Hey guys and gals, just ofund this place and from reading alot on here, sounds like I may have found the right people to help me out. I'm running winnt and had a bad case of trojan the other day. Actually still do have it. I run semantac virus scan and says I don;t have any BUT everytim I reboot, well, something called QBTOOLS.EXE in my winnt\systems directory comes up, gets quarinteened thats it. Next time I boot up, SAME THING and to top it off, the ONLY way I can get onto the internet is to boot up in Safe Mode. Hummmm, driving me nuts , course that wouldn't take much LOL It also has messed up my Autocad, I have cg survey incorporated into acad and says it won;t work. Go fugure, ust my luck I guess. Anyone have any ideas on whats doing this? Here's a listing of files that were added to my puter around the time of my infection. THANKS so much guys.
D Don
ersdef.bin
V.GRD
V.SIG
redit.cpl
supdate.dll
Sskknwrd.ddl
Checks.050908-0826.log and in it was
08.09.2005 08:26:47 - ##### check started #####
08.09.2005 08:26:47 - ### Version: 1.3
08.09.2005 08:26:47 - ### Date: 9/8/2005 8:26:47 AM
08.09.2005 08:26:47 - ##### checking bots #####
wmsetup.log
I'm uslually pretty good at figuring things out, well not this time, had me ready for a drink to early in the morning, LOL
THANKS again guys and gals, have a feeling someone on here can help

Here's the highjackthis log file
Logfile of HijackThis v1.99.1
Scan saved at 8:52:39 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\CGr13\win\acad.exe
C:\CGr13\win\acadapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\Rar$EX01.625\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ampmsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteptl32.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\pzdadn.exe reg_run
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ajkevnx] C:\WINNT\ajkevnx.EXE
O4 - HKLM\..\Run: [krnsgyi] C:\WINNT\krnsgyi.exe
O4 - HKLM\..\Run: [ziusffc] C:\WINNT\ziusffc.EXE
O4 - HKLM\..\Run: [fidosvh] C:\WINNT\fidosvh.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [rpbrybw] C:\WINNT\rpbrybw.EXE
O4 - HKLM\..\Run: [wbgvtzl] C:\WINNT\wbgvtzl.exe
O4 - HKLM\..\Run: [kpuhcqr] C:\WINNT\kpuhcqr.exe
O4 - HKLM\..\Run: [hmzwcka] C:\WINNT\hmzwcka.exe
O4 - HKLM\..\Run: [puvcahp] C:\WINNT\puvcahp.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ao34RifsU] abeps11n.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\System32\sysmonnt
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: kcrn.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\System32\supdate.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\System32\supdate.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Map 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Map 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HDLANG.com
O17 - HKLM\Software\..\Telephony: DomainName = HDLANG.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A925B626-AE1D-43D6-A745-F0D171EAC246}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HDLANG.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\ZG9uLm1jZG9uYWxk\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\xzqydmf.exe (file missing)
O23 - Service: Wintab32 - Unknown owner - C:\WINNT\System32\Wintab32.exe

I noticed that you were still running your browser. Make sure that you have all your browsers closed when you run HijackThis.

Run HijackThis again, select "Do a system scan only", and put a check next to the following lines: I assume that you have set up your computer to be part of the hdlang.com domain. If you have not, put checks next to the following lines as well: After you have selected these lines, select "Fix checked".

Once the fix is done, reboot, create a HijackThis log again, and post the log here.

OK, here's the logfile. MAN, this is all driving me nuts
THANKS

Logfile of HijackThis v1.99.1
Scan saved at 10:27:36 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\Rar$EX00.000\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ampmsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteptl32.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\pzdadn.exe reg_run
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ajkevnx] C:\WINNT\ajkevnx.EXE
O4 - HKLM\..\Run: [krnsgyi] C:\WINNT\krnsgyi.exe
O4 - HKLM\..\Run: [ziusffc] C:\WINNT\ziusffc.EXE
O4 - HKLM\..\Run: [fidosvh] C:\WINNT\fidosvh.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [rpbrybw] C:\WINNT\rpbrybw.EXE
O4 - HKLM\..\Run: [wbgvtzl] C:\WINNT\wbgvtzl.exe
O4 - HKLM\..\Run: [kpuhcqr] C:\WINNT\kpuhcqr.exe
O4 - HKLM\..\Run: [hmzwcka] C:\WINNT\hmzwcka.exe
O4 - HKLM\..\Run: [puvcahp] C:\WINNT\puvcahp.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ao34RifsU] abeps11n.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\System32\sysmonnt
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\System32\supdate.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\System32\supdate.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Map 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Map 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HDLANG.com
O17 - HKLM\Software\..\Telephony: DomainName = HDLANG.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A925B626-AE1D-43D6-A745-F0D171EAC246}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HDLANG.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\ZG9uLm1jZG9uYWxk\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\xzqydmf.exe (file missing)
O23 - Service: Wintab32 - Unknown owner - C:\WINNT\System32\Wintab32.exe

Looks like most of that isn't wanting to go away.

Make sure that you are running HijackThis outside of a temp folder. It looks like you are running HijackThis from WinRAR, unzip the program into its own folder (like c:\hijackthis) and run it from there.

This time, reboot into safe mode and try the process again.

