Greetings programs.

I do have spy sweeper active and protecting my start page. I keep getting a message about switching my start page to
res://wqzaa.dll/index.html#96676

Ran CWShredder and let it remove everything. Ran hijackthis and deleted all the search references.

They keep coming back. Any google search I do also pops up another search page to http://search-to-find.com/sec.php?qq=testing&pin=96676

Here is my log

Logfile of HijackThis v1.97.7
Scan saved at 9:01:14 AM, on 6/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\gearsec.exe
C:\PROGRA~1\NORTON~2\NORTON~2\GHOSTS~2.EXE
C:\MSSQL7\binn\sqlservr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\PROGRA~1\NORTON~2\SPEEDD~1\nopdb.exe
C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\50\bin\OWSTIMER.EXE
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\iVasion\WinPoET\WrOS.EXE
C:\WINDOWS\System32\mspmspsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\winem.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\netku.exe
C:\Program Files\instant messenger\aim.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\York\York_Devmon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\utils\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wqzaa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\wqzaa.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://wqzaa.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\wqzaa.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.excite.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {3764A70B-08CA-A3C8-9F8B-1BABB4D566F5} - C:\WINDOWS\apiat32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinPoET] C:\Program Files\iVasion\WinPoET\WinPPPoverEthernet.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] C:\Program Files\Norton SystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\SymTray.exe SetReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [netku.exe] C:\WINDOWS\system32\netku.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\instant messenger\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [YORKPW] C:\Program Files\York\York_Devmon.exe C:\Program Files\York\York Photo Wizard.exe
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\RunOnce: [SymTray - Norton SystemWorks] C:\Program Files\Common Files\Symantec Shared\Symtrdr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Create Mobile Favorite (HKLM)
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O16 - DPF: ChatSpace Full Java Client 3.0.0.207 - http://surechat.com:9000/Java/cfs3207.cab
O16 - DPF: ChatSpace Full Java Client 3.1.0.229 - http://surechat.com:9000/Java/cfs31229.cab
O16 - DPF: ChatSpace Java Client 2.0.0.66 - http://208.240.218.240:8000/Java/cs4ms066.cab
O16 - DPF: ChatSpace Java Client 2.1.0.84 - http://216.0.106.14:9000/Java/cs4ms084.cab
O16 - DPF: ChatSpace Java Client 2.1.0.89 - http://64.85.10.126:8192/Java/cs4ms089.cab
O16 - DPF: ChatSpace Java Client 2.1.0.90 - http://64.85.10.126:8192/Java/cs4ms090.cab
O16 - DPF: ChatSpace Java Client 3.0.0.204 - http://surechat.com:9000/Java/cms3204.cab
O16 - DPF: ChatSpace Java Client 3.0.0.207 - http://surechat.com:9000/Java/cms3207.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com.../c381/chat.cab
O16 - DPF: YExplorer1_7US.CAB - http://photos.yahoo.com/ocx/us/yexplorer1_7us.cab
O16 - DPF: {0D3983A9-4E29-4F33-8313-DA22B29D3F87} (QuickBooks Online Edition Utilities Class v6) - https://accounting.quickbooks.com/v9.050/qboax6.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com...43/yacscom.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeup...ntent/opuc.cab
O16 - DPF: {5763F8E8-0DD7-4A0F-ADB0-9F64C8F2C349} (Pixami/Snapfish Upload UI Control) - http://www.snapfish.com/SnapfishUploader.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {72C23FEC-3AF9-48FC-9597-241A8EBDFE0A} (InstallShield International Setup Player) - http://ftp.hp.com/pub/automatic/player/isetupML.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {814EA0DA-E0D9-4AA4-833C-A1A6D38E79E9} (DASWebDownload Class) - http://das.microsoft.com/activate/ca...ail/DASAct.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...879.6520949074
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/tech...a/SymAData.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite...ITDetector.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.192/qboax7.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/Te...loads/outc.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab


The netku.exe running on startup keeps coming back. Even after deleting it and the wqzaa.dll

Suggestions?
Thanks and I must say this place is the best..
Mark

Download dllfix from the following link.
http://tools.zerosrealm.com/dllfix.exe

Create a folder on your desktop, doubleclick on the dllfix and install it into the folder you just created.
1.Run start.bat and press option 1. 'output.txt' will be created in the folder. Post the results of the log here.

Thanks for the reply.

I want to add that this does not happen if I log on as administrator and the only differences I can see is the BHO api something is not there.

O2 - BHO: (no name) - {E7065518-0E66-202A-4EB4-121DBCBCE4D0} - C:\WINDOWS\apibi.dll

Here is the other output log.

--==***@@@ FIND-ALL' VERSION MODIFIED -6/14 @@@***==--
--==***@@@ ORIGINAL BY FREEATLAST @@@***==--

Thu 06/17/2004
10:45a

System Info:

Microsoft Windows 2000 [Version 5.00.2195]


*IE version and Service packs:
*Notepad version :
*Media Player version :


Locked or 'Suspect' file(s) found...
These may be other files that Dllfix doesnt target.
If not file is listed than Dllfix may not Help.
in this case please post the contents of Windows.txt to the appinit
entry can be checked. You will find it in the dllfix folder after findall completes.
The system cannot find the path specified.
The system cannot find the path specified.


