
Think I have big problems with spyware

OK, this is on my uncle's laptop, and he has been having trouble for months now. I have run AVG anti-virus and Ad-aware as well as Spybot Search and Destroy many times, and it seems to clean everything off, but the same pop-ups keep coming back. When I am booted normally and try to remove some of the Hosts 69.x.x.x auto search entries, I get a permission denied error. I'm curious what all the Winsock ones are as well.

Here is the log file

Logfile of HijackThis v1.99.0
Scan saved at 2:01:11 PM, on 12/28/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\system32\installer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\aklsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

None of the processes seem out of place.... but what is cc manager?

suRoot
Posting Whiz in Training
210 posts since Apr 2004
Reputation Points: 38
Solved Threads: 9
 



Not sure, but when I ran the online virus scan it found 5 things and got rid of all but one of them, which it said was in use...

TROJ NARRATOR.A Can not access C:\WINNTOLD\System32\lygool.dll

Anyone know the best way to get rid of at least this trojan? Maybe safe boot?

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

After running Spybot S&D it found about 15 items, and a few it could not fix because of this message: "Date:''C:\WINNTOLD\System32\drivers\etc\hosts" kann nicht erstellt warden. The process cannot access another file because it is being used by another process". Some of the things it could not remove were CoolWWWsearch.Bootconf and CoolWWWsearch.Svchost32.

I then proceeded to run it in safe boot, and it only found two items, which it says it fixed.

I then downloaded CWShredder, and it says it finds and removes these two items, but they keep coming back every time I rescan, and if I uncheck "send to recycle bin" and just delete them it says I need to restart CWShredder because it encountered errors.

I am going to post another Hijack this log later.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

OK, I went ahead and followed the advice I saw in some previous threads on this subject. Keep in mind I have already run SB S&D, Adaware SE, HijackThis, CWShredder, and Webroot Spy Sweeper over 10 times each in the past two weeks, yet the same pop-ups etc. keep coming back :cry: ... On a side note, every time I restart there are 3 icons that appear on the desktop (Online dating, Holiday travel, and free online music), as well as the same damn IE windows that open up to the same page: Ad-w-a-r-e.com and Inqwire.com etc.

1. I configured Adaware SE for the recommended settings and performed a full system scan, which found 49 critical objects, and then I got a message that says "Some objects could not be removed, Try closing all open browser windows prior to the removal. If this does not help reboot and run adaware again. C:\WINNTOLD\system32\irjol5131.dll"

2. I ran SB S&D and it finds CoolWWWSearch.tapicfg, CWS.Bootconf, CWS.Loadbat, CWS.msconfd, CWS.oslogo, and CWS.xmlmimefilter, as well as Igetnet; these things seem to keep coming back no matter how many times I run SB S&D. Sometimes it gives me an error saying it needs to attempt to repair these things on the next reboot because the process is already running and access is denied, etc.

3. I rebooted into safe mode and deleted all of the files in all of the temp folders, and emptied the recycle bin. (I made sure I deleted all temp files as I even did a search for *.tmp, and also got the C:\Windows\Temp folder and DocSettings\Thom\Localsetting\temp)

4. Ran Adaware again (while it was running, IE opened up with some crap advertisement, http://inqwire.com/homepage, and an online casino pop-up that was generated from a tmp file that appeared on the screen). Anyway, this time it found 95 critical objects!!! More than the last time! (A lot of VX2s, CoolWebSearches, and Redirects located in the Doc Settings/Favorites folder, along with the 69.20.16.183 hosts file entries for auto.search.msn.com, ieautosearch.com and search.netscape.com.) When I tried to remove all objects this time it said the same thing as last time, except this time the files were C:\WINNTOLD\system32\ktn4175q1.dll and C:\WINNTOLD\system32\guard.tmp.

As far as where it says these VX2 files are located, it's showing C:\WINNTOLD\system32\(ktn4175q1.dll, iozbbi.dll, viyrrv.exe, iozbbi.dll, and guard.tmp).

5. Ran SB S&D again: CoolWWWsearch.oslogo, CWS.Bootconf, CWS.Loadbat, CWS.Msconfd, CWS.XmImimefiler and CWS.Tapicfg with 1 entry each, which are all redirected hosts, along with Igetnet and Common Hijacker. But NOW we have even more entries, such as Network Essentials.WindowsEnhancer (all registry keys) with 13 entries, Network Essentials.Search-Exe (C:\Program Files\se\v11\se.DLL and se.exe) with 7 entries, and now even Virtual Bouncer (C:\Program Files\VBOUNCER\ and C:\Documents and settings\Thom\Start menu\Programs\Virtual bouncer, along with 5 reg keys) came back with 6 entries. When cleaning it says "some problems couldn't be fixed, the reason could be that the associated files are still in use (in memory), this could be fixed after a restart blah blah blah sure". 26 problems fixed... 18 could not be fixed.


6. Ran HijackThis and attempted to fix some things, which it says it cannot fix (O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll, etc.) because it needs to be done with a program like LSPFix, which I then downloaded; it fixed the registry, so they seem to be gone from the HijackThis log now. Also, these 4 things seem to come back into the HijackThis log every single time no matter what I do:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch

Something I notice that sometimes runs in the task manager is something called drwtsn.exe, which I have seen a fatal error message come up on the screen about before when running Adaware. I will post a new HijackThis log as soon as I am done running other diagnostics on it. Anyway, it's late, and it seems the more I try the worse it gets and the more it comes back. It seems like after rebooting in safe mode and getting rid of all the temp files is when it really started to show more things in Spybot and Adaware... I'm lost; if anyone has any idea what has got to this machine, please help.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

Before posting another HJT log, try running all your scans while in Safe Mode. Then reboot into Normal Mode, close all browser windows, scