
Having problems w/programs, homepage redirected [Hijackthis log & Getlog xp listed]

Discussion in 'Malware and Virus Removal Archive' started by NBAS1, 2005/05/05.

Thread Status:
Not open for further replies.
  1. 2005/05/05
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    I am having problems opening my antispyware software, I can't even get into Adaware to update it. I think my computer might have picked up some virus or other malicious software, because every time I try to close down my computer I get an error that a program Win Min is not responding. Here is my Hijackthis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 1:31:39 PM, on 5/5/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\WINDOWS\System32\nwprt.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\RUNDLL32.EXE
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
    C:\Documents and Settings\Jim\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\CxtPls\cxtpls.dll (file missing)
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\Run: [t38S38i] nwprt.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [c0r2RUGmU] nvihst3g.exe
    O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
    O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
    O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [mcwippr] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [mqcgyda] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [gnuhwqe] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [grikwbb] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [vwdpnsk] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [haptkfu] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [lytjcev] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [jigkjwq] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [gmfgkiw] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [nxwaikg] c:\windows\jrqlrhr.exe
    O4 - HKCU\..\Run: [xpsbeod] c:\windows\jrqlrhr.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1114213473575
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.overpro.com/WildApp.cab
    O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)


    Here is the getlogxp


    ! REG.EXE VERSION 3.0

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    MSMSGS REG_SZ "C:\Program Files\Messenger\msmsgs.exe" /background
    NvMediaCenter REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
    c0r2RUGmU REG_SZ nvihst3g.exe
    vqsaijo REG_SZ c:\windows\kexdlki.exe
    vsnitex REG_SZ c:\windows\kexdlki.exe
    cngqmvt REG_SZ c:\windows\kpvxgji.exe
    sjanbmu REG_SZ c:\windows\kpvxgji.exe
    fxgqvpu REG_SZ c:\windows\kpvxgji.exe
    mcwippr REG_SZ c:\windows\gxkuajq.exe
    mqcgyda REG_SZ c:\windows\gxkuajq.exe
    gnuhwqe REG_SZ c:\windows\gxkuajq.exe
    grikwbb REG_SZ c:\windows\gxkuajq.exe
    vwdpnsk REG_SZ c:\windows\gxkuajq.exe
    haptkfu REG_SZ c:\windows\kuhapqd.exe
    lytjcev REG_SZ c:\windows\kuhapqd.exe
    jigkjwq REG_SZ c:\windows\kuhapqd.exe
    gmfgkiw REG_SZ c:\windows\kuhapqd.exe
    nxwaikg REG_SZ c:\windows\jrqlrhr.exe
    xpsbeod REG_SZ c:\windows\jrqlrhr.exe

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    RealTray REG_SZ C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    NvCplDaemon REG_SZ RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    nwiz REG_SZ nwiz.exe /install
    BJCFD REG_SZ C:\Program Files\BroadJump\Client Foundation\CFD.exe
    Motive SmartBridge REG_SZ C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    YBrowser REG_SZ C:\Program Files\Yahoo!\browser\ybrwicon.exe
    IPInSightLAN 02 REG_SZ "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    IPInSightMonitor 02 REG_SZ "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    Security Shedule REG_SZ C:\WINDOWS\System32\pentstrm.exe
    t38S38i REG_SZ nwprt.exe

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents

    ! REG.EXE VERSION 3.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BroadJump Client Foundation

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB810243

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB817778

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB820291

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB821253

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB822603

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB823182

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB824105

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB824141

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB825119

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB826939

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB826942

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB828035

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB829558

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB842773

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveReg

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveUpdate

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft NetShow Player 2.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Norton CleanSweep

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Norton Speed Disk

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Norton Utilities

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NVIDIA

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\oeupdate

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PROSet

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q322011

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q327979

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q814995

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q819696

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Q828026

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RealPlayer 6.0

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Self Support Tool

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! Applications

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! Base Components

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! Dial Connection Manager

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! DSL

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! Messenger

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! UMUninstaller

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC.MCCInstall

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webshots

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webster's World Encyclopedia 2001

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows XP Service Pack

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Anti-Spy

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Companion

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YInstHelper

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00030409-78E1-11D2-B60F-006097C998E7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{00040409-78E1-11D2-B60F-006097C998E7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{097346E0-6A51-11D1-AD16-00A0C95E0503}(SBC)

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11B569C2-4BF6-4ED0-9D17-A4273943CB24}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{17AF6086-77CC-4598-9332-7E71591C41CA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{43C3D832-AC96-463A-2003-1B8D1BFA252F}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{43DCF766-6838-4F9A-8C91-D92DA586DFA7}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{56364334-9530-11D2-BFFC-00C04FA329AA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{58DD5143-4417-4F43-A7DD-5B8B29CEDBEA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5A0C892E-FD1C-4203-941E-0956AED20A6A}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-1033-7B44-A70000000000}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C8D79874-7F2B-4346-99F1-DAA8AABF9DCA}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
     
    Last edited: 2005/05/05
  2. 2005/05/05
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    Whatever is causing my problems with my computer has even gone so far as to change my background to what looks like a giant pop up. This is getting annoying now. Anyone have any tips?
     


  4. 2005/05/06
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    I have tried to install some new antivirus software, in safe mode, but nothing I have tried has been allowed to install in safe mode. I have tried to install in standard mode and each time, I double click on the software to install, the installation wizard starts and I am able to click on the "I agree" box, and shortly after the application stops its installation without any warning or error message, and my screen goes back to the desktop view. I am having no luck on my own with anything.
     
  5. 2005/05/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Try running Panda ActiveScan and/or Bit-Defender to see if it can cleanup anything then post a new HijackThis log.

    I'm away from home so have little access and time, but will check back in on you.
     
  6. 2005/05/10
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    I used the Panda scanner and was not allowed to transmit 2 suspected files to them. I was prompted to check my internet connection and to press "OK". Each time I did as instructed, I was told to check my connection. I did both scans and here is the new Hijackthis log.


    Logfile of HijackThis v1.99.1
    Scan saved at 11:37:30 AM, on 5/10/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\tsardssp.exe
    C:\windows\kexdlki.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Documents and Settings\Jim\Start Menu\Programs\Startup\winupdate10761038[1].exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\DOCUME~1\Jim\LOCALS~1\Temp\tmpF.tmp
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\rundll32.exe
    C:\WINDOWS\System32\lvshftla.exe
    C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [c0r2RUGmU] tsardssp.exe
    O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
    O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
    O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [mcwippr] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [mqcgyda] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [gnuhwqe] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [grikwbb] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [vwdpnsk] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [haptkfu] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [lytjcev] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [jigkjwq] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [gmfgkiw] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [nxwaikg] c:\windows\jrqlrhr.exe
    O4 - HKCU\..\Run: [xpsbeod] c:\windows\jrqlrhr.exe
    O4 - HKCU\..\Run: [yxmkqga] c:\windows\wuyfowg.exe
    O4 - HKCU\..\Run: [nffnsel] c:\windows\wuyfowg.exe
    O4 - HKCU\..\Run: [dyumloo] c:\windows\wuyfowg.exe
    O4 - HKCU\..\Run: [njiiusg] c:\windows\rmpkuim.exe
    O4 - HKCU\..\Run: [tpwfclu] c:\windows\omhuxfb.exe
    O4 - HKCU\..\Run: [mlnjjpy] c:\windows\omhuxfb.exe
    O4 - HKCU\..\Run: [hupjidg] c:\windows\vfrrjvd.exe
    O4 - HKCU\..\Run: [nuckuoi] c:\windows\vfrrjvd.exe
    O4 - HKCU\..\Run: [iqosktl] c:\windows\vfrrjvd.exe
    O4 - HKCU\..\Run: [ounsuvd] c:\windows\awkadbr.exe
    O4 - HKCU\..\Run: [ecviqno] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [ppnhlls] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [sjnicjf] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [hjjcqhm] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [xolkirh] c:\windows\ugbunew.exe
    O4 - HKCU\..\Run: [ukbspcj] c:\windows\rcehlcy.exe
    O4 - HKCU\..\Run: [ftigavj] c:\windows\irarkau.exe
    O4 - HKCU\..\Run: [qrrklqi] c:\windows\rcehlcy.exe
    O4 - HKCU\..\Run: [equcloa] c:\windows\irarkau.exe
    O4 - HKCU\..\Run: [gyhrame] c:\windows\obssiqc.exe
    O4 - HKCU\..\Run: [ydxmfvr] c:\windows\wielicn.exe
    O4 - HKCU\..\Run: [qonasgj] c:\windows\obssiqc.exe
    O4 - HKCU\..\Run: [xopiggf] c:\windows\wielicn.exe
    O4 - HKCU\..\Run: [oylbddy] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [pqjgsyv] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [dvcdrjb] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [kjwkpww] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [eykkbsj] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [ysrwjfj] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [vflfvgb] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [mpufhvx] c:\windows\kkiaifr.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Startup: winupdate10761038[1].exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
    O10 - Unknown file in Winsock LSP: c:\windows\system32\flsmngr.dll
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
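
The pattern visible in the HijackThis log above (many random seven-letter Run values pointing at a handful of random-named executables directly under c:\windows) can be picked out mechanically. The following is an added example, not part of the original thread or of HijackThis itself; the two heuristics and the function names are assumptions made for illustration, and the sample input is a constructed subset of lines from the log.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of lines taken from the log above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\tsardssp.exe
C:\windows\kexdlki.exe

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [c0r2RUGmU] tsardssp.exe
O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
O4 - HKCU\..\Run: [njiiusg] c:\windows\rmpkuim.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
"""

# "O4 - HKCU\..\Run: [value name] command line"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.+)$"
)
# Executable part of the command: a quoted path, or everything up to the first ".exe".
TARGET_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.+?\.exe)\b', re.IGNORECASE)
# Heuristic tuned to this log (an assumption): exactly seven lowercase letters.
RANDOM7_RE = re.compile(r"^[a-z]{7}$")


def parse_log(text):
    """Return (running process paths, O4 Run entries), all paths lowercased."""
    running, entries, in_procs = set(), [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.lower())
            else:
                in_procs = False  # a blank line ends the process list
            continue
        m = O4_RE.match(line)
        if m:
            t = TARGET_RE.match(m["cmd"])
            target = (t["q"] or t["u"]) if t else m["cmd"]
            entries.append((m["hive"], m["key"], m["name"], target.strip().lower()))
    return running, entries


def triage(text):
    """Group Run values by target executable and flag suspicious targets."""
    running, entries = parse_log(text)
    running_names = {ntpath.basename(p) for p in running}
    by_target = defaultdict(list)
    for _hive, _key, name, target in entries:
        if name not in by_target[target]:
            by_target[target].append(name)

    findings = {}
    for target, names in by_target.items():
        reasons = []
        # Heuristic 1: one executable registered under several value names.
        if len(names) > 1:
            reasons.append("shared-target")
        # Heuristic 2: random-looking file directly in c:\windows whose
        # value names are all random-looking too.
        stem = ntpath.splitext(ntpath.basename(target))[0]
        if (ntpath.dirname(target) == r"c:\windows"
                and RANDOM7_RE.match(stem)
                and all(RANDOM7_RE.match(n) for n in names)):
            reasons.append("random-name")
        if reasons:
            # A bare file name (no directory) is matched on base name only.
            is_running = target in running or (
                not ntpath.dirname(target) and target in running_names)
            findings[target] = {
                "values": names, "reasons": reasons, "running": is_running}
    return findings


if __name__ == "__main__":
    for path, info in sorted(triage(SAMPLE_LOG).items()):
        state = "running" if info["running"] else "not running"
        print(f"{path}  [{state}]  {', '.join(info['reasons'])}  <- {info['values']}")
```

These two rules only narrow the list: entries such as `[c0r2RUGmU] tsardssp.exe` and the `Srv32 spool service` RunOnce value are not caught by name shape and still need a manual look.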
     
  7. 2005/05/10
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    After looking over the Hijackthis log, I used Hijackthis to fix these files.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1


    So far it has fixed the problem of the hijacked start page on internet explorer. But I am still concerned about the "Trojans" that the scanners could not disinfect, or clean. Also, I am not able to install any of the new antispyware software that I have downloaded. The same problem I have been having since the start. Plus I do not have the "pop-up" style background anymore. It has reverted to what was there prior.
     
    Last edited: 2005/05/10
  8. 2005/05/10
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    Ignore that part about using Hijackthis to "fix" my hijacked homepage. I rebooted into safe mode and ran adaware and spybot, I then rebooted into normal mode and when I opened up internet explorer, I was back to my new hijacked homepage.
     
  9. 2005/05/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You have multiple infections here, and we'll attempt to get them all at once. You should print this out and/or save it to text. Saving to text will allow you to copy/paste the filepaths below when using the Killbox.

    Before trying to proceed, download the HostsFileReader and unzip, then open. Click the Reset Default button.

    Download the Symantec W32.Beagle@mm Removal Tool. Save it to your desktop.

    Download the stand-alone CWShredder 2.14 from here. Save it to the desktop.

    Download LSPFix.exe, saving it to your desktop.

    Download and install SpywareBlaster. Enable all protections, check for updates and enable them too. Then download IESpyad.exe, double click to extract (it extracts to C:\IESpyad by default), open the folder, double click the ie-ads.reg file and allow it to merge into the registry.

    Please download the attachment smitfraud1.zip. Save it to your desktop. If it saves as attachment.php, right click and rename to smitfraud1.zip. You may need to enable viewing extensions for known file types to see the zip and php extensions. To do that, open My Computer and click Tools on the menu, then folder options. Click the view tab of the window that opens, uncheck the box to Hide extensions...... and click OK. Now right click the zip and extract the smitfraud1 folder to your desktop.

    Download Pocket Killbox from here: http://www.downloads.subratam.org/KillBox.zip

    Extract the file to a folder, then open and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\tsardssp.exe

    Check the box to delete on reboot and click the red X to the right. Click Yes, then NO to the reboot now prompt. Copy the next filepath, paste it in the box, and repeat the above steps. When all of the below filepaths are done, allow it to reboot.

    C:\windows\kexdlki.exe
    C:\DOCUME~1\Jim\LOCALS~1\Temp\tmpF.tmp
    C:\WINDOWS\System32\lvshftla.exe
    C:\WINDOWS\System32\spoolsrv32.exe
    C:\DOCUME~1\Jim\Start Menu\Programs\Startup\winupdate10761038[1].exe



    After reboot, scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - HKCU\..\Run: [c0r2RUGmU] tsardssp.exe
    O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
    O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
    O4 - HKCU\..\Run: [cngqmvt] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [sjanbmu] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [fxgqvpu] c:\windows\kpvxgji.exe
    O4 - HKCU\..\Run: [mcwippr] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [mqcgyda] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [gnuhwqe] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [grikwbb] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [vwdpnsk] c:\windows\gxkuajq.exe
    O4 - HKCU\..\Run: [haptkfu] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [lytjcev] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [jigkjwq] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [gmfgkiw] c:\windows\kuhapqd.exe
    O4 - HKCU\..\Run: [nxwaikg] c:\windows\jrqlrhr.exe
    O4 - HKCU\..\Run: [xpsbeod] c:\windows\jrqlrhr.exe
    O4 - HKCU\..\Run: [yxmkqga] c:\windows\wuyfowg.exe
    O4 - HKCU\..\Run: [nffnsel] c:\windows\wuyfowg.exe
    O4 - HKCU\..\Run: [dyumloo] c:\windows\wuyfowg.exe
    O4 - HKCU\..\Run: [njiiusg] c:\windows\rmpkuim.exe
    O4 - HKCU\..\Run: [tpwfclu] c:\windows\omhuxfb.exe
    O4 - HKCU\..\Run: [mlnjjpy] c:\windows\omhuxfb.exe
    O4 - HKCU\..\Run: [hupjidg] c:\windows\vfrrjvd.exe
    O4 - HKCU\..\Run: [nuckuoi] c:\windows\vfrrjvd.exe
    O4 - HKCU\..\Run: [iqosktl] c:\windows\vfrrjvd.exe
    O4 - HKCU\..\Run: [ounsuvd] c:\windows\awkadbr.exe
    O4 - HKCU\..\Run: [ecviqno] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [ppnhlls] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [sjnicjf] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [hjjcqhm] c:\windows\qbwdhuw.exe
    O4 - HKCU\..\Run: [xolkirh] c:\windows\ugbunew.exe
    O4 - HKCU\..\Run: [ukbspcj] c:\windows\rcehlcy.exe
    O4 - HKCU\..\Run: [ftigavj] c:\windows\irarkau.exe
    O4 - HKCU\..\Run: [qrrklqi] c:\windows\rcehlcy.exe
    O4 - HKCU\..\Run: [equcloa] c:\windows\irarkau.exe
    O4 - HKCU\..\Run: [gyhrame] c:\windows\obssiqc.exe
    O4 - HKCU\..\Run: [ydxmfvr] c:\windows\wielicn.exe
    O4 - HKCU\..\Run: [qonasgj] c:\windows\obssiqc.exe
    O4 - HKCU\..\Run: [xopiggf] c:\windows\wielicn.exe
    O4 - HKCU\..\Run: [oylbddy] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [pqjgsyv] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [dvcdrjb] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [kjwkpww] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [eykkbsj] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [ysrwjfj] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [vflfvgb] c:\windows\ipihqwp.exe
    O4 - HKCU\..\Run: [mpufhvx] c:\windows\kkiaifr.exe
    O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
    O4 - Startup: winupdate10761038[1].exe
    O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing)
    O9 - Extra button: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {330DBEE9-5A6F-471E-A574-3D6BC2A086E1} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
    O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

    Either reboot and repeatedly tap F8 to enable the start menu and select safe mode, or go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and click OK. Click yes to restart. This will restart your computer in safe mode. Logon to your user account.

    Open CWShredder, close ALL other windows and click fix. Exit.

    Open HijackThis to the Misc Tools section, then click the Delete an NT Service button. Type in ZESOFT and click OK. Close HijackThis.

    Open the smitfraud1 folder and double click the RunThis.bat file to start the tool. Follow the prompts. When the tool completes, if you used msconfig, uncheck the /safeboot box and click ok to reboot. Upon reboot you will be greeted with a message window from the System Configuration Utility. Check the box not to use and don't show, then click OK. If you used F8, just reboot back into Windows.

    Double click the LSPFix.exe to run. If the file flsmngr.dll is present, make sure it is in the remove column, check the box I know what I'm doing and click finish.

    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and click OK.

    Now run the Symantec W32.Beagle@mm Removal Tool.

    Reboot, scan again with HijackThis and post the new log.

    I would also like you to download MWAV. Save it to your desktop and double click to open. Check the boxes for Memory, Registry, Startup Folders, System Folders, Services, Drive, All Local Drives and Scan All Files, then click scan. When it completes, copy the lower window labeled Virus Log Information and post it here.

    smitfraud.zip
     
  10. 2005/05/11
    NBAS1

    I followed your instructions. Here is the HijackThis log. It looks like some of the entries are still there. I will post the virus log when it is finished running. Thanks for the help so far.


    Logfile of HijackThis v1.99.1
    Scan saved at 12:59:07 PM, on 5/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\DOCUME~1\Jim\LOCALS~1\Temp\mwavscan.com
    C:\DOCUME~1\Jim\LOCALS~1\Temp\kavss.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [yowctkp] c:\windows\kkiaifr.exe
    O4 - HKCU\..\Run: [iubykis] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [vmkwfbm] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [tvpreci] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [rtmjbqt] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [pqkhigo] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [lgonbkb] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [dbxuhjl] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [bvghhht] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [voukwjn] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [xslssnr] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [mppgrdx] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [pbgdqkm] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [qgtgqwa] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [utbhnsi] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [ygfkwfl] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [fyrimdn] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [tlnpkgy] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [rapqihi] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [jgrhskm] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [ytgefwp] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [wuirdaf] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [gifeqjw] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [tbsqdop] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [wusyjkc] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [plxcxgw] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [erdklmp] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [svejevy] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [emagrgl] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [kvoxcyg] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [fsdygja] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [dbxvkmu] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [gikquny] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [gevjqga] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [guyfeui] c:\windows\wsfroko.exe
    O4 - HKCU\..\Run: [kixviui] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [gnajrmu] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [ggmvfeq] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [drcojxs] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [nagefca] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [ithyacd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [hxsyspr] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [xnelcum] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [miloeqw] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [qstasbi] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [fkfscqk] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [pxhonql] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [jjhlskt] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [baofpgy] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [vfjaejm] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [qfflthj] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [yohnakd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [qlipbkf] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [nppvqto] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [ffqteyd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [etnrchd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [oqglgeb] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [nbjahfb] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [opyojce] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [bktyevt] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [xugkkpe] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [nvqsenm] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [exwhpfq] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [vkadgsu] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [mdfbwdu] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [ktjjeum] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [pikikgc] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [xqaykop] c:\windows\tamrcmc.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {7774FB30-AF13-5454-B967-732E52AC5811} - http://69.50.182.94/1/rdgUS1882.exe
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
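
The comparison between the fix list in post 9 and the post-reboot log in post 10, written out as an added example that is not part of either post. The function names and the two heuristics (same executable re-registered under a new Run value name; several Run value names pointing at one executable) are assumptions of this example, and the sample lines are abridged from the logs in this thread.

```python
import re
from collections import defaultdict

# Abridged from this thread: entries fixed in post 9 ...
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
O4 - HKCU\..\Run: [vqsaijo] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [vsnitex] c:\windows\kexdlki.exe
O4 - HKCU\..\Run: [mpufhvx] c:\windows\kkiaifr.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)
"""

# ... and the log posted after the reboot in post 10.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [yowctkp] c:\windows\kkiaifr.exe
O4 - HKCU\..\Run: [iubykis] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [vmkwfbm] c:\windows\alkntgw.exe
O4 - HKCU\..\Run: [tvpreci] c:\windows\alkntgw.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# "<section code> - <body>", e.g. "O4 - HKCU\..\Run: [name] command"
ENTRY_RE = re.compile(r"^\s*([RFNO]\d{1,2}) - (.+?)\s*$")
# Body of a registry autostart entry: hive, key, [value name], command line
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]+)\] (.+)$")


def parse_entries(log_text):
    """Return (section, body) pairs; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def executable(command):
    """Lower-cased program path from a Run command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].strip().lower()
    m = re.match(r"(.+?\.(?:exe|com|bat|scr|pif))\b", command, re.I)
    return (m.group(1) if m else command.split()[0]).lower()


def run_values(entries):
    """Yield (entry, value name, executable) for each O4 registry Run entry."""
    for entry in entries:
        section, body = entry
        m = RUN_RE.match(body) if section == "O4" else None
        if m:
            yield entry, m.group(3), executable(m.group(4))


def persisted(fix_list, after):
    """Entries that were fixed but are present again, unchanged, afterwards."""
    return sorted(set(fix_list) & set(after))


def re_registered(fix_list, after):
    """Run values with a new name that start an executable from the fix list."""
    fixed = set(fix_list)
    fixed_targets = {target for _, _, target in run_values(fix_list)}
    return sorted((name, target) for entry, name, target in run_values(after)
                  if entry not in fixed and target in fixed_targets)


def fan_in(entries, min_names=2):
    """Executables started by at least min_names different Run value names."""
    names = defaultdict(set)
    for _, name, target in run_values(entries):
        names[target].add(name)
    return {t: sorted(n) for t, n in names.items() if len(n) >= min_names}


if __name__ == "__main__":
    fix, after = parse_entries(FIX_LIST), parse_entries(AFTER_LOG)
    for section, body in persisted(fix, after):
        print("still present:", section, "-", body)
    for name, target in re_registered(fix, after):
        print("re-registered:", target, "as", name)
    for target, names in fan_in(after).items():
        print("fan-in:", target, "<-", ", ".join(names))
```

Entries that return unchanged, or return under a new value name, mean a process that rewrites them was still running when the fix was applied, so deleting the values alone does not hold.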
     
  11. 2005/05/11
    NBAS1

    Here is the virus log.



    File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\brown32k.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\brown32k.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\SYSTEM\Loader.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\System32\thun32.dll infected by "Trojan-Proxy.Win32.Small.bk" Virus. Action Taken: No Action Taken.
    File System Found infected by "mxoaldr Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\cxtpls_loader.exe.tcf infected by "not-a-virus:AdWare.Apropos.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\shop1004.exe.tcf infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\c_93rint.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\djrhbaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\glskaaaa.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\xehgyudv.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\ybnqworg.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
    File C:\AOL Instant Messenger\AIM95.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\cxtpls_loader.exe.tcf infected by "not-a-virus:AdWare.Apropos.b" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\shop1004.exe.tcf infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\c_93rint.dll infected by "Backdoor.Win32.PPdoor.j" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\djrhbaaa.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\glskaaaa.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\srpcsrv32.dll infected by "Trojan-Downloader.Win32.Adload.g" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\xehgyudv.exe infected by "Trojan-Dropper.Win32.Agent.ii" Virus. Action Taken: No Action Taken.
    File C:\WINDOWS\system32\ybnqworg.exe infected by "Trojan-Dropper.Win32.Small.wv" Virus. Action Taken: No Action Taken.
     
  12. 2005/05/11
    noahdfear

    Highlight and copy the entire following list of filepaths in bold, open Killbox and check delete on reboot, then click File>copy from clipboard, then click the red X. Close all other windows then click yes to process and reboot.

    C:\WINDOWS\System32\thun32.dll
    C:\WINDOWS\system32\brown32k.dll
    C:\WINDOWS\system32\brown32k.dll
    C:\WINDOWS\SYSTEM\Loader.dll
    C:\WINDOWS\System32\thun32.dll
    C:\WINDOWS\cxtpls_loader.exe.tcf
    C:\WINDOWS\shop1004.exe.tcf
    C:\WINDOWS\system32\c_93rint.dll
    C:\WINDOWS\system32\djrhbaaa.exe
    C:\WINDOWS\system32\glskaaaa.exe
    C:\WINDOWS\system32\srpcsrv32.dll
    C:\WINDOWS\system32\xehgyudv.exe
    C:\WINDOWS\system32\ybnqworg.exe
    C:\WINDOWS\cxtpls_loader.exe.tcf
    C:\WINDOWS\shop1004.exe.tcf
    C:\WINDOWS\system32\c_93rint.dll
    C:\WINDOWS\system32\djrhbaaa.exe
    C:\WINDOWS\system32\glskaaaa.exe
    C:\WINDOWS\system32\srpcsrv32.dll
    C:\WINDOWS\system32\xehgyudv.exe
    C:\WINDOWS\system32\ybnqworg.exe



    Scan with HijackThis, check the following entries and click fix. (all O4 HKCU entries)

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    O2 - BHO: Loader Class - {2E246FAE-8420-11D9-870D-000C2917DE7F} - C:\WINDOWS\SYSTEM\Loader.dll
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [yowctkp] c:\windows\kkiaifr.exe
    O4 - HKCU\..\Run: [iubykis] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [vmkwfbm] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [tvpreci] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [rtmjbqt] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [pqkhigo] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [lgonbkb] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [dbxuhjl] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [bvghhht] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [voukwjn] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [xslssnr] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [mppgrdx] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [pbgdqkm] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [qgtgqwa] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [utbhnsi] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [ygfkwfl] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [fyrimdn] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [tlnpkgy] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [rapqihi] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [jgrhskm] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [ytgefwp] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [wuirdaf] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [gifeqjw] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [tbsqdop] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [wusyjkc] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [plxcxgw] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [erdklmp] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [svejevy] c:\windows\alkntgw.exe
    O4 - HKCU\..\Run: [emagrgl] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [kvoxcyg] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [fsdygja] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [dbxvkmu] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [gikquny] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [gevjqga] c:\windows\xdofafm.exe
    O4 - HKCU\..\Run: [guyfeui] c:\windows\wsfroko.exe
    O4 - HKCU\..\Run: [kixviui] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [gnajrmu] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [ggmvfeq] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [drcojxs] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [nagefca] c:\windows\dddupgg.exe
    O4 - HKCU\..\Run: [ithyacd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [hxsyspr] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [xnelcum] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [miloeqw] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [qstasbi] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [fkfscqk] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [pxhonql] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [jjhlskt] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [baofpgy] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [vfjaejm] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [qfflthj] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [yohnakd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [qlipbkf] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [nppvqto] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [ffqteyd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [etnrchd] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [oqglgeb] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [nbjahfb] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [opyojce] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [bktyevt] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [xugkkpe] c:\windows\kopktgt.exe
    O4 - HKCU\..\Run: [nvqsenm] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [exwhpfq] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [vkadgsu] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [mdfbwdu] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [ktjjeum] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [pikikgc] c:\windows\tamrcmc.exe
    O4 - HKCU\..\Run: [xqaykop] c:\windows\tamrcmc.exe
    O16 - DPF: {7774FB30-AF13-5454-B967-732E52AC5811} - http://69.50.182.94/1/rdgUS1882.exe

    Update both Spybot and Ad-aware. Scan with Spybot and remove all it finds. Run Ad-aware in full scan mode and remove all it finds. Reboot and post a new HijackThis log.
     
  13. 2005/05/11
    NBAS1

    Error when using Killbox

    When I told Killbox to restart my computer I get a message stating "PendingFileRenameOperations Registry Data Has Been Removed By External Process". Should I still follow through with the remainder of the task?
     
  14. 2005/05/11
    NBAS1

    I went ahead and did the HijackThis scan again. I checked all items and told it to "fix". After it was done, I rebooted and ran a HijackThis scan again and some of the items were still there. Here is the new HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:03:46 PM, on 5/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Yahoo!\browser\ybrowser.exe
    C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
    C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
    Last edited: 2005/05/11
  15. 2005/05/11
    noahdfear

    Copy the contents of the quote box below to a blank notepad. Close it, saving to your desktop as

    File name: delfiles.bat
    Save As Type: All Files

    Reboot to safe mode and double click the file to run. You should be prompted to delete each file. Type a Y and hit enter for each. Make note of any errors.

    Scan again with HijackThis and fix the following entries.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
    O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe

    Reboot back into Windows and scan again with HJT, then post the log and any errors with the bat file.
     
  16. 2005/05/12
    NBAS1

    When I ran the bat file it opened up a window looking like DOS and the file ran without prompting me to delete any files. I ran it twice, just to see what was being displayed, as it ran pretty fast, and after each file to be deleted it either said "can not find" or "file not found". Here is the new HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 9:59:43 AM, on 5/12/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
    C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
    C:\Program Files\interMute\SpySubtract\SpySub.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Jim\Desktop\HIJACK THIS\HijackThis.exe

    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
    O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe "
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  17. 2005/05/12
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    I am still not being allowed to open programs from my desktop, or start menu. I have gone into the start menu and clicked on Adaware to run and it will not start up at all. If I double click it from the desktop, the little hour glass starts up as if the program is about to open, but it never opens. This is the same for almost all of my anti-spyware software. I could never even get Microsoft antispyware to load. It would start to load, but then it would just quit and take me back to the desktop, as if nothing ever started. Could this all be related to the trojan problems? As it is right now, I can only run Adaware in safe mode.
     
  18. 2005/05/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My bad on the batch prompting you. Had it in my mind that not using a /q switch would force a prompt, but doesn't always work out that way. Using a /p switch would have, but it doesn't really matter that much in the end, as long as the files are deleted. Your second run showing all files not found suggests they were all successfully deleted on the first run. Run another MWAV scan and post the log so we can make sure nothing bad was left behind.

    Please run CWShredder again. No need to go to safe mode, just close down all other programs and windows first. Let us know if anything is reported as fixed and what variant.

    Your latest HJT log appears to be clean. Progress at least. :) Please try uninstalling/re-installing your security programs before we proceed with other steps.
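
The check described in this exchange (fix a list of entries, rescan, confirm the new log is clean) can be done mechanically. The following is an added example, not part of the original posts: `FIX_LIST` and `FOLLOWUP` are copied from the logs in this thread, `PARTIAL` is constructed, and the function names are this example's own.

```python
import re
from urllib.parse import urlparse

# Section code (R0, O4, O16, ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^\s*([A-Z]\d{1,2})\s+-\s+(.*\S)\s*$")

def parse_entries(log_text):
    """Return (code, body) pairs for every HijackThis entry line."""
    found = (ENTRY_RE.match(line) for line in log_text.splitlines())
    return [(m.group(1), m.group(2)) for m in found if m]

def normalize(entry):
    """Fold case and whitespace so forum re-pastes still compare equal."""
    code, body = entry
    return code.upper(), " ".join(body.lower().split())

def remaining(fix_list, followup_log):
    """Entries from the fix list that still appear in the follow-up log."""
    seen = {normalize(e) for e in parse_entries(followup_log)}
    return [e for e in parse_entries(fix_list) if normalize(e) in seen]

def redirect_hosts(log_text):
    """Hosts that R0/R1 (IE start and search page) entries point to."""
    hosts = set()
    for code, body in parse_entries(log_text):
        if code in ("R0", "R1") and " = " in body:
            host = urlparse(body.split(" = ", 1)[1].strip()).hostname
            if host:
                hosts.add(host)
    return hosts

# The six entries the helper asked to have fixed (copied from this thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
O4 - HKCU\..\Run: [kiiegag] c:\windows\cnkcksx.exe
"""
# Two lines excerpted from the 5/12/2005 follow-up log in this thread.
FOLLOWUP = r"""
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""
# Constructed: the same excerpt with one fix entry left behind, re-cased.
PARTIAL = FOLLOWUP + r"O4 - HKCU\..\Run: [kiiegag]  C:\WINDOWS\cnkcksx.exe"

if __name__ == "__main__":
    print("still present:", remaining(FIX_LIST, PARTIAL))
```
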
     
  19. 2005/05/13
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    Here's the new virus log.

    File System Found infected by "mxoaldr Spyware/Adware" Virus. Action Taken: No Action Taken.
    File System Found infected by "cws.therealsearch Spyware/Adware" Virus. Action Taken: No Action Taken.
    File C:\AOL Instant Messenger\AIM95.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
    File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
     
  20. 2005/05/13
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    Just ran the CWShredder, and it found nothing. I am going to reinstall some antispyware and see if I can't get it to run.
     
  21. 2005/05/13
    NBAS1

    NBAS1 Inactive Thread Starter

    Joined:
    2005/05/05
    Messages:
    39
    Likes Received:
    0
    I uninstalled Microsoft antispyware beta, and Adaware. I downloaded both applications again, and I am still not able to install either. When I double click either program I get the hourglass icon for a few seconds, and nothing. Same thing happens if I right click and choose "open".
     