stealthSWs114.h!dll Hoax



#1
RichDodge

Logfile of HijackThis v1.99.1
Scan saved at 7:32:16 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\hjtcx\abvho.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\system32\jencs\gooe.exe
C:\WINDOWS\system32\uovijv\ndyi.exe
C:\WINDOWS\system32\duxus\njsifl.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\vayndb\vdoddvbk.exe
C:\WINDOWS\system32\twnqk\tpivygco.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\wqeyomi\hudtrtb.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\htdlr\feroan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\hknjl\lkbc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dciayx.exe
C:\WINDOWS\system32\winnook.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rich\Local Settings\Temporary Internet Files\Content.IE5\GD6B4HQB\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp75CC.tmp
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [nekxq] C:\WINDOWS\System32\qxdllqly\nekxq.exe
O4 - HKLM\..\Run: [rmlypj] C:\WINDOWS\System32\oidfgs\rmlypj.exe
O4 - HKLM\..\Run: [vtunqpj] C:\WINDOWS\System32\iskupibl\vtunqpj.exe
O4 - HKLM\..\Run: [jddcup] C:\WINDOWS\System32\ptmha\jddcup.exe
O4 - HKLM\..\Run: [pnaqgj] C:\WINDOWS\system32\windrknq\pnaqgj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [vmsh] C:\WINDOWS\system32\durqnr\vmsh.exe
O4 - HKLM\..\Run: [axkx] C:\WINDOWS\system32\hlkaf\axkx.exe
O4 - HKLM\..\Run: [lqndkck] C:\WINDOWS\system32\ldjtfkpm\lqndkck.exe
O4 - HKLM\..\Run: [wiqyyh] C:\WINDOWS\system32\udyewih\wiqyyh.exe
O4 - HKLM\..\Run: [igqs] C:\WINDOWS\system32\kaqle\igqs.exe
O4 - HKLM\..\Run: [yhow] C:\WINDOWS\system32\twogwkki\yhow.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [knifs] C:\WINDOWS\system32\khibhoe\knifs.exe
O4 - HKLM\..\Run: [vqvyq] C:\WINDOWS\system32\myhm\vqvyq.exe
O4 - HKLM\..\Run: [ewqtlqk] C:\WINDOWS\system32\grfjtcj\ewqtlqk.exe
O4 - HKLM\..\Run: [lwqug] C:\WINDOWS\system32\xmscr\lwqug.exe
O4 - HKLM\..\Run: [jrllcngf] C:\WINDOWS\system32\agfdr\jrllcngf.exe
O4 - HKLM\..\Run: [tieh] C:\WINDOWS\system32\akobisp\tieh.exe
O4 - HKLM\..\Run: [njsifl] C:\WINDOWS\system32\duxus\njsifl.exe
O4 - HKLM\..\Run: [uwiqn] C:\WINDOWS\system32\lwyjhli\uwiqn.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [lnbpiuk] C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe
O4 - HKLM\..\Run: [ydxm] C:\WINDOWS\system32\pxgtsm\ydxm.exe
O4 - HKLM\..\Run: [vdoddvbk] C:\WINDOWS\system32\vayndb\vdoddvbk.exe
O4 - HKLM\..\Run: [ctvqdmhb] C:\WINDOWS\system32\bvamtqmk\ctvqdmhb.exe
O4 - HKLM\..\Run: [hvvus] C:\WINDOWS\system32\bnpd\hvvus.exe
O4 - HKLM\..\Run: [exgc] C:\WINDOWS\system32\cbefdfjg\exgc.exe
O4 - HKLM\..\Run: [cryvrf] C:\WINDOWS\system32\hityvftk\cryvrf.exe
O4 - HKLM\..\Run: [terws] C:\WINDOWS\system32\gtbs\terws.exe
O4 - HKLM\..\Run: [wjytk] C:\WINDOWS\system32\exje\wjytk.exe
O4 - HKLM\..\Run: [tpivygco] C:\WINDOWS\system32\twnqk\tpivygco.exe
O4 - HKLM\..\Run: [nfiago] C:\WINDOWS\system32\lqsftiwg\nfiago.exe
O4 - HKLM\..\Run: [yadpiagr] C:\WINDOWS\system32\edrjclbs\yadpiagr.exe
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\system32\LogFiles\A5281300.so
O4 - HKLM\..\Run: [abvho] C:\WINDOWS\system32\hjtcx\abvho.exe
O4 - HKLM\..\Run: [wuumk] C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
O4 - HKLM\..\Run: [hudtrtb] C:\WINDOWS\system32\wqeyomi\hudtrtb.exe
O4 - HKLM\..\Run: [gooe] C:\WINDOWS\system32\jencs\gooe.exe
O4 - HKLM\..\Run: [ndyi] C:\WINDOWS\system32\uovijv\ndyi.exe
O4 - HKLM\..\Run: [feroan] C:\WINDOWS\system32\htdlr\feroan.exe
O4 - HKLM\..\Run: [lkbc] C:\WINDOWS\system32\hknjl\lkbc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [awq8RijEe] dciayx.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\winnook.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\DOCUME~1\Rich\LOCALS~1\Temp\atbqpabs.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe
O23 - Service: lwqugxmscr - Unknown owner - C:\WINDOWS\system32\xmscr\lwqug.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
O23 - Service: pnaqgjwindrknq - Unknown owner - C:\WINDOWS\system32\windrknq\pnaqgj.exe
O23 - Service: rmlypjoidfgs - Unknown owner - C:\WINDOWS\System32\oidfgs\rmlypj.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: terwsgtbs - Unknown owner - C:\WINDOWS\system32\gtbs\terws.exe
O23 - Service: vmshdurqnr - Unknown owner - C:\WINDOWS\system32\durqnr\vmsh.exe
O23 - Service: wuumkmqtkcgvq - Unknown owner - C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
  • 0
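Added example, not part of the original thread: a small Python triage pass over the O4 (Run key) and O23 (service) lines of a HijackThis log like the one posted above. The reason labels and the heuristics are assumptions made for this sketch (executables one folder below system32, a Run value named after its own executable, and an "Unknown owner" service whose name is the executable name joined to its folder name). Legitimate software can also match them, so the output is a review list, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt of lines taken from the log in the post above (not the full log).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [lnbpiuk] C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [wuumk] C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe
O23 - Service: wuumkmqtkcgvq - Unknown owner - C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
"""

RUN_RE = re.compile(
    r"^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[(?P<name>.+?)\] (?P<cmd>.+)$")
SVC_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")
# Matches an .exe exactly one folder below system32 (applied to lowercased paths).
SUBDIR_RE = re.compile(
    r"^[a-z]:\\windows\\system32\\(?P<dir>[^\\]+)\\(?P<stem>[^\\]+)\.exe$")


def image_path(cmd):
    """Return the executable part of a Run command line, lowercased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end if end != -1 else None].lower()
    m = re.search(r"\.exe", cmd, re.IGNORECASE)  # unquoted: cut after first .exe
    return (cmd[:m.end()] if m else cmd).lower()


def triage(log_text):
    """Map each suspicious image path to the sorted list of reasons it was flagged."""
    reasons = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        run = RUN_RE.match(line)
        if run:
            path = image_path(run["cmd"])
            sub = SUBDIR_RE.match(path)
            if sub:
                reasons[path].add("run-from-system32-subdir")
                if run["name"].lower() == sub["stem"]:
                    reasons[path].add("run-name-equals-exe")
            continue
        svc = SVC_RE.match(line)
        if svc:
            path = svc["path"].lower()
            sub = SUBDIR_RE.match(path)
            if not sub:
                continue                         # e.g. ATI Smart sits directly in system32
            if svc["owner"] == "Unknown owner":
                reasons[path].add("service-unknown-owner")
            if svc["name"].lower() == sub["stem"] + sub["dir"]:
                reasons[path].add("service-name-is-exe+dir")
    return {path: sorted(r) for path, r in sorted(reasons.items())}


def corroborated(findings):
    """Paths flagged through both a Run entry and a service entry."""
    return [p for p, r in findings.items()
            if any(x.startswith("run-") for x in r)
            and any(x.startswith("service-") for x in r)]


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for path, why in found.items():
        print(path, "->", ", ".join(why))
    print("Run key and service agree on:", corroborated(found))
```

Feeding it the full log from a post instead of the excerpt lists every Run and service entry that follows the same layout, which gives a checklist to compare between the first scan and a follow-up scan.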



#2
njustice

RichDodge,

Hello! and welcome to our help forums.

-

You may wish to print out a copy of these instructions to follow while you complete this procedure.


===============

Please read these instructions carefully and print them out! Be sure to follow ALL instructions!

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid


Exit Add/Remove Programs.

*IMPORTANT*CLICK THIS LINK TO LEARN HOW TO VIEW HIDDEN FILES

Press CTRL ALT DELETE to open Windows Task Manager. Click on the Processes tab and end the following processes:

C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\msole32.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\hjtcx\abvho.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\jencs\gooe.exe
C:\WINDOWS\system32\uovijv\ndyi.exe
C:\WINDOWS\system32\duxus\njsifl.exe
C:\WINDOWS\system32\vayndb\vdoddvbk.exe
C:\WINDOWS\system32\twnqk\tpivygco.exe
C:\WINDOWS\system32\wqeyomi\hudtrtb.exe
C:\WINDOWS\system32\htdlr\feroan.exe
C:\WINDOWS\system32\hknjl\lkbc.exe
C:\WINDOWS\system32\dciayx.exe
C:\WINDOWS\system32\winnook.exe
C:\WINDOWS\system32\mqtkcgvq\wuumk.exe

Exit Task Manager.

I need you to copy all of the Killbox file paths below and paste them into Notepad.

* Please download the Killbox by Option^Explicit. *In the event you already have Killbox, this is a new version that I need you to download.
Unzip it to the desktop.

* Please run Killbox.

* Select "Delete on Reboot".

* Open the Notepad file where you saved the file paths earlier and copy the file paths below to the clipboard by highlighting them and pressing CTRL + C:

C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe


* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Make sure you can view hidden files.

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

Reboot into normal mode.

Open Notepad. Copy EVERYTHING in the box below and paste it into a new notepad file. Change the 'Save As Type' to "All Files" and save it as fix.reg on your desktop. Make sure there is NO blank line above REGEDIT4:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-


Locate fix.reg on your desktop and double-click on it. When asked if you want to merge with the registry, click YES. After you receive the prompt "merged successfully", follow the rest of the instructions below.

1.) Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Right Click HERE and go to Save As in order to download DelDomains.inf to your desktop.
To use: RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

Reboot your computer

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log along with the results from ActiveScan

===============



IMPORTANT! PLEASE do not restart your computer unless asked, restarting can reinfect your computer resulting in us starting the cleaning up process all over!

-

~Njustice~
  • 0

#3
RichDodge

Logfile of HijackThis v1.99.1
Scan saved at 11:09:39 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\shnlog.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hjtcx\abvho.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\uovijv\ndyi.exe
C:\WINDOWS\system32\jencs\gooe.exe
C:\WINDOWS\system32\duxus\njsifl.exe
C:\WINDOWS\system32\vayndb\vdoddvbk.exe
C:\WINDOWS\system32\twnqk\tpivygco.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\wqeyomi\hudtrtb.exe
C:\WINDOWS\system32\htdlr\feroan.exe
C:\WINDOWS\system32\hknjl\lkbc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\dciayx.exe
C:\WINDOWS\system32\winnook.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rich\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp7399.tmp
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [nekxq] C:\WINDOWS\System32\qxdllqly\nekxq.exe
O4 - HKLM\..\Run: [rmlypj] C:\WINDOWS\System32\oidfgs\rmlypj.exe
O4 - HKLM\..\Run: [vtunqpj] C:\WINDOWS\System32\iskupibl\vtunqpj.exe
O4 - HKLM\..\Run: [jddcup] C:\WINDOWS\System32\ptmha\jddcup.exe
O4 - HKLM\..\Run: [pnaqgj] C:\WINDOWS\system32\windrknq\pnaqgj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [vmsh] C:\WINDOWS\system32\durqnr\vmsh.exe
O4 - HKLM\..\Run: [axkx] C:\WINDOWS\system32\hlkaf\axkx.exe
O4 - HKLM\..\Run: [lqndkck] C:\WINDOWS\system32\ldjtfkpm\lqndkck.exe
O4 - HKLM\..\Run: [wiqyyh] C:\WINDOWS\system32\udyewih\wiqyyh.exe
O4 - HKLM\..\Run: [igqs] C:\WINDOWS\system32\kaqle\igqs.exe
O4 - HKLM\..\Run: [yhow] C:\WINDOWS\system32\twogwkki\yhow.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [knifs] C:\WINDOWS\system32\khibhoe\knifs.exe
O4 - HKLM\..\Run: [vqvyq] C:\WINDOWS\system32\myhm\vqvyq.exe
O4 - HKLM\..\Run: [ewqtlqk] C:\WINDOWS\system32\grfjtcj\ewqtlqk.exe
O4 - HKLM\..\Run: [lwqug] C:\WINDOWS\system32\xmscr\lwqug.exe
O4 - HKLM\..\Run: [jrllcngf] C:\WINDOWS\system32\agfdr\jrllcngf.exe
O4 - HKLM\..\Run: [tieh] C:\WINDOWS\system32\akobisp\tieh.exe
O4 - HKLM\..\Run: [njsifl] C:\WINDOWS\system32\duxus\njsifl.exe
O4 - HKLM\..\Run: [uwiqn] C:\WINDOWS\system32\lwyjhli\uwiqn.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [lnbpiuk] C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe
O4 - HKLM\..\Run: [ydxm] C:\WINDOWS\system32\pxgtsm\ydxm.exe
O4 - HKLM\..\Run: [vdoddvbk] C:\WINDOWS\system32\vayndb\vdoddvbk.exe
O4 - HKLM\..\Run: [ctvqdmhb] C:\WINDOWS\system32\bvamtqmk\ctvqdmhb.exe
O4 - HKLM\..\Run: [hvvus] C:\WINDOWS\system32\bnpd\hvvus.exe
O4 - HKLM\..\Run: [exgc] C:\WINDOWS\system32\cbefdfjg\exgc.exe
O4 - HKLM\..\Run: [cryvrf] C:\WINDOWS\system32\hityvftk\cryvrf.exe
O4 - HKLM\..\Run: [terws] C:\WINDOWS\system32\gtbs\terws.exe
O4 - HKLM\..\Run: [wjytk] C:\WINDOWS\system32\exje\wjytk.exe
O4 - HKLM\..\Run: [tpivygco] C:\WINDOWS\system32\twnqk\tpivygco.exe
O4 - HKLM\..\Run: [nfiago] C:\WINDOWS\system32\lqsftiwg\nfiago.exe
O4 - HKLM\..\Run: [yadpiagr] C:\WINDOWS\system32\edrjclbs\yadpiagr.exe
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\system32\LogFiles\A5281300.so
O4 - HKLM\..\Run: [abvho] C:\WINDOWS\system32\hjtcx\abvho.exe
O4 - HKLM\..\Run: [wuumk] C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
O4 - HKLM\..\Run: [hudtrtb] C:\WINDOWS\system32\wqeyomi\hudtrtb.exe
O4 - HKLM\..\Run: [gooe] C:\WINDOWS\system32\jencs\gooe.exe
O4 - HKLM\..\Run: [ndyi] C:\WINDOWS\system32\uovijv\ndyi.exe
O4 - HKLM\..\Run: [feroan] C:\WINDOWS\system32\htdlr\feroan.exe
O4 - HKLM\..\Run: [lkbc] C:\WINDOWS\system32\hknjl\lkbc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [awq8RijEe] dciayx.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\winnook.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe
O23 - Service: lwqugxmscr - Unknown owner - C:\WINDOWS\system32\xmscr\lwqug.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
O23 - Service: pnaqgjwindrknq - Unknown owner - C:\WINDOWS\system32\windrknq\pnaqgj.exe
O23 - Service: rmlypjoidfgs - Unknown owner - C:\WINDOWS\System32\oidfgs\rmlypj.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: terwsgtbs - Unknown owner - C:\WINDOWS\system32\gtbs\terws.exe
O23 - Service: vmshdurqnr - Unknown owner - C:\WINDOWS\system32\durqnr\vmsh.exe
O23 - Service: wuumkmqtkcgvq - Unknown owner - C:\WINDOWS\system32\mqtkcgvq\wuumk.exe
  • 0

#4
RichDodge

Incident Status Location

Virus:Trj/Cloak.A Disinfected Operating system
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\twogwkki\yhow.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\picsvr\picsvr.exe
Virus:Trj/Msnpassword.B Disinfected Operating system
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\akobisp\tieh.exe
Virus:Trj/Downloader.BVH Disinfected Operating system
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\bvamtqmk\ctvqdmhb.exe
Virus:Trj/Downloader.COM Disinfected Operating system
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\lqsftiwg\nfiago.exe
Virus:Trj/Msnpassword.B Disinfected Operating system
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\jencs\gooe.exe
Virus:Trj/Downloader.BVH Disinfected Operating system
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\dciayx.exe
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\system32\winnook.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\javex80.vxd
Adware:Adware/Gator No disinfected C:\Program Files\Common Files\GMT
Adware:Adware/MyWay No disinfected C:\Program Files\MyWay
Adware:Adware/nCase No disinfected Windows Registry
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Internet Optimizer
Adware:Adware/SAHAgent No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\bsx32
Adware:Adware/Apropos No disinfected C:\Program Files\cxtpls
Adware:Adware/WinTools No disinfected C:\Program Files\Common Files\WinTools
Adware:Adware/AdDestroyer No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\Documents and Settings\All Users\Application Data\VBouncer
Adware:Adware/DelFinMedia No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\newmsrdk
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Adware:Adware/WUpd No disinfected Windows Registry
Virus:Trj/Downloader.AWZ Disinfected Operating system
Adware:Adware/Pacimedia No disinfected Windows Registry
Adware:Adware/Popuper No disinfected C:\WINDOWS\system32\hp7399.tmp
Adware:Adware/Virmaid No disinfected Windows Registry
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\ahvecdhp.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\gvssbmmu.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\hslyzbfx.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\dlmax.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\farmmext.inf
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\kiotcmhc.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\owsuonst.exe
Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\smdat32m.sys
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\akobisp\tieh.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\atbqpabs.exe
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\bvamtqmk\ctvqdmhb.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\dciayx.exe
Virus:Trj/Downloader.BYZ Disinfected C:\WINDOWS\system32\dist001.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ezPopStub.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\HookPopup.dll
Adware:Adware/Startpage.YH No disinfected C:\WINDOWS\system32\hp7399.tmp
Adware:Adware/Startpage.YH No disinfected C:\WINDOWS\system32\intmon.exe
Spyware:Spyware/BargainBuddy No disinfected C:\WINDOWS\system32\javex80.vxd
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javex80.vxd[nls.exe]
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\jencs\gooe.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\kmnu.exe
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\lqsftiwg\nfiago.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\mlgko.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvs.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
Virus:Trj/Downloader.COM Renamed C:\WINDOWS\system32\oidfgs\rmlypj.exe
Virus:Trj/Cloak.A Disinfected C:\WINDOWS\system32\oleadm.dll
Adware:Adware/Virmaid No disinfected C:\WINDOWS\system32\perfcii.ini
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\picsvr\picsvr.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\ppcf.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\qecn.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\qjcfg.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\rfacoj.exe
Virus:Trj/Downloader.BVH Disinfected C:\WINDOWS\system32\sew.exe
Adware:Adware/Startpage.YH No disinfected C:\WINDOWS\system32\shnlog.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\shssnvjr.exe
Spyware:Spyware/LZIO-Media No disinfected C:\WINDOWS\system32\twogwkki\yhow.exe
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\tyye.exe
Adware:Adware/eZula No disinfected C:\WINDOWS\system32\vhrtn.exe
Adware:Adware/TopSpyware No disinfected C:\WINDOWS\system32\winnook.exe
Virus:Trj/Downloader.COM Renamed C:\WINDOWS\system32\xmscr\lwqug.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\DrTemp\farmmext.ini
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI24FE.tmp\farmmext.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\Temp\THI24FE.tmp\farmmext.ini
Adware:Adware/eZula No disinfected C:\WINDOWS\woinstall.exe
<><><><><> there's the online scan info <><><><>

#5
RichDodge

Logfile of HijackThis v1.99.1
Scan saved at 11:56:33 PM, on 5/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\shnlog.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
C:\WINDOWS\system32\picsvr\picsvr.exe
C:\WINDOWS\system32\jencs\gooe.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dciayx.exe
C:\WINDOWS\system32\winnook.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Rich\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp74E1.tmp
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [nekxq] C:\WINDOWS\System32\qxdllqly\nekxq.exe
O4 - HKLM\..\Run: [jddcup] C:\WINDOWS\System32\ptmha\jddcup.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [axkx] C:\WINDOWS\system32\hlkaf\axkx.exe
O4 - HKLM\..\Run: [wiqyyh] C:\WINDOWS\system32\udyewih\wiqyyh.exe
O4 - HKLM\..\Run: [yhow] C:\WINDOWS\system32\twogwkki\yhow.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [vqvyq] C:\WINDOWS\system32\myhm\vqvyq.exe
O4 - HKLM\..\Run: [ewqtlqk] C:\WINDOWS\system32\grfjtcj\ewqtlqk.exe
O4 - HKLM\..\Run: [jrllcngf] C:\WINDOWS\system32\agfdr\jrllcngf.exe
O4 - HKLM\..\Run: [tieh] C:\WINDOWS\system32\akobisp\tieh.exe
O4 - HKLM\..\Run: [uwiqn] C:\WINDOWS\system32\lwyjhli\uwiqn.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [ctvqdmhb] C:\WINDOWS\system32\bvamtqmk\ctvqdmhb.exe
O4 - HKLM\..\Run: [hvvus] C:\WINDOWS\system32\bnpd\hvvus.exe
O4 - HKLM\..\Run: [exgc] C:\WINDOWS\system32\cbefdfjg\exgc.exe
O4 - HKLM\..\Run: [cryvrf] C:\WINDOWS\system32\hityvftk\cryvrf.exe
O4 - HKLM\..\Run: [nfiago] C:\WINDOWS\system32\lqsftiwg\nfiago.exe
O4 - HKLM\..\Run: [yadpiagr] C:\WINDOWS\system32\edrjclbs\yadpiagr.exe
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\system32\LogFiles\A5281300.so
O4 - HKLM\..\Run: [gooe] C:\WINDOWS\system32\jencs\gooe.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [awq8RijEe] dciayx.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\winnook.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe (file missing)
O23 - Service: lwqugxmscr - Unknown owner - C:\WINDOWS\system32\xmscr\lwqug.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
O23 - Service: pnaqgjwindrknq - Unknown owner - C:\WINDOWS\system32\windrknq\pnaqgj.exe (file missing)
O23 - Service: rmlypjoidfgs - Unknown owner - C:\WINDOWS\System32\oidfgs\rmlypj.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: terwsgtbs - Unknown owner - C:\WINDOWS\system32\gtbs\terws.exe (file missing)
O23 - Service: vmshdurqnr - Unknown owner - C:\WINDOWS\system32\durqnr\vmsh.exe (file missing)
O23 - Service: wuumkmqtkcgvq - Unknown owner - C:\WINDOWS\system32\mqtkcgvq\wuumk.exe (file missing)

........ OK, this is a fresh log after the online scan and a reboot... .....

#6
njustice

RichD,

-

You may wish to print out a copy of these instructions to follow while you complete this procedure.


===============

Go to www.trendmicro.com, and then:

1. Click "Free Online Scan".
2. Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check (tick) "Auto Clean".
3. Click "Scan".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix.


===============

Download, unzip to your desktop CWShredder and run it, then:

1. Click "Check For Update"

(If an update isn't available, skip to step #4.)

2. Click "Click here to Download the update".
3. When the new version has been downloaded, click "Save".
4. Click "Fix ->"


===============


Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/

F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp74E1.tmp


O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [nekxq] C:\WINDOWS\System32\qxdllqly\nekxq.exe
O4 - HKLM\..\Run: [jddcup] C:\WINDOWS\System32\ptmha\jddcup.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [axkx] C:\WINDOWS\system32\hlkaf\axkx.exe
O4 - HKLM\..\Run: [wiqyyh] C:\WINDOWS\system32\udyewih\wiqyyh.exe
O4 - HKLM\..\Run: [yhow] C:\WINDOWS\system32\twogwkki\yhow.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\system32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\system32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [vqvyq] C:\WINDOWS\system32\myhm\vqvyq.exe
O4 - HKLM\..\Run: [ewqtlqk] C:\WINDOWS\system32\grfjtcj\ewqtlqk.exe
O4 - HKLM\..\Run: [jrllcngf] C:\WINDOWS\system32\agfdr\jrllcngf.exe
O4 - HKLM\..\Run: [tieh] C:\WINDOWS\system32\akobisp\tieh.exe
O4 - HKLM\..\Run: [uwiqn] C:\WINDOWS\system32\lwyjhli\uwiqn.exe
O4 - HKLM\..\Run: [ctvqdmhb] C:\WINDOWS\system32\bvamtqmk\ctvqdmhb.exe
O4 - HKLM\..\Run: [hvvus] C:\WINDOWS\system32\bnpd\hvvus.exe
O4 - HKLM\..\Run: [exgc] C:\WINDOWS\system32\cbefdfjg\exgc.exe
O4 - HKLM\..\Run: [cryvrf] C:\WINDOWS\system32\hityvftk\cryvrf.exe
O4 - HKLM\..\Run: [nfiago] C:\WINDOWS\system32\lqsftiwg\nfiago.exe
O4 - HKLM\..\Run: [yadpiagr] C:\WINDOWS\system32\edrjclbs\yadpiagr.exe
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\system32\LogFiles\A5281300.so
O4 - HKLM\..\Run: [gooe] C:\WINDOWS\system32\jencs\gooe.exe
O4 - HKCU\..\Run: [awq8RijEe] dciayx.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\winnook.exe

O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c18.cab

O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe (file missing)
O23 - Service: lwqugxmscr - Unknown owner - C:\WINDOWS\system32\xmscr\lwqug.exe (file missing)
O23 - Service: pnaqgjwindrknq - Unknown owner - C:\WINDOWS\system32\windrknq\pnaqgj.exe (file missing)
O23 - Service: rmlypjoidfgs - Unknown owner - C:\WINDOWS\System32\oidfgs\rmlypj.exe (file missing)
O23 - Service: terwsgtbs - Unknown owner - C:\WINDOWS\system32\gtbs\terws.exe (file missing)
O23 - Service: vmshdurqnr - Unknown owner - C:\WINDOWS\system32\durqnr\vmsh.exe (file missing)
O23 - Service: wuumkmqtkcgvq - Unknown owner - C:\WINDOWS\system32\mqtkcgvq\wuumk.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

folders...

C:\WINDOWS\system32\nsvsvc
C:\WINDOWS\system32\picsvr
C:\WINDOWS\system32\jencs
C:\WINDOWS\System32\qxdllqly
C:\WINDOWS\System32\ptmha
C:\WINDOWS\system32\hlkaf
C:\WINDOWS\system32\udyewih
C:\WINDOWS\system32\twogwkki
C:\WINDOWS\system32\myhm
C:\WINDOWS\system32\grfjtcj
C:\WINDOWS\system32\agfdr
C:\WINDOWS\system32\akobisp
C:\WINDOWS\system32\lwyjhli
C:\WINDOWS\system32\bvamtqmk
C:\WINDOWS\system32\bnpd
C:\WINDOWS\system32\cbefdfjg
C:\WINDOWS\system32\hityvftk
C:\WINDOWS\system32\lqsftiwg
C:\WINDOWS\system32\edrjclbs
C:\WINDOWS\system32\ruoc

files...

C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmon.exe
C:\WINDOWS\system32\dciayx.exe
C:\WINDOWS\system32\winnook.exe
C:\WINDOWS\system32\hp74E1.tmp
C:\WINDOWS\cfgmgr51.dll

Search for...

msmsgs.exe


...using "Start | Search...".

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked; restarting can reinfect your computer, resulting in us starting the cleanup process all over!

-

~Njustice~

#7
RichDodge

system32/winnook.exe was found by trendmicro scan and could not be deleted or repaired.

#8
njustice

Continue with the fix, then post a new hijackthis log.

#9
RichDodge

Logfile of HijackThis v1.99.1
Scan saved at 10:18:06 PM, on 6/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Rich\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natall.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp77DF.tmp
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
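Added example, not part of the original posts: one way to check a follow-up HijackThis log against an earlier fix list, so that entries which survived the fix stand out. The sample lines are copied from posts #6 and #9 of this thread; the function names and the choice of matching keys (registry value, CLSID, Run value name, service name) are assumptions of this sketch, not a HijackThis feature. Matching on a key rather than on the whole line catches the BHO that returns under a new temp filename.

```python
import re

# Subset of the fix list from post #6 (copied from this thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp74E1.tmp
O4 - HKLM\..\Run: [nekxq] C:\WINDOWS\System32\qxdllqly\nekxq.exe
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe (file missing)
O23 - Service: lwqugxmscr - Unknown owner - C:\WINDOWS\system32\xmscr\lwqug.exe (file missing)
"""

# Subset of the follow-up log from post #9 (copied from this thread).
FOLLOW_UP_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp77DF.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe (file missing)
"""

# A HijackThis entry line starts with a section code such as R1, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def entry_key(line):
    """Return a stable identity for a log entry, or None for non-entry lines.

    The key ignores the parts that malware can change between scans
    (file path, URL) and keeps the part that names the autostart slot.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("R0", "R1"):
        # Identity is the registry value, i.e. everything before " =".
        return (section, rest.partition(" =")[0].strip().lower())
    if section in ("O2", "O3", "O16"):
        clsid = CLSID_RE.search(rest)
        if clsid:
            return (section, clsid.group(0).upper())
    if section == "O4":
        name = re.search(r"\[([^\]]+)\]", rest)
        if name:
            hive = rest.split(":", 1)[0].lower()
            return (section, hive, name.group(1).lower())
    if section == "O23":
        svc = re.match(r"Service: (.+?) - ", rest)
        if svc:
            return (section, svc.group(1).lower())
    # Fallback: the whole entry text is the identity.
    return (section, rest.lower())


def parse_entries(text):
    """Map entry key -> original line for every entry line in a log."""
    entries = {}
    for line in text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries[key] = line.strip()
    return entries


def persisting(fix_list, follow_up_log):
    """List fix-list entries that are still present in the follow-up log."""
    fixed = parse_entries(fix_list)
    after = parse_entries(follow_up_log)
    rows = []
    for key, old_line in fixed.items():
        if key in after:
            rows.append({
                "key": key,
                "fix_line": old_line,
                "log_line": after[key],
                # True when the slot survived but its target changed.
                "changed": old_line != after[key],
            })
    return rows


if __name__ == "__main__":
    for row in persisting(FIX_LIST, FOLLOW_UP_LOG):
        status = "CHANGED TARGET" if row["changed"] else "still present"
        print(f"[{status}] {row['log_line']}")
```
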

#10
RichDodge

The icons are missing from the bottom right corner of screen but my IE is still stuck on www.updatesearches.com. I can at least check my email now. There were only 2 files that I had to go to safe mode to delete. Only a few from the list weren't there.

#11
njustice

RichDodge,

-

You may wish to print out a copy of these instructions to follow while you complete this procedure.


===============

We'll need to unload (not uninstall) Intermute's SpySubtract, since it might interfere with other program(s) we might be using to 'clean' off your system.

===============

Go to BitDefender, and then:

1. Click the "I Agree" button.
2. Check "My Computer".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1. Select all available drives.
2. Check (tick) "All boxes in Scan Options".
3. Click "Start Scanning".

When it completes, copy the full filename of any files that cannot be cleaned or deleted and post them when you're done with the following fix.


===============

Reboot to safe mode

===============

Go to Start->Run and type "Services.msc" (without quotes), then hit OK.
Scroll down and find the service called:

lnbpiukcxwehsqi

Make sure it is selected in color. Right click on the service and click on stop. Right click on it again and go to Properties. In the Properties screen and under the General Tab, change the Startup Type to Disabled in the dropdown box. Click on Apply. Then OK. If the service isn't listed go ahead with the rest of these instructions anyway.

===============

Run HiJackThis and click "Scan", then check (tick) the following, if present:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\system32\hp77DF.tmp

O4 - HKLM\..\Run: [evnrlv] C:\WINDOWS\system32\ruoc\evnrlv.exe

O8 - Extra context menu item: ImTranslator - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html

O9 - Extra button: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)
O9 - Extra 'Tools' menuitem: ImTranslator - {AE436396-55E7-4ec4-AD6D-45E88A530A4C} - C:\PROGRA~1\SMARTL~1\IMTRAN~1\startup.html (HKCU)

O23 - Service: lnbpiukcxwehsqi - Unknown owner - C:\WINDOWS\system32\cxwehsqi\lnbpiuk.exe (file missing)


Now, with all windows closed except HiJackThis, click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you're able to "view system and hidden files/folders":

folders...

C:\WINDOWS\system32\ruoc
C:\WINDOWS\system32\cxwehsqi

files...

C:\WINDOWS\system32\hp77DF.tmp

-

Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".

===============

Reboot your computer.

Post back a new log, report any problems and let me know how everything goes.

IMPORTANT! PLEASE do not restart your computer unless asked; restarting can reinfect your computer, resulting in us starting the cleanup process all over!

-

~Njustice~

Edited by njustice, 01 June 2005 - 09:51 PM.


#12
RichDodge

Logfile of HijackThis v1.99.1
Scan saved at 12:31:34 AM, on 6/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Documents and Settings\Rich\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natall.com/
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe





I seem to have IE back in working order. Thanks a lot.... you guys rock.

#13
njustice

CONGRATULATIONS! At last, your system is clean and free of spyware! Want to keep it that way?

Here are some simple steps you can take to reduce the chance of infection in the future. Please do these steps as soon as possible if you haven't already.

1. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
a. Windows Update: http://v5.windowsupd.../en/default.asp

2. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'Default Level', then OK.
Now press 'Custom Level'.
In the ActiveX section, set the first option, 'Download signed controls', to 'Prompt'; set the second option, 'Download unsigned controls', to 'Disable'; and finally, set 'Initialize and script ActiveX controls not marked as safe' to 'Disable'.

3. Download and install the following free programs
a. SpywareBlaster: http://www.javacools...areblaster.html
b. SpywareGuard: http://www.wildersse...ywareguard.html
c. IE/Spyad: https://netfiles.uiu...ww/resource.htm
d. Bugoff: http://www.majorgeek...wnload4308.html

4. Install Spyware Detection and Removal Programs:
You may also want to consider installing either or both of AdAware (free version) and Spybot S&D (freeware). Use these programs to regularly scan your system for and remove many forms of spyware/malware.
a. AdAware: http://www.lavasoft.de/
b. Spybot S&D: http://security.koll...n&page=download

Before adding any other Spyware Detection and Removal programs always check the Rogue Anti-Spyware List for programs known to be misleading, mistaken, or just outright "Foistware". You will find the list here: http://www.spywarewa...nti-spyware,htm

5. Install 'Spoofstick'
Spoofstick is a simple browser extension that helps users detect spoofed (fake) websites. This extension is free and installs in Internet Explorer and Mozilla Firefox.
a. http://www.corestreet.com/spoofstick

6. Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a firewall in its default configuration can lower your risk greatly. See the links below:
a. ZoneAlarm
b. Kerio

7. Reset System Restore
If you are using Windows ME or Windows XP, please reset your System Restore.
a. Turn off system restore by right clicking on "My Computer" and go to "Properties"->"System Restore" and check the box for "Turn off System Restore". Click "Apply" and then "OK". Restart your computer. Reverse these steps and turn "System Restore" back on and create a new restore point.

8. Use GoogleToolbar - It's free, blocks popups and takes seconds to install. Use the toolbar without the advanced features enabled (check this during install); the toolbar is then completely inert: it doesn't send any information to Google whatsoever as you surf.
a. GoogleToolbar

9. RegScrubXP 3.25 - Safely cleans junk out of the Windows 2000/XP system registry. All changes made to the registry are fully restorable to its original condition.
a. RegScrubXP 3.25

10. Online Virus Scans - Run these on a regular basis (I usually do about once a month or when I suspect a problem):
a. http://www.pandasoft...n_principal.htm
b. http://www.windowsec...com/trojanscan/
c. http://housecall.trendmicro.com/
d. http://www.bitdefend...can/licence.php

11. Alternative Browsers - Using an alternative browser other than IE will IMMENSELY reduce the risk of infection:
a. Firefox <== my #1 choice
b. Avant
c. Opera


Good luck, and thanks for coming to our forums for help with your security and malware issues.

#14
RichDodge

Logfile of HijackThis v1.99.1
Scan saved at 2:53:54 PM, on 6/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Rich\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.natall.com/
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Utilities\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




Is there anything here that would keep setting my desktop background to blank?

#15
njustice

RichDodge,


Open Notepad. Copy EVERYTHING in the box below and paste it into a new notepad file. Change the 'Save As Type' to "All Files" and save it as fix.reg on your desktop. Make sure there is NO blank line above REGEDIT4:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"notepad2.exe"=-
"winlogon.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=-
"Wallpaper"=-
"NoDispBackgroundPage"=-
"NoDispAppearancePage"=-

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"=-
"WallpaperStyle"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=-
"NoActiveDesktop"=-
"NoSaveSettings"=-
"ClassicShell"=-
"NoThemesTab"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=-


Locate fix.reg on your desktop and double-click on it. When asked if you want to merge with the registry click YES. After you receive the prompt "merged successfully", reboot your computer.
  • 0
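A .reg file copied from a forum post is worth reading line by line before it is merged. The following is an added example, not part of the post above or of any Geeks to Go tooling: it parses REGEDIT4 text and lists what each line would do to the registry. The function names are hypothetical, the sample is a constructed excerpt of the fix.reg above, and multi-line hex values are not handled (they are reported as unparsed).

```python
import re

# Constructed sample: an excerpt of the fix.reg posted above.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"notepad.exe"=-
"winlogon.exe"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-
"NoDispBackgroundPage"=-
'''

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")
KEY_RE = re.compile(r'^\[(-?)(.+)\]$')            # [KEY] or [-KEY]
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # "name"=data or @=data

def audit_reg(text):
    """Return (ops, problems); ops is a list of (action, key, value_name)."""
    lines = text.splitlines()
    ops, problems, key = [], [], None
    if not lines or lines[0].lstrip('\ufeff').rstrip() not in HEADERS:
        problems.append("line 1 is not a .reg header (a blank line above REGEDIT4 triggers this)")
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(';'):      # blank line or comment
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1):                        # [-KEY] removes the whole key
                ops.append(("delete-key", key, None))
                key = None
            continue
        m = VAL_RE.match(line)
        if m and key:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            action = "delete-value" if m.group(2).strip() == "-" else "set-value"
            ops.append((action, key, name))
        else:
            problems.append(f"line {n}: unparsed or outside a key: {line!r}")
    return ops, problems

def only_deletes_values(ops):
    """True when the file writes nothing and removes no whole keys."""
    return bool(ops) and all(action == "delete-value" for action, _, _ in ops)
```

A file for which `only_deletes_values` is true can only remove named values; anything reported as `set-value` or `delete-key` deserves a closer look before merging.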





