Crunchie, can you help me?

SarahH, post #11, May 12th, 2004
--------------------------------------------------------------------------
R3 fix.
Launch Notepad, and copy/paste the bold below into a new text file. Save it as URLRepair.reg (Change the 'Save As Type' to 'All Files'). Save it in C:\ (or on the desktop)

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"=""

Locate it (in C:\) and double-click on it (launch it). You'll receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer yes and wait for a message to appear similar to "Merged Successfully".

I must be doing something wrong on this part, because I can't get it to ask me the Merge question. I created the Text Document, copied everything above into it, then clicked save as All files. When I clicked save as All Files, it asked me if I wanted to replace the existing one, so I said yes. However, when I moved the URLRepair.reg file to C:\ and opened it, nothing happened. It just opened like any other text document file.
I didn't want to do anything below this, I wasn't sure if all these needed to be done in this specific order. So, that's where I am...I made the file, copied the info, opened it, and nothing happened, didn't ask me to merge. What did I do wrong?

SH

STP72, post #12, May 12th, 2004
I don't know if I can help but I had a problem close to yours and I tried Spybot Search and Destroy and it fixed my computer perfectly.
:cool:

SarahH, post #13, May 12th, 2004
Originally Posted by STP72
I don't know if I can help but I had a problem close to yours and I tried Spybot Search and Destroy and it fixed my computer perfectly.
Yes, that and Ad-Aware were the first things I tried, but they couldn't get rid of the problems. A lot of the things that Crunchie has told me have already helped a lot. Thanks anyways, STP72!

SH

meabed, post #14, May 12th, 2004
Oh..just try to reformat your HDD. Then it will work ;D

SarahH, post #15, May 12th, 2004
I still don't understand about the Merging URLRepair, but I checked the boxes you told me to in the Hijackthis. I deleted the files in Safe Mode, and here is what I have now:

Logfile of HijackThis v1.97.7
Scan saved at 5:16:08 PM, on 5/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
F:\Program Files\Hijack This\HijackThis.exe

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

This any better? Thanks so much again!

SH

SarahH, post #16, May 13th, 2004
Oh, and I still have those 8 viruses when I scan my computer on Trend Micro. Evil buggers :evil:

crunchie, post #17, May 13th, 2004
That's a lot better. With that R3 entry try this:

Download Registrar Lite from here:
http://www.resplendence.com/download/reglite.exe

Put it in its own folder. You may want to keep this program. It is an excellent free, registry editor.

Copy and paste the following text into the address bar, then hit 'Go':
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

In the pane on the right are the values associated with that key.
We want to remove this one & any others with that underscore at the end or beginning:

{CFBFAE00-17A6-11D0-99CB-00C04FD64497}_
Notice the underscore at the end.

Right click on each, and select delete.
If you get a confirmation question, respond OK then close out of the program.

Let me know if this fixes it, it should do.
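
A defender-side check for the R3 entries discussed above, added here as an example (not code from the thread or from HijackThis): it parses HijackThis "R3 - URLSearchHook" lines and flags any value name that is not exactly the CLSID written by the URLRepair.reg fix, such as the underscore-padded ones. The function name, the reason strings and the last two R3 sample lines are assumptions made for the illustration.

```python
import re

# CLSID that the URLRepair.reg fix quoted in this thread writes back.
EXPECTED_HOOK = "{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"

# "R3 - URLSearchHook: <name> - <registry value name> - <file>"
R3_LINE = re.compile(r"^R3 - URLSearchHook: (.*?) - (\S+) - (.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

def audit_search_hooks(log_text):
    """Return [(value_name, [reasons])] for R3 entries that need review."""
    findings = []
    for line in log_text.splitlines():
        m = R3_LINE.match(line.strip())
        if not m:
            continue  # not an R3 URLSearchHook line
        _name, value, target = m.groups()
        reasons = []
        core = CLSID.search(value)
        if core is None:
            reasons.append("no CLSID in value name")
        else:
            if core.group(0) != value:
                # e.g. a leading or trailing underscore, as in this thread
                reasons.append("extra characters around CLSID")
            if core.group(0).upper() != EXPECTED_HOOK:
                reasons.append("CLSID differs from expected hook")
        if target.strip() == "(no file)":
            reasons.append("no file resolved")
        if reasons:
            findings.append((value, reasons))
    return findings

# The first two R3 lines come from the log in post #15; the next two R3 lines
# (including their paths) are constructed for the example.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497} - C:\EXAMPLE\hook.dll
R3 - URLSearchHook: Example - {00000000-0000-0000-0000-000000000000} - C:\EXAMPLE\other.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

if __name__ == "__main__":
    for value, reasons in audit_search_hooks(SAMPLE_LOG):
        print(value, "->", "; ".join(reasons))
```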

SarahH, post #18, May 13th, 2004
Hey Crunchie, I did what you said and ran Hijack again, here is what it came up with:

Logfile of HijackThis v1.97.7
Scan saved at 9:19:05 AM, on 5/13/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\AvidSDMService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Avant Browser\iexplore.exe
C:\Program Files\Kazaa Lite K++\KazaaLite.kpp
F:\Program Files\Hijack This\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSL Connection Tool] C:\Program Files\MSN\MSNIA\dslmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~2\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O9 - Extra 'Tools' menuitem: MaxSpeed (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...947.7328819444
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab

However, I ran the free virus scan again from your link, and it says I still have these viruses on my computer:

TROJ REVOP.A C:/Documents and settings/BRD/Local settings/Temporary Internet Files/content.IE5/PR7BLHWE/bdl14025(1).exe

TROJ ISTBAR.DW C:/Windows/Downloaded Program Files/ISTactivex.dll

TROJ REVOP.A C:/Windows/System32/0021-bdl94126.EXE

TROJ BRISS.H C:/Windows/System32/a.exe

TROJ BRISS.H C:/Windows/System32/bridge.dll

TROJ SMALL.GO C:/Windows/System32/CS4P028.exe

BKDR SANDBOX.A C:/Windows/System32/Lkyqfy.exe

TROJ STILEN.A C:/Windows/System32/silent.exe

Thanks so much again! Your help has already fixed my Windows Media Player, and I have a lot less pop ups. The only major problem that I can see is my Photoshop files I have on my desktop keep randomly changing icons, and my Adobe Photoshop still crashes when I try and open it. :o

SarahH, post #19, May 13th, 2004
For those viruses, do I just go in safe mode and find and delete them? I was looking in my System32 folder, and I found silent.exe and a.exe, so I wasn't sure if that's what I'm supposed to do. Thought I'd wait for the expert to tell me!

Thanks again!

SH

crunchie, post #20, May 13th, 2004
Hi. Those viruses that the scan shows usually show in the hjt log (or at least some of them do).

Clean out all those in your last post by going into safe mode. Reboot back into normal mode & then disable system restore temporarily.
Post a new hjt log then we can enable system restore again. Just note that all previous restore points will be lost.
Check how photoshop is after removing those viruses, although it may be necessary to uninstall it & then reinstall.
The log you posted looks clean now, but I want to be sure after you remove those items.

How to disable system restore: Here.