[silence0105]

Computer is ranomly rebooting with error messages from windows. I have run adaware and spybot and have cleaned everything they have come up with. I am very confused when it comes to the science of computers, but I think that drpmon and aurora have something to do with the rebooting considering that they keep coming up and wont leave. If anyone can help me, I would be greatful! Heres my HijackThis log....


Logfile of HijackThis v1.99.1
Scan saved at 12:05:00 AM, on 1/1/2002
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
c:\windows\system32\gwkhsz.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\HijackThis.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Kate\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [escvis] c:\windows\system32\gwkhsz.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

[Advertisements]

Hi silence0105

Please read through the instructions before you start (you may want to print this out).

You are running HijackThis from the Desktop; please create a new folder for it and move the program into the new folder

Download Pocket Killbox and unzip it; save it to your Desktop.

Please set your system to show all files; please see here if you're unsure how to do this.

a.) Copy the contents in the Code box below to Notepad. Not (wordpad)
b.) Save the file as nailfix.cmd
c.) Change the Save as Type to All Files.
d.) Save this file to the desktop.

@ECHO OFF
REM Originally by Swandog46 and miekiemoes from SpywareInfo.Com.
REM Modified by RACooper to combine 2K and XP routines to one file.

if exist process.exe ( 
    process -k explorer.exe
  ) ELSE (
    cmd /c "echo Process.exe missing.  Please unzip completely and rerun this file.&&pause&&exit"
  )

cd %windir%
Nail.exe /fullremove

del /a /f nail.exe svcproc.exe
cd %windir%\system32
del /a /f DrPMon.dll

echo REGEDIT4 > nailfix.reg
echo. >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\SvcProc] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Enum\Root\LEGACY_SvcProc] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\_rtneg3] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\aurora] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{0962DA67-DB64-465C-8CD7-CBB357CAF825}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{356B2BD0-D206-4E21-8C85-C6F49409C6A9}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{52ADD86D-9561-4C40-B561-4204DBC139D1}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{999A06FF-10EF-4A29-8640-69E99882C26B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{018C5406-AEE6-4A68-980F-2CEB1E9416FB}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{0A7FC040-F84A-4AD7-9439-798B6C0F861E}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{32A9D21F-F510-44DC-9EA6-0456EDA04668}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{4562B6F3-DAF8-464E-87B7-5464575F0D6A}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{C93CC79D-02D5-45B0-BE39-7F5B0E5DDA31}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{DA4B919F-B757-4E32-8D79-DEC5C2704C4B}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.amo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.iiittt] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.momo] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\trfdsk.ohb] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{DA15C9A2-C30A-4761-922A-5DFE7C9A1F67}] >> nailfix.reg
echo [-HKEY_CURRENT_USER\Software\Bolger] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\Interface\{BB0D5ADC-028D-4185-9288-722DDCE2C757}] >> nailfix.reg
echo [-HKEY_CLASSES_ROOT\TypeLib\{92DAF5C1-2135-4E0C-B7A0-259ABFCD3904}] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Print\Monitors\ZepMon] >> nailfix.reg
echo [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon] >> nailfix.reg

regedit /s nailfix.reg
del nailfix.reg

start explorer.exe
exit

e.) Double-click on nailfix.cmd
f.) When it asks you to merge the information to the registry click Yes.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [regsync] C:\WINDOWS\system32\regsync.exe
O4 - HKLM\..\Run: [richup] C:\WINDOWS\system32\richup.exe
O4 - HKLM\..\Run: [escvis] c:\windows\system32\gwkhsz.exe r
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Click on Fix Checked when finished and exit HijackThis.

Run killbox and click the radio button that says Delete a file on reboot. Paste the file's one at a time into the full path of file to delete box and click the red circle with a white cross in it.
The program will ask you if you want to reboot; say No each time until the last one has been pasted in whereupon you should answer Yes.
c:\windows\system32\gwkhsz.exe
C:\WINDOWS\systb.dll
C:\WINDOWS\system32\vbrundll.dll
C:\WINDOWS\system32\nsb25.dll
C:\WINDOWS\system32\richedtr.dll
C:\WINDOWS\system32\regsync.exe
C:\WINDOWS\system32\richup.exe
C:\WINDOWS\wupdt.exe
C:\WINDOWS\svcproc.exe
Let the system reboot.


Please run the following free, online virus scans.
http://www.pandasoft...n_principal.htm
http://housecall.tre.../start_corp.asp
Please post the logs From Panda virus scan and HJT.logWe will need them to remove previous infections that have left files on your system.

Kc

[silence0105]

Hmm. When i go to double click on nailfix.cmd, the file says that there is something missing (process i think) and that I have to unzip the intire file and rerun the program.

[silence0105]

ok. I have done all that, and here's the outcome.....

Panda...
Incident Status Location

Adware:Adware/Transponder No disinfected c:\windows\system32\anhlto.exe
Virus:Trj/Imiserv.D Disinfected Operating system
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\vbrundll.dll
Adware:Adware/Transponder No disinfected c:\windows\system32\anhlto.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Spyware:Spyware/BetterInet No disinfected Windows Registry
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\swin32.dll
Adware:Adware/SAHAgent No disinfected Windows Registry
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\InnerVBInstall.log
Adware:Adware/Sqwire No disinfected C:\Program Files\Common Files\tsa
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Kate\Application Data\Lycos
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/BlazeFind No disinfected Windows Registry
Adware:Adware/DealHelper No disinfected C:\WINDOWS\system32\newmsrdk
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\adupdmanager.xml
Adware:Adware/IEPlugin No disinfected C:\WINDOWS\systb.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Admilli Service
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\rk.bin
Adware:Adware/Kingporn No disinfected C:\DOCUME~1\Kate\LOCALS~1\Temp\ExtractDLL.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/SearchRelevancy No disinfected Windows Registry
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\vbrundll.dll
Adware:Adware/P2PNetworking No disinfected C:\DOCUME~1\Kate\LOCALS~1\Temp\p2psetup.exe
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Kate\Favorites\1111\1111.url
Adware:Adware/Aurora No disinfected C:\WINDOWS\nail.exe
Adware:Adware/BigTrafficNet No disinfected C:\WINDOWS\system32\nsb25.dll
Virus:Trj/Downloader.JM Disinfected C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20040214-131652-991.inf
Adware:Adware/QuickSearch No disinfected C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20040705-161353-197.dll
Spyware:Spyware/Relevancy No disinfected C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\backup-20041224-233155-250.dll
Adware:Adware/Pacimedia No disinfected C:\Documents and Settings\Kate\Favorites\1111\1111.url
Spyware:Spyware/SafeSurf No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\ExtractDLL.dll
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\temp.fr7AA6
Adware:Adware/WUpd No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\temp.fr9702
Spyware:Spyware/Altnet No disinfected C:\Documents and Settings\Kate\Local Settings\Temp\__unin__.exe
Adware:Adware/Trymedia No disinfected C:\Downloads\DinerDashSetup-dm[1].exe
Adware:Adware/WinAD No disinfected C:\Program Files\Admilli Service\AdmilliComm.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Admilli Service\AdmilliKeep.exe
Spyware:Spyware/New.net No disinfected C:\Program Files\FileSubmit\inuyasha.exe\NNEZTA388.exe
Adware:Adware/QuickSearch No disinfected C:\Program Files\FileSubmit\inuyasha.exe\TBEZA127Q.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows AdStatus\WinStatComm.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.ini
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.dll
Adware:Adware/PopCapLoader No disinfected C:\WINDOWS\Downloaded Program Files\popcaploader.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\glmrzvr.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\bi7.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biA.inf
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\inf\biF.inf
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\conscorr.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\inf\polall1r.inf
Adware:Adware/Transponder No disinfected C:\WINDOWS\Nail.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall5_48.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_22.exe
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe
Spyware:Spyware/Altnet No disinfected C:\WINDOWS\smdat32a.sys
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\systb.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\adupdmanager.xml
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\anhlto.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\biA.exe
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\c35b7s.dll
Adware:Adware/KeenValue No disinfected C:\WINDOWS\system32\drivers\etc\hosts.bho
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\fiz1
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERADINSTALL.LOG
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\INNERVBINSTALL.LOG
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Spyware:Spyware/Dyfuca No disinfected C:\WINDOWS\system32\regsync.exe
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\retpdat32.xml
Spyware:Spyware/MarketScore No disinfected C:\WINDOWS\system32\rk.bin
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\SHAgentNew.dll
Adware:Adware/AdLogix No disinfected C:\WINDOWS\system32\sp32.xml
Adware:Adware/PortalScan No disinfected C:\WINDOWS\system32\SWin32.dll
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\system32\vbrundll.dll
Virus:Trj/Dropper.HG Disinfected C:\WINDOWS\system32\w1u.dll
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite.dll
Adware:Adware/MyWay No disinfected C:\WINDOWS\system32\Xcite2.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Virus:Trj/Imiserv.D Disinfected C:\WINDOWS\wupdt.exe
HijackThis.....

[silence0105]

Logfile of HijackThis v1.99.1
Scan saved at 7:27:10 PM, on 6/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\slserv.exe
c:\windows\system32\anhlto.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Kate\Desktop\Unused Desktop Shortcuts\hijack\HijackThis.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Documents and Settings\Kate\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497 - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O2 - BHO: VBRunDLL Class - {197B8CA4-E215-46DD-8F33-E0544A80E5C4} - C:\WINDOWS\system32\vbrundll.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsb25.dll
O2 - BHO: RichEditor Class - {F79A2C4B-8776-4ED7-8B2F-4786A4A3500A} - C:\WINDOWS\system32\richedtr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [huzkhsh] c:\windows\system32\anhlto.exe r
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\aim\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v6.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

[silence0105]

The only thing is that I still have pop-ups and Aurora is still around with their pop-up ads. ::sigh::