**** Popups, Browser Hijacks

Please help! I dont know how, but somehow a virus got on my computer and whenever I open the internet I get repeated clicking sounds (You know, the sound when you click a link?) and then I get hit with about 30 **** sites in the span of 20 seconds. An icon keeps displaying itself on my desktop and it is a shortcut to some site.

I have ran every anti-spyware program I have, system restore wont work, and frankly, I have no idea what to do. The internet is incredibly slow, and I get messages saying "Dialing Failed" so my guess is I have a dialer hijacker some where. I have my HJT log below, but I dont know if it will help. But here it is anyway

Logfile of HijackThis v1.99.0
Scan saved at 9:08:28 PM, on 2/7/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\system32\appas.exe
C:\WINDOWS\XPsys.exe
C:\WINDOWS\winhost.exe
C:\WINDOWS\winhost.exe
C:\WINDOWS\winhost.exe
C:\WINDOWS\winhost.exe
C:\WINDOWS\winhost.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\miniport_mp.exe
C:\WINDOWS\ipxs.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\surfmonkey\SMProxy.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2C1A5DA8-315A-58D1-573D-06F3C41DC9AD} - C:\WINDOWS\d3az.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [PP6100b] C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MiniPortRt] C:\WINDOWS\System32\miniport_mp.exe
O4 - HKLM\..\Run: [ipxs.exe] C:\WINDOWS\ipxs.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [appas.exe] C:\WINDOWS\system32\appas.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O21 - SSODL: eplrr - {E2E5B082-39B2-4C38-8D74-CF651E87776A} - C:\WINDOWS\System32\eplrr3.dll
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe




I have a research Paper due tomorrow, and cant finish typing it or doing research on the net, so please help as soon as you can!

Thank you!

 

Same instructions as here, but fix these entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\rpksw.dll/sp.html#12345
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {2C1A5DA8-315A-58D1-573D-06F3C41DC9AD} - C:\WINDOWS\d3az.dll
O4 - HKLM\..\Run: [ipxs.exe] C:\WINDOWS\ipxs.exe
O4 - HKLM\..\RunOnce: [appas.exe] C:\WINDOWS\system32\appas.exe
O21 - SSODL: eplrr - {E2E5B082-39B2-4C38-8D74-CF651E87776A} - C:\WINDOWS\System32\eplrr3.dll

and add these filepaths to the Killbox list there.

C:\WINDOWS\system32\appas.exe
C:\WINDOWS\XPsys.exe
C:\WINDOWS\winhost.exe
C:\WINDOWS\ipxs.exe
C:\WINDOWS\d3az.dll

VERY IMPORTANT that you get updated at Windows Update!

 

Thank you SO much! Heres my HJT log just in case

Logfile of HijackThis v1.99.0
Scan saved at 12:39:08 AM, on 2/8/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Norton Internet Security\NISSERV.EXE
C:\Program Files\Norton Internet Security\SymProxySvc.exe
C:\WINDOWS\ibs.exe
C:\Program Files\Norton Internet Security\IAMAPP.EXE
C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\miniport_mp.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\ElnIE.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FEF28766-EC07-9CC6-3DD6-241C5C156710} - C:\WINDOWS\system32\mfcgm32.dll
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
O4 - HKLM\..\Run: [PP6100b] C:\WINDOWS\twain_32\paprport\6100b\flatbed.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MiniPortRt] C:\WINDOWS\System32\miniport_mp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: Norton Internet Security Service - Symantec Corporation - C:\Program Files\Norton Internet Security\NISSERV.EXE
O23 - Service: Norton Internet Security Accounts Manager - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Norton Internet Security Proxy Service - Symantec Corporation - C:\Program Files\Norton Internet Security\SymProxySvc.exe

 

You need to use the killbox on the following.
C:\WINDOWS\ibs.exe
This is something new to your system, and due to lack of windows updates I am not surprised. You are running XP, with NO installed service packs. Your computer is very vulnerable to anything out there.

 

OK so how would I fix that?

 

In Internet Explorer, go to the toolbar at Tools, then select Windows Update. or
http://v5.windowsupdate.microsoft.com.

To be up to date would require SP2 to be installed.

The below link has the location where you download the entire service pack, or order the free CD and get it via snail mail.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/winxpsp2.mspx

 

OK I requested the CD, but I can't figure out where to download the service pack. The link that should do it just takes you to Windows Update.

 

The link for single computers gets you windows update. The link for multiple computers takes you to the below link, the download page for it.
http://www.microsoft.com/downloads/...BE-3B8E-4F30-8245-9E368D3CDB5A&displaylang=en

 

OK i will go download that now, thanks!

 

OK I downloaded and Installed the update pcak, is there anything more I need to do with this program right now?

 

Since you have the CD on the way, you can delete the download now that you are done with it.
You should visit the windows update page, I am sure that there are some critical updates waiting there for you. If you choose Express, you only have the needed updates available to you.

 

When I go to the windows update site, it still dosent do anything.

 

That may be because you have ActiveX controls disabled in Internet Options, Security tab, in the the Internet Zone. Rather than change that, go to Control Panel\Internet Options, then click on the Security tab.
Now click on the Trusted Sites icon, then click on the Site button just below that. In the new window that opens, uncheck the box for 'Require Server verification [https] for all site in this zone'. Then click on Add, and enter *.windowsupdate.microsoft.com exactly as it appears. Then go to windows update, and answer Yes that you want to download and install windows update control when prompted.
Note, if you have the Trusted Sites security level set to the default setting, you will not get this prompt, it will just install on it's own.

 

OK did that, but STILL all it does is say

"Checking for the latest version of the Windows Update software...

Depending on your connection speed, this might take a minute. During this time, you may receive one or more security warnings. Review each security warning to ensure that the content is signed by Microsoft, and then click Install or Yes to install the software. "


and then sits there. It dosen't move!