer. It is recommended that users save their work and log out of these programs before running the removal tool.
* The removal tool will reset the Internet start page to a blank page. The start page can be modified by clicking on Tools > Internet Options in Internet Explorer.
* The removal tool will not delete some harmless Temporary Internet files, which Adware.Istbar created, in C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files. These can be manually deleted using the following steps:
1. Start Internet Explorer.
2. Click Tools > Internet Options.
3. In the Temporary Internet Files section, then click the Delete Files button.
4. Check Delete all offline content, and then click OK.

Tom
#12
this is great
I'm hot on the trail of getting this together. Thanks, Tom