Whenever I log onto the internet and then get on a P2P everything works fine until I exit the P2P and log off the internet. When I try to re-log the computer connects fine and everything, but when I try to go to a webpage, check my e-mail, get on AIM, or get back on the P2P, all of them act like the computer isnt connected to the internet.

For webpages I recieve the following error in the address bar....
res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm#http://www.google.com/
And the webpage reads, "The Page Cannot Be Displayed", doesnt matter which site I try to go to, none of them work.

And the only way that I know of to fix this, is to restart my computer. Then everything works fine until I get on the net, P2P, exit, log off the net and try to log back on the net.

Any ideas?

The only solutions I see is to somehow reinstall IE, or to reinstall Windows

Thanks


P4 2.66ghz
512mb DDR Ram
120gig Total HD Space

IE 6
AOL 9.0 (ive experienced this problem with older versions too)
Windows XP Home

This computer is about 5 months old, and I've been having this problem for probably 2 or 3 months now.

I've tried using the repair guides on Microsofts website, but they didnt work, I even did the one when I have to edit my registry....didnt work.
And where can I download a full version of IE 6? The version that I downloaded somewhere, after trying Microsofts guides still tell me that IE is installed.

In \windows\system32\drivers\etc make a copy of the file "hosts" and rename that e.g. "hosts.org".

Now edit the file "hosts" and empty everything in it except

127.0.0.1 localhost


Reboot, should solve it.

Nope, it didnt work :-(. Just in case I messed something up I copied the whole folder as a backup.

Well I took screenshots of the Before and After of the Folder and File to show what I did, but Geocities doesnt allow Hot-linking (i think thats what its called), so if someone knows a good place to host pics, I'll be greatful....
Thanks

Try using the TechSpot gallery.

TechSpot Gallery

Try and do a repair of your IE6 (control panel, add/remove programs, add/remove Windows components).
Apply SP1 if you have not done so.

Lots of (UK-based) mags have IE6 on the enclosed CD's, as do a lot of ISP's that hand out their free installation CD's (like Tiscali).
Those may be branded, but you can change that afterwards.

I tried the repair, there were multible components selected at first so I un-checked them all but the internet explorer. And clicked next, it peformed the process quickly but I saw it also list the programs that I deselected, after it was done it told me to reboot so I did....
And now my Start menu is totally re-arranged for some reason, and Paint isnt listed anymore.
I'll look through some CD's and see if I can find one that has IE on it.
Thanks

I get the same IE screen on occasion, but with a difference. The URL showing on mine is res://c:\windows\system32\shdoclc.dll/navcancl.htm#http://www.innocentange. The top blue portion of the fake IE screen says "Buy Meds Online Pharmacy". It cannot be moved or removed without shutting down or restarting my computer AND it is there only to hide the fact that behind the unmovable screen, it automatically opens an e-mail to send my screen name and password to an e-mail address with domain based on a little island in the Indian Ocean. On the bright side, I sign on with a screen name from which I allow no e-mail to be sent so it doesn't go anywhere. Very frustrating.

Welcome to Techspot

Your browser has been Hijacked.
Go here and D/L HijackThis from:
http://www.tomcoyote.org/hjt/
Install it in its own, permanent directory, before you run it.
Follow the instructions given on the website.

Problems

Hi I have serious problems with my computer. I run Adware and Spyware and Spyblaster everyday Usually more than once a day. I read through some of these posts and I think based on what you have said I have been hijacked. I already took the steps and this is my log. Thanks for your help.

Logfile of HijackThis v1.99.0
Scan saved at 10:10:24 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Blubster\Blubster.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\BCACHEW.exe
C:\WINDOWS\System32\Llzrgzf.exe
C:\WINDOWS\System32\VwgeT7A.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\usrfaxa.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.osu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.osu.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.osu.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SRLE32M] C:\WINDOWS\System32\SRLE32M.exe
O4 - HKLM\..\Run: [SAFDM] C:\WINDOWS\System32\SAFDM.exe
O4 - HKLM\..\Run: [edl] C:\WINDOWS\System32\edl.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Gsdqx6.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [BCACHEW] C:\WINDOWS\System32\BCACHEW.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [xolehlp] C:\WINDOWS\System32\xolehlp.exe
O4 - HKCU\..\Run: [usrfaxa] C:\WINDOWS\system32\usrfaxa.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O23 - Service: McAfee.com McShield - Unknown - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe

If you can, update your HJT program first. If some obnoxious program won't let you, use the current version, and update afterwards.

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
TASKMGRU.EXE
Blubster.exe
MSIMN32.EXE
BCACHEW.exe
Llzrgzf.exe
VwgeT7A.exe
usrfaxa.exe
SRLE32M.exe
SAFDM.exe
edl.exe
Gsdqx6.exe
xolehlp.exe

