hotoffers.info problem [resolved]


This topic is locked

#1
the_dude_ (New Member, 4 posts)
I was downloading some emulators/roms a couple of days ago, when all of a sudden pop-ups from www.hotoffers.info kept popping up.
for example:

Error #317 – Microsoft Windows Security Warning X

X Your Windows is corrupted with spyware virus.
You must patch your PC urgently to protect your system.
Private info is accessed by ports:

-8080
-3128

You can patch your PC for free now and delete all spyware viruses.

Click OK to chose and download free spyware removal using AntiSPY


OK Cancel


Also it has changed my homepage to this site. I have run Norton Antivirus, Spybot - S&D, and Ad-Aware, but to no avail. Hoping you could give me a hand.

thanks

Conrad

Here is my hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 5:36:15 PM, on 4/2/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CANON\MULTIPASS4\MPDBMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\WINDOWS\netdde.exe
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\PTOO.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\WINWORD.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\MY DOCUMENTS\CONRAD\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {DE52096E-C6D5-C722-FE79-C8C9DEC06E95} - C:\WINDOWS\SYSTEM\UVIS.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\Run: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\RunServices: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\RunServices: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunServices: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-...sapplet-epf.cab

#2
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Hi Conrad, welcome to Geeks to Go!

Download CleanUp!.
Don't run the program, we'll do that later.

***

Download Pocket Killbox.
Unzip the files to a folder like c:\killbox\
Don't run the program, we'll do that later.

***
Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):
C:\WINDOWS\netdde.exe
C:\WINDOWS\SYSTEM\PTOO.EXE

press ‘back’

***

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/

R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)

O2 - BHO: (no name) - {DE52096E-C6D5-C722-FE79-C8C9DEC06E95} - C:\WINDOWS\SYSTEM\UVIS.DLL

O4 - HKCU\..\Run: [Clock] C:\WINDOWS\netdde.exe

O4 - HKCU\..\Run: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe

O4 - HKCU\..\Run: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe

O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\netdde.exe

O4 - HKCU\..\RunServices: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe

O4 - HKCU\..\RunServices: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab

O16 - DPF: TruePass EPF 7,0,100,684 - https://blrscr3.egs-...sapplet-epf.cab

Click on Fix Checked when finished and exit HijackThis.

****Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.
***

Find and doubleclick the file cleanup312.exe.

Go to option
Select ‘custom’
Put a check to:
* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, do not log off.

***

Run Killbox (doubleclick Killbox.exe).

Run it, and click the radio button that says Delete a file on reboot. For each of the files in the box, paste them one at a time into the full path of file to delete box and click the red circle with a white cross in it.

The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.

C:\WINDOWS\netdde.exe
C:\WINDOWS\SYSTEM\tezw.exe
C:\WINDOWS\SYSTEM\ptoo.exe
Let the system reboot.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

***

Reboot the system again. Post back in this topic with a fresh log using HijackThis.

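The entries g2i2r4 picked out of the log in #1 follow a pattern a helper applies by eye: a start page pointing at a domain the user never chose, a search hook whose file is already gone, an unnamed BHO loading a DLL out of the Windows directory, and Run/RunServices values whose names (Clock, Ixcxkyik, Spmr) bear no relation to the executables they launch. The script below is an added example for this thread, not HijackThis code and not the helper's own rules; it encodes that reading as a parser over the HijackThis 1.99 line format and reproduces the same list from lines copied out of the first log. The allow-lists of trusted start-page hosts and of known Windows 98 startup executables, and the name-mismatch heuristic, are this example's assumptions. O16 (ActiveX download) entries are not handled because the URLs in the post are truncated.

```python
"""Triage a HijackThis 1.99 log: pick out the entries a helper would tell the user to "Fix checked".

Added example for this thread, not HijackThis code and not the helper's published rules.
The sample lines are copied from the first log posted above (O16 lines are left out);
the allow-lists and the name-mismatch heuristic are this example's own assumptions.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the R0/R3/O2/O4 lines from the log in post #1.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {DE52096E-C6D5-C722-FE79-C8C9DEC06E95} - C:\WINDOWS\SYSTEM\UVIS.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\Run: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\Run: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
O4 - HKCU\..\RunServices: [Clock] C:\WINDOWS\netdde.exe
O4 - HKCU\..\RunServices: [Ixcxkyik] C:\WINDOWS\SYSTEM\tezw.exe
O4 - HKCU\..\RunServices: [Spmr] C:\WINDOWS\SYSTEM\ptoo.exe
"""

# Assumption: Windows 98 startup executables that legitimately live in the Windows directory
# and may be registered under a value name that does not resemble the file name.
KNOWN_WINDOWS_STARTUP = {"scanregw.exe", "taskmon.exe", "systray.exe", "rundll32.exe", "mstask.exe"}
# Assumption: hosts a user plausibly chose as a start page; anything else is treated as a hijack.
TRUSTED_START_PAGE_HOSTS = {"www.msn.ca", "www.msn.com", "www.google.com", "www.microsoft.com"}

O2_RE = re.compile(r"^O2 - BHO: (.+?) - \{[0-9A-F-]+\} - (.+)$")
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'"([^"]+)"|(\S+(?: \S+)*?\.exe)', re.IGNORECASE)


def _exe_path(command):
    """Executable from a Run value: a quoted path, or an unquoted path (spaces allowed) ending in .exe."""
    m = EXE_RE.match(command)
    return (m.group(1) or m.group(2)) if m else command.split(" ")[0]


def _in_windows_dir(path):
    """True for files under the Windows directory, or given as a bare name (resolved through the Windows dirs)."""
    p = path.lower()
    return p.startswith("c:\\windows\\") or "\\" not in p


def _name_tokens(value_name):
    """Words of a Run value name: 'QuickTime Task' -> ['quick', 'time', 'task']."""
    return [t.lower() for t in re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", value_name) if len(t) >= 3]


def triage(log_text):
    """Return [(line, reason)] for the entries that should be fixed; everything else is left alone."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        kind = line.split(" - ", 1)[0]
        reason = None
        if kind in ("R0", "R1"):
            host = urlsplit(line.split(" = ", 1)[1]).hostname or ""
            if host not in TRUSTED_START_PAGE_HOSTS:
                reason = "IE start/search page set to untrusted host " + host
        elif kind == "R3" and line.endswith("(no file)"):
            reason = "URLSearchHook registration whose file is gone (left behind by a hijacker)"
        elif kind == "O2":
            m = O2_RE.match(line)
            if m and m.group(1) == "(no name)" and _in_windows_dir(m.group(2)):
                reason = "unnamed BHO loading a DLL out of the Windows directory"
        elif kind == "O4":
            m = O4_RE.match(line)
            if m:
                hive, key, value_name, command = m.groups()
                exe = _exe_path(command)
                stem = exe.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
                if (_in_windows_dir(exe) and stem + ".exe" not in KNOWN_WINDOWS_STARTUP
                        and not any(tok in stem for tok in _name_tokens(value_name))):
                    reason = f"{hive}\\..\\{key} value [{value_name}] runs {stem}.exe from the Windows directory under an unrelated name"
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(f"FIX  {flagged_line}\n     {why}")
```

Run as a script it prints each flagged line with its reason; the nine lines it picks are exactly the R0, R3, O2 and six O4 entries in the "Fix checked" list above, and a log whose only R0 entry points at msn.ca, like the one in post #5, yields nothing. The heuristic is deliberately narrow: it never flags anything under Program Files, so a hijacker installed there would slip through, and it trusts the hard-coded allow-lists.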
#3
the_dude_ (Topic Starter, New Member, 4 posts)
Hey
Thanks for the help, but I'm still getting pop-ups that change my IE address, and can't change my homepage from hotoffers.info. I've gone through all the steps you said, and here is my updated hijackthis log.

thanks

Conrad


Logfile of HijackThis v1.99.1
Scan saved at 6:10:00 PM, on 4/7/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CANON\MULTIPASS4\MPDBMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\MY DOCUMENTS\CONRAD\HIJACKTHIS.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#4
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Click here to download eScan's mwav application. Double-click it to run it, select all local drives, scan all files, press 'scan' and when it is completed, anything found will be displayed in the lower pane. Highlight it, CTRL C and paste it in your next reply.

***

Click here to download Pocket Killbox by Option^Explicit. Extract it from the zip file then double-click on Killbox.exe to run it.

Select the Delete on reboot option.

In the 'Full Path of File to Delete' box, copy and paste the following, clicking the 'Delete File' button (red circle with a white X) after pasting:
the full path to the file found by eScan. I expect it to be:
C:\WINDOWS\System32\systr.dll. Be sure to paste the one it finds.

It will prompt you to reboot, press the YES button.

***

Open HijackThis.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/278/

Click on Fix Checked when finished and exit HijackThis.
Press 'allow' if Spybot prompts you on a change.

***

Reboot again. Post back here with a fresh log using HijackThis.
Let me know the full path of the file found by eScan.

#5
the_dude_ (Topic Starter, New Member, 4 posts)
HOORAH!! ;) It's looking good! No more pop-ups, and my homepage is back. I can't thank you enough!
You were dead right: the path of the file from eScan was: C:\WINDOWS\System32\systr.dll
There were, however, 36 different 'things' found by eScan:

File C:\WINDOWS\System32\systr.dll infected by "Trojan-Downloader.Win32.Agent.ko" Virus.
File System Found infected by "IEHijacker.Hotoffers Spyware/Adware" Virus.
File C:\WINDOWS\SYSTEM\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus.
File C:\WINDOWS\SYSTEM\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus.
File C:\WINDOWS\Application Data\ptoo.exe infected by "not-a-virus:AdWare.PurityScan.ap" Virus.
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\Audio programs set up\band-in-a-box\setupbb8.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\Audio programs set up\waves\SetupWaves.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\New FolderOliver\NAlite music\music\FinWinNotePad.exe tagged as not-a-virus:Tool.Win32.Reboot..
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\unzipped\RA-VSTFA\setupvst.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\unzipped\fruity~2\FruityTS404crk1.EXE tagged as not-a-virus:Cracker.AssasinPatch.
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\My doc stuff\Conrad\My Cool Stuff\trojancleaner3.exe tagged as not-a-virus:Tool.Win32.Reboot.
File C:\WINDOWS\Desktop\Desktop old\my documents from old\downloades and installations\ACW21T.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\WINDOWS\Desktop\Desktop old\my documents from old\downloades and installations\Downloads and installations\SimSynth27DemoInstall.EXE tagged as not-a-virus:Tool.Win32.Reboot..
File C:\WINDOWS\Desktop\Desktop old\my documents from old\downloades and installations\Downloads and installations\soundforumsynth.zip tagged as not-a-virus:Tool.Win32.Reboot.
File C:\Program Files\CD-Writer Plus\E-Reg\Jixxazip.exe tagged as not-a-virus:Tool.Win32.Reboot.
File C:\My Documents\Conrad\backups\backup-20050407-180921-869.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken:
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0005810.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0005962.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0005992.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0006003.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0006087.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0006096.EXE tagged as not-a-virus:Cracker.AssasinPatch..
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0006384.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\Files From Old Drive\audio\Waves\SetupWaves.EXE tagged as not-a-virus:Tool.Win32.Reboot..
File C:\Files From Old Drive\Program Files new reinstall\Online Services\AT&T\ATTSETUP.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000003.EXE infected by "Trojan-Downloader.Win32.WinShow.p" Virus.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000026.VXD infected by "not-a-virus:AdWare.BargainBuddy.n" Virus.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000027.EXE infected by "not-a-virus:AdWare.Aureate" Virus..
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000028.ZIP tagged as not-a-virus:RiskWare.mIRC.5.6.1.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000032.EXE infected by "not-a-virus:AdWare.WinAD" Virus.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000035.EXE tagged as not-a-virus:RiskWare.mIRC.6.03..
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000036.EXE tagged as not-a-virus:RiskWare.mIRC.6.01.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000038.EXE infected by "not-a-virus:AdWare.Cydoor" Virus..
File C:\Files From Old Drive\UNZIPPED\tgpluginsetup[1]\tgpluginsetup.exe tagged as not-a-virus:Tool.Win32.Reboot.
File C:\Files From Old Drive\WINDOWS\WT\WTVH.DLL infected by "not-a-virus:AdWare.WildTangent.b" Virus.
File C:\Files From Old Drive\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip infected by "Password-protected-EXE" Virus.

You took care of the first one. Should I worry about any others? My Ad-Aware, Spybot, and Norton AntiVirus aren't catching them.

but here is a fresh hjt log

thanks again
conrad

Logfile of HijackThis v1.99.1
Scan saved at 8:00:03 PM, on 4/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCSETMGR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM FILES\CANON\MULTIPASS4\MPDBMGR.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCSVC.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
C:\PROGRAM FILES\COMMON FILES\REAL\UPDATE_OB\REALSCHED.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\SNDSRVC.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\MY DOCUMENTS\CONRAD\HIJACKTHIS.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVW32.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.ca/
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Symantec Core LC] C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMON.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
O4 - HKLM\..\RunServices: [ccSetMgr] "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"
O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O12 - Plugin for .pdf: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by102fd.bay10...es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by102fd.bay10...ex/HMAtchmt.ocx
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab

#6
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
Well done, the log looks clean.

Now for some cleanup:

File C:\WINDOWS\System32\systr.dll infected by "Trojan-Downloader.Win32.Agent.ko" Virus.
You did remove this one, didn't you?

Remove the files found.

File C:\My Documents\Conrad\backups\backup-20050407-180921-869.dll
This is a backup from Conrad. Open Conrad to remove its backup.

File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\
Remove the folder.

The rest of the stuff came from your old drives. You kept them (and the leftovers from previous infections). Remove them.

Reboot the system.

Your computer should be clean now.

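The 36 findings in post #5 are three different kinds of thing, which is why the helper treated them differently in #6: one live trojan DLL and one hijacked setting that had to go at once, adware and installer "reboot tool" tags on files still sitting on the live system, and copies parked in HijackThis backups, Norton's protected recycle bin, a System Restore point and an old-drive archive that cannot run by themselves. The script below is an added example for this thread, not eScan code and not the helper's published rules; it parses a subset of the lines copied from that listing and sorts them by location and detection class so the actionable items come first. The location buckets, the "not-a-virus:" severity split and the priority numbers are this example's assumptions.

```python
"""Sort an eScan (mwav) result listing into what must go now and what is only archived noise.

Added example for this thread, not eScan code and not a published rule set. The sample lines
are copied from the listing posted above (a subset); the location buckets, the severity split
and the priorities are this example's own assumptions about how the helper read that list.
"""
import re

# Constructed sample: ten of the lines from the eScan listing in post #5.
SAMPLE_ESCAN = r"""
File C:\WINDOWS\System32\systr.dll infected by "Trojan-Downloader.Win32.Agent.ko" Virus.
File System Found infected by "IEHijacker.Hotoffers Spyware/Adware" Virus.
File C:\WINDOWS\SYSTEM\unregister.exe infected by "not-a-virus:AdWare.ToolBar.VB.f" Virus.
File C:\WINDOWS\Application Data\ptoo.exe infected by "not-a-virus:AdWare.PurityScan.ap" Virus.
File C:\WINDOWS\Desktop\Desktop old\realllly old my documents\Audio programs set up\band-in-a-box\setupbb8.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\My Documents\Conrad\backups\backup-20050407-180921-869.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken:
File C:\System Volume Information\_restore{9423B864-9BFE-4100-99B7-8142BA58B60C}\RP18\A0005810.EXE tagged as not-a-virus:Tool.Win32.Reboot.
File C:\Files From Old Drive\RECYCLED\NPROTECT\00000003.EXE infected by "Trojan-Downloader.Win32.WinShow.p" Virus.
File C:\Files From Old Drive\WINDOWS\WT\WTVH.DLL infected by "not-a-virus:AdWare.WildTangent.b" Virus.
File C:\Files From Old Drive\WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy.zip infected by "Password-protected-EXE" Virus.
"""

# Two line shapes appear in the listing: 'infected by "<name>" Virus.' and 'tagged as <name>.'
INFECTED_RE = re.compile(r'^File (.+) infected by "([^"]+)" Virus\.*(?: Action Taken:.*)?$')
TAGGED_RE = re.compile(r'^File (.+) tagged as (\S+?)\.*$')


def parse(listing):
    """Yield (path, detection_name) per result line; anything that does not match either shape is skipped."""
    for line in listing.splitlines():
        m = INFECTED_RE.match(line.strip()) or TAGGED_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def severity(name):
    """In this listing's naming the 'not-a-virus:' prefix marks adware, riskware and tools, not malware."""
    n = name.lower()
    if n.startswith("not-a-virus:"):
        return "riskware"
    if n == "password-protected-exe":
        return "unscannable"   # the scanner could not look inside the archive; not evidence of infection
    return "malware"


def locate(path):
    """Bucket a path by whether the code there can still run (assumed layout of this machine)."""
    p = path.lower()
    if p == "system found":
        return "system-state"   # eScan's marker for a registry/settings detection rather than a file
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore-point"
    if any(s in p for s in ("\\recycled\\nprotect\\", "\\backups\\", "\\recovery\\")):
        return "quarantine-or-backup"   # Norton Protected Recycle Bin, HijackThis backups, Spybot recovery
    if p.startswith("c:\\files from old drive\\"):
        return "old-drive-archive"
    return "live-system"


def priority(sev, loc):
    """1 = active infection, 2 = live PUA, 3 = inert copy in a backup/restore point, 4 = archived leftover."""
    if loc in ("live-system", "system-state"):
        return 1 if sev == "malware" else 2
    if loc in ("restore-point", "quarantine-or-backup"):
        return 3
    return 4


def report(listing):
    """Rows sorted so the first entries are the ones to act on before anything else."""
    rows = [{"path": p, "name": n, "severity": severity(n), "location": locate(p),
             "priority": priority(severity(n), locate(p))} for p, n in parse(listing)]
    rows.sort(key=lambda r: (r["priority"], r["path"].lower()))
    return rows


if __name__ == "__main__":
    for r in report(SAMPLE_ESCAN):
        print(r["priority"], r["severity"], r["location"], r["path"], "<-", r["name"])
```

On the sample the only priority-1 rows are systr.dll and the "System Found" hijacker entry, which matches what the helper singled out; the adware in Windows\Application Data and the installer "Reboot" tags are live but second-tier; the HijackThis backup, the restore point and the NPROTECT copies are inert until restored, which is why the helper's answer for them was simply to delete the folders. Treat the buckets as a starting point: a path heuristic cannot tell a restore point that will be rolled back from one that never will.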
#7
the_dude_ (Topic Starter, New Member, 4 posts)
Hey! Thank you so much! Computer's running very smoothly. Really glad that there are people out there who will help a guy out for free. thanks again

Conrad

#8
g2i2r4 (retired HiJack Helper, Retired Staff, 5,080 posts)
It was a pleasure working with you Conrad.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on it. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

    For a tutorial on firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option. This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

  • Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, in conjunction with Spybot, just as you would with antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Glad I was able to help.