Thanks. I've moved the RAR file to my conputer and unzipped it and also ran it again, here's the latest logfile.
I was in safe mode the other times because something won;t let me open up my internet explorer on a regular bootup so I have to boot up in safe mode to even get online AAAHHHHHH LOL
THANKS so much


Logfile of HijackThis v1.99.1
Scan saved at 1:04:21 PM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ampmsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [checkrun] C:\winnt\system32\eliteptl32.exe
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\pzdadn.exe reg_run
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [System service63] C:\WINNT\etb\pokapoka63.exe
O4 - HKLM\..\Run: [ajkevnx] C:\WINNT\ajkevnx.EXE
O4 - HKLM\..\Run: [krnsgyi] C:\WINNT\krnsgyi.exe
O4 - HKLM\..\Run: [ziusffc] C:\WINNT\ziusffc.EXE
O4 - HKLM\..\Run: [fidosvh] C:\WINNT\fidosvh.exe
O4 - HKLM\..\Run: [PSof1] C:\WINNT\System32\PSof1.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe
O4 - HKLM\..\Run: [MedGS] C:\WINNT\System32\medgs1.exe
O4 - HKLM\..\Run: [opr] C:\WINNT\System32\opr.exe
O4 - HKLM\..\Run: [Windows Incontext] C:\DOCUME~1\DON~1.MCD\LOCALS~1\Temp\InSearch.exe
O4 - HKLM\..\Run: [rpbrybw] C:\WINNT\rpbrybw.EXE
O4 - HKLM\..\Run: [wbgvtzl] C:\WINNT\wbgvtzl.exe
O4 - HKLM\..\Run: [kpuhcqr] C:\WINNT\kpuhcqr.exe
O4 - HKLM\..\Run: [hmzwcka] C:\WINNT\hmzwcka.exe
O4 - HKLM\..\Run: [puvcahp] C:\WINNT\puvcahp.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [ao34RifsU] abeps11n.exe
O4 - HKCU\..\Run: [PrivacyScanner] C:\Program Files\Privacy Champion\pscan.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINNT\System32\sysmonnt
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\System32\supdate.dll
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINNT\System32\supdate.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - ms-its:mhtml:file://c:\nosunel.mht!http://daemonlinks.net/script/lc.chm::/bridge-c46.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon.com/ct/pm3/iwonpm_8_1,0,2,5.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Map 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Map 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HDLANG.com
O17 - HKLM\Software\..\Telephony: DomainName = HDLANG.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A925B626-AE1D-43D6-A745-F0D171EAC246}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HDLANG.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\ZG9uLm1jZG9uYWxk\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\xzqydmf.exe (file missing)
O23 - Service: Wintab32 - Unknown owner - C:\WINNT\System32\Wintab32.exe

Are you doing all the steps that I listed: running HijackThis from its own folder, clicking "Do a system scan only", checking the checkbox next to each item that I listed, and clicking "Fix checked"? Do you click the "Yes" button on the dialog that pops up asking if you are sure you want to remove the items?

The reason I ask is because items that should be disappearing are not. Make sure that you follow the instructions step by step.

I must be missing something as I haven't seen a list of things to fis with highjackthis from you yet AAAHHHH
THANKS

OK, I found what you had written about what lines to check. I did this with the exception of 2 mines (unless I missed something) Those lines were about acad2000i as we have an excripted code with it so that only one machine can used the license, thought that may screw it up. Thanks and let me kno what else I can do
Don
Here';s the new highjackthis log file

Scan saved at 2:04:48 PM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ampmsearch.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winsync] C:\WINNT\System32\pzdadn.exe reg_run
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia.com/install/pcs_0009.exe
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Map 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Map 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HDLANG.com
O17 - HKLM\Software\..\Telephony: DomainName = HDLANG.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A925B626-AE1D-43D6-A745-F0D171EAC246}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HDLANG.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\ZG9uLm1jZG9uYWxk\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINNT\System32\Wintab32.exe

You're getting really close. These are the only lines that remain: Follow the instructions here to remove the pacimedia program. After running this program, try to do another run with HijackThis and remove the above lines. If we can get rid of those, you will have a clean system.

Once you have finished another scan, irregardless of whether or not it removed everything, install and run full scans with Adaware and Spybot S&D. Doing this will help clean up any remains on the system.

OK, THINK I have everything you asked me to fix with highjackthis. Here's the latest logfile. MAYBE this will all fix it to wherer I can get online without being in safe mode and even more importantly, where I can use my surveying program that keeps giving me the exception handler message in acad whcich is something about cgsurvey has a problem, and then something about the exception handler? Course after that it just askes do I want to send an error message but I guess I'm fixing to find out THANKS BUD and if you ever need anything, elt me know
Logfile of HijackThis v1.99.1
Scan saved at 2:44:03 PM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\YPAGER.EXE
C:\Program Files\hijackthis\HijackThis.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -turbo
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred Control) - file://C:\Program Files\AutoCAD Map 2000i\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD Map 2000i\AcPreview.ocx
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HDLANG.com
O17 - HKLM\Software\..\Telephony: DomainName = HDLANG.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{A925B626-AE1D-43D6-A745-F0D171EAC246}: NameServer = 192.168.1.100
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HDLANG.com
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\ZG9uLm1jZG9uYWxk\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Wintab32 - Unknown owner - C:\WINNT\System32\Wintab32.exe