Scanning for main Hijacker:


Dllfix must have the Hijackerfiles in system32 to fix properly.
If there are no protocal keys text/html and text/plain
then dllfix may not work. This fix targets this type Hijack Entry.
that keeps reoccuring with different filenames.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page
= res://C:\WINDOWS\System32\xxxxxx.dll/sp.html (obfuscated)
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}]
@="NAV Helper"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7065518-0E66-202A-4EB4-121DBCBCE4D0}]
@=""

REGEDIT4

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter]

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/octet-stream]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-complus]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\application/x-msdownload]
"CLSID"="{1E66F26B-79EE-11D2-8710-00C04F79ED0D}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\Class Install Handler]
@="AP Class Install Handler filter"
"CLSID"="{32B533BB-EDAE-11d0-BD5A-00AA00B92AF1}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\deflate]
@="AP Deflate Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\gzip]
@="AP GZIP Encoding/Decoding Filter "
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\lzdhtml]
@="AP lzdhtml encoding/decoding Filter"
"CLSID"="{8f6b0360-b80d-11d0-a9b3-006097942311}"

[HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/webviewhtml]
@="WebView MIME Filter"
"CLSID"="{733AC4CB-F1A4-11d0-B951-00A0C90312E1}"

*Security settings for 'Windows' key:

If error than registry may need to be restored from option 4.


I am also now getting different start page redirect messages. Here is the first few lines from the hijack log

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\belpw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://belpw.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://belpw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\belpw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://belpw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\belpw.dll/sp.html#96676

What a pain this stuff is.

Thanks
Mark

You do not appear to have the reinstaller, good news .
Boot into safe mode & delete those R0,R1 & 02 entries that relate to that dll. Go to C:\WINDOWS\*****.dll & delete that file also.
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Reboot normally after doing the above then post a fresh log plz.

Hello again.
Removed all the search references and dll's and an exe of the same name.
Everything runs fine until I go to google and do a search.

I get a popup for a search at lookfor.cc that is the same thing I searched google for.
And now my start page is trying to set itself to another dll with a different name but the same 5 digit code. When it does the lookfor.cc it also has the same code at the end.
All the references I see about lookfor.cc relate it to the iefeats trojan. I have searched for all the listed files and keys and none are on my system.

I do keep getting a BHO called api*.dll

When I get back to my machine tonight I'm going to scan the reg for that repeating 5 digit code and see if I can find it.

take care
Mark

by the way. I'm a senior techie volunteer at a Philadelphia area project called teamchildren.com. I have a 28,000 square foot warehouse with thousands of computer parts. If you need any 5+ year old computer parts let me know We are clearing stuff out. AS an example I threw out over 350 modems yesterday all 14.4 or slower

Download CWShredder from here & run it. Select the fix button & it will get rid of everything related to CoolWebSearch that is stored in it's database. Close ALL windows, including IE, before running CWShredder. Reboot.

To help prevent this from happening again, install the patches for the vulnerabilities that this hijacker exploits by going here for your critical updates.

Reboot after doing this & post another log please.

Worth trying this I think.

Hi again

I have run cwshredder and it does not find anything.

There is a random exe file showing up in the registry run section. I am starting to keep track of the names.
Also there is an unknown BHO that also keeps coming back. Starting to track these names also.

looks like more and more people are reporting this now.

Thanks
Mark

Greetings.

Not sure where I should pass this along but there was a ad-aware update available today that took care of the problem. Here is the coolwebsearch part of what it found.

COOLWEBSEARCH
¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
obj[2]=RegKey : CLSID\{E7065518-0E66-202A-4EB4-121DBCBCE4D0}
obj[3]=RegKey : SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7065518-0E66-202A-4EB4-121DBCBCE4D0}
obj[6]=File : c:\windows\apibi.dll
obj[85]=File : c:\utils\backup-20040617-101142-555.dll
obj[86]=File : c:\utils\backup-20040617-101740-830.dll
obj[87]=File : c:\utils\backup-20040617-101828-604.dll
obj[88]=File : c:\utils\backup-20040617-110118-815.dll
obj[89]=File : c:\utils\backup-20040617-115936-270.dll
obj[90]=File : c:\utils\backup-20040618-183426-585.dll
obj[91]=File : c:\utils\backup-20040619-091408-544.dll
obj[92]=File : c:\utils\backup-20040619-114359-506.dll
obj[93]=File : c:\utils\backup-20040619-115129-947.dll
obj[94]=File : c:\utils\backup-20040619-120031-351.dll
obj[95]=File : c:\utils\backup-20040619-132101-349.dll
obj[96]=File : c:\utils\backup-20040619-133120-281.dll
obj[97]=File : c:\utils\backup-20040619-134133-568.dll
obj[98]=File : c:\utils\backup-20040619-140852-563.dll
obj[100]=File : c:\windows\system32\knfmi.dat
obj[101]=File : c:\windows\system32\lbdyc.dll
obj[102]=File : c:\windows\system32\mmxuh.dll
obj[103]=File : c:\windows\system32\orbie.dll
obj[104]=File : c:\windows\system32\oxabh.dat
obj[105]=File : c:\windows\system32\rzoac.dat
obj[106]=File : c:\windows\system32\zlxpt.dat
obj[108]=File : c:\windows\apibi.exe
obj[110]=File : c:\windows\javaro32.exe
obj[111]=File : c:\windows\lbyal.dll
obj[112]=File : c:\windows\nbiei.dll
obj[113]=File : c:\windows\nzlop.dat
obj[114]=File : c:\windows\n_jrecyw.dat
obj[115]=File : c:\windows\rqroy.dat
obj[116]=File : c:\windows\uewayh.dat
obj[117]=File : c:\windows\upajq.dll
obj[118]=File : c:\windows\vhpwl.dat
obj[119]=File : c:\windows\vhpwlo.dat

the c:\utils is where I have my hijackthis.
Finally.

Thanks for all your help
Mark

Cool...........

I must have the Reinstaller of this.... how do i get rid of it? becuase i keep doing a scan with ad-aware 6 and it finds it and gets rid of it for about 3 min then it is back! UHHH please help thanks!
Bryan