Think I have big problems with spyware

Thread Solved

jdbaker82, post #11, Dec 29th, 2004
Check this new log out after simply changing msconfig back to selective startup with not so many services and startup items.. Even more things appear and most of the stuff in the Hijack log you told me to clean isn't even there anymore w/o a normal boot from msconfig

Logfile of HijackThis v1.99.0
Scan saved at 4:32:52 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\installer.exe
C:\WINNTOLD\system32\viyrrv.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-sea...=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-sea...=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-sea...ook=stmpl1&fw=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe

jdbaker82, post #12, Dec 29th, 2004
Go to Start, point to Programs, point to Startup, delete kuyttk, if it's there.

Reboot into Safe Mode

Do a search for WToolsA.exe, and delete it, if found
Do a search for SStb.exe, and delete it, if found
Do a search for abu.exe, and delete it, if found
Go to C:\winntold\system32 and delete kalvgva32.exe, if found

When booted into safe mode the only one of these files I could successfully find was SStb.exe ....Did not find any of the other files doing a search or in the winntold\system32 folder.

dlh6213 (Team Colleague), post #13, Dec 29th, 2004
Did you fix the things I suggested? You'll have to wait for one of the mods to look at the rest because it appears to be beyond my capability (for now...)
Links to help you help yourself :

Protect Your PC & Avoid Infections -- http://www.daniweb.com/techtalkforums/thread27519.html

Cleanup Procedures & Tools -- http://www.daniweb.com/techtalkforums/thread27570.html

Infection Removal & HijackThis Use -- http://www.daniweb.com/techtalkforums/thread28196.html

crunchie (Moderator), post #14, Dec 29th, 2004
Hi. First up we need to get rid of some crap before having a go at VX2.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Go to c:\winntold\system32 and delete that file manually. What's with the WINNTold?

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H

Reboot and delete the C:\Program Files\se <---- folder. May have to boot into safe mode if it will not go.

Post back another log when done.

Do you have the killbox? If not, download it here=
http://www.downloads.subratam.org/KillBox.exe

jdbaker82, post #15, Dec 29th, 2004
Hi. First up we need to get rid of some crap before having a go at VX2.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

I have already fixed those files with LSPfix numerous times and they keep coming back


I have checked and removed these same things over and over and over along with the se.exe as well as removing it in safe mode and it keeps coming back as well...

Post back another log when done.

Do you have the killbox? If not, download it here=
http://www.downloads.subratam.org/KillBox.exe

Yes I recently downloaded killbox, but am having trouble trying to find the files that need to be killed. Because everything seems to disappear and reappear when it wants.




PS... This is getting frustrating.. trust me I have been on here all day reading through all the posts in this forum trying to find something but nothing is working.

dlh6213 (Team Colleague), post #16, Dec 29th, 2004
Info about winntold:
WinNTNew (Windows NT 4.0 or higher), WinNTOld (Windows NT 3.51) found here:
http://www.bris.ac.uk/is/services/co...cpydoc.ini.txt

jdbaker82, post #17, Dec 29th, 2004
Here's a new log.. But at this point it means the same exact thing to me, because as soon as I run SB S&D or Adaware everything will be back and when I run Hijack this it will have tons of things in there again.


Logfile of HijackThis v1.99.0
Scan saved at 5:25:32 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe


Viyrrv.exe worries me and I tried to kill it with killbot.exe in safeboot and it was not able to remove it. I know even though it seems like this log is pretty clean I still keep getting the same pop ups over and over as well as the same 3 icons on my desktop every time the computer is rebooted. Also I notice that I keep deleting that SE folder along with a few others from my program files folder but it keeps reappearing.

Thanks for the help so far guys, you are great.. I just need some powerful suggestions now.
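
Added example, not part of any poster's message and not code from HijackThis or the other tools named in the thread: a small Python diff of two HijackThis logs, showing which entries a cleanup pass removed and which survived. The sample lines are abridged from the logs in posts #11 and #17; the names `parse_log` and `compare` are made up for this example.

```python
import re

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # e.g. "O4 - HKLM\..\Run: ..."

# Sample input: lines abridged from the logs in posts #11 and #17 of this thread.
LOG_POST_11 = r"""
Running processes:
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\installer.exe
C:\WINNTOLD\system32\viyrrv.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
"""
LOG_POST_17 = r"""
Running processes:
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\viyrrv.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
"""

def parse_log(text):
    """Return (set of lower-cased process paths, set of (section, detail))."""
    procs, entries, in_procs = set(), set(), False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process list
        elif (m := ENTRY.match(line)):
            entries.add((m.group(1), m.group(2)))
        elif in_procs:
            procs.add(line.lower())   # Windows paths are case-insensitive
    return procs, entries

def compare(before, after):
    """Diff two logs: what a fix removed, what survived, what appeared."""
    p1, e1 = parse_log(before)
    p2, e2 = parse_log(after)
    return {"entries_removed": sorted(e1 - e2), "entries_persisting": sorted(e1 & e2),
            "entries_new": sorted(e2 - e1), "processes_gone": sorted(p1 - p2),
            "processes_persisting": sorted(p1 & p2), "processes_new": sorted(p2 - p1)}

if __name__ == "__main__":
    for key, items in compare(LOG_POST_11, LOG_POST_17).items():
        print(key, *items, sep="\n  ")
```

Running the same comparison on logs taken before and after each reboot shows which entries are being re-created rather than merely hidden by the msconfig startup mode.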

crunchie (Moderator), post #18, Dec 29th, 2004
It is important that you only follow the instructions given. If not, all the infected files will morph and we will be back at the start point again.

Apart from that one file, the log looks ok. Now, please post a log from VX2Finder, dllcompare and Find_it. Do not reboot!

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

jdbaker82, post #19, Dec 29th, 2004
Originally Posted by crunchie
It is important that you only follow the instructions given. If not, all the infected files will morph and we will be back at the start point again.

Apart from that one file, the log looks ok. Now, please post a log from VX2Finder, dllcompare and Find_it. Do not reboot!

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and double-click on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

Working on it now, sorry for the delay. I had to get some sleep; I was up for 24 hours straight.

jdbaker82, post #20, Dec 29th, 2004
Originally Posted by jdbaker82
Working on it now, sorry for the delay. I had to get some sleep; I was up for 24 hours straight.

When I am running find.bat it never seems to generate a log file...