Next, try to UNinstall anything to do with:
C:\Program Files\Blubster\Blubster.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
C:\WINDOWS\System32\TASKMGRU.EXE
C:\Program Files\Blubster\Blubster.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\BCACHEW.exe
C:\WINDOWS\System32\Llzrgzf.exe
C:\WINDOWS\System32\VwgeT7A.exe
C:\WINDOWS\system32\usrfaxa.exe
==>> www.osu.edu is probably your home-page, but 'fix' it for now anyway. <<==
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.osu.edu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.osu.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = www.osu.edu
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll/sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = http://localhost
R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKLM\..\Run: [Blubster] C:\Program Files\Blubster\Blubster.exe SILENT
O4 - HKLM\..\Run: [SRLE32M] C:\WINDOWS\System32\SRLE32M.exe
O4 - HKLM\..\Run: [SAFDM] C:\WINDOWS\System32\SAFDM.exe
O4 - HKLM\..\Run: [edl] C:\WINDOWS\System32\edl.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Gsdqx6.exe
O4 - HKLM\..\Run: [BCACHEW] C:\WINDOWS\System32\BCACHEW.exe
O4 - HKLM\..\Run: [sp] rundll32 C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp\se.dll,DllInstall
O4 - HKCU\..\Run: [xolehlp] C:\WINDOWS\System32\xolehlp.exe
O4 - HKCU\..\Run: [usrfaxa] C:\WINDOWS\system32\usrfaxa.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: NDWCab - http://www.neededware.com/NDWCab.CAB
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

Now click on the Fix Checked button in HJT.
When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\DOCUME~1\LINDSE~1\LOCALS~1\Temp
Boot normal. When all OK, switch System Restore back on.

When I open a browser, a window with this URL appears:


res://C:\WINDOWS\System32\shdoclc.dll/navcancl.htm


In \windows\system32\drivers\etc host file the only text is:

127.0.0.1 localhost


When I press 'home' on the browser I just get more and more pop up windows.

From the previous posts in this string I see that I have a virus or spyware.

I would be very greatful for some advice to help me get rid of it.

I've followed some of the above instructions, ran my computer in safe mode and used the hijackthis software.

I did run it in the 'program files' folder but I still got the message that I was running it in a temp folder?

Neverthless, this is the readout.

I'm unqualified to understand what all this means hence I would be very thankful for some help.




Logfile of HijackThis v1.99.1
Scan saved at 3:13:53 PM, on 4/23/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.se1.attbb.net;<local>
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Start Green eKeySetup....lnk = C:\Program Files\eKeys\eKeySetup.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1110512722488
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Start with moving HijackThis from:
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
to a permanent directory like:
C:\Program Files\HJT

Boot in Safe Mode.
Switch System restore OFF.
Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
TASKMGRU.EXE
MSIMN32.EXE

Unless this is software for your PDA, UNinstall anything to do with this:
C:\Program Files\eKeys\eKeySetup.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\MSIMN32.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = sas.se1.attbb.net:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.se1.attbb.net;<local>
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O3 - Toolbar: SToolbar - {0E1230F8-EA50-42A9-983C-D22ABC2EED3B} - C:\WINDOWS\stlbd.dll
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
Unless this 'O4 - Global' is software for your PDA, 'fix' eKey:
O4 - Global Startup: Start Green eKeySetup....lnk = C:\Program Files\eKeys\eKeySetup.exe
O16 - DPF: {11111111-1111-1111-1111-111111111111} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1110512722488

Now click on the Fix Checked button in HJT.

When done, delete the highlighted bold files. When a directory-name is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Boot normal. When all OK, switch System Restore back on.

Thanks for the reply.

I followed your instructions but the problem still persists.

When I tried to:

Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:
TASKMGRU.EXE
MSIMN32.EXE

I noticed that both files immediately reappeared at the top of the menu.

I did the fix using HJT as instructed. It cleared a lot of files but as you can see from the log below some fixed files are still there.

I definitely checked and fixed these files.

I deleted the temp files as you instructed. I went to ‘find’ as asked it to search for all files with “temp” in the C: drive.

By the way, the computer’s D: drive is labeled SYSTEM and has a lot of program files within it.

I would be very grateful if you could further instruct me.

My log now looks like this:

Logfile of HijackThis v1.99.1
Scan saved at 3:58:45 PM, on 4/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\MSIMN32.EXE
C:\WINDOWS\System32\TASKMGRU.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default.home
O2 - BHO: BHDP Class - {1A1488CB-8028-49ba-AD19-18D13CDC650F} - C:\WINDOWS\bhoass.dll
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [TASKMGRU] C:\WINDOWS\System32\TASKMGRU.EXE
O4 - HKCU\..\Run: [MSIMN32] C:\WINDOWS\System32\MSIMN32.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

This is a 'toughie'.
But I found the solution for you.
I could repeat everything here, but this is not MY knowledge, so kudos go to the originators!

http://www.techsupportforum.com/computer/topic/49162-1.html

Good luck

Side affect

Thanks for directing me there. I followed the instructions and it looks like the problem files have gone; but there is a side affect. When I boot up, there is no taskbar, or icons on my desktop.

This is what I did:

In safe mode I used the Mwav.exe files to locate virus and Trojans. It identified a bunch of files. I deleted each of these files using KillBox.

The files included:

C:\WINNT\bhoass.dll
C:\WINNT\system32\MSIMN32.EXE
C:\WINNT\system32\TASKMGRU.EXE
C:\WINNT\system32\iexplore_dbg.exe
C:\WINNT\system32\expolrer32dbg.exe

I told KillBox to delete on reboot.

Then when I rebooted (I have XP), I used my password to access, but the taskbar and desktop icons were missing. I still have a cursor.

It looks like the

C:\WINDOWS\system32\MSIMN32.EXE
C:\WINDOWS\system32\TASKMGRU.EXE

files have gone since when I press ATL CTRL DEL they are not present as processes.

Would you by any chance know how I can restore my taskbar and icons to my desktop?

Thank you for your help.

Follow this link:
http://forums.wugnet.com/-Taskbar-ftopict352567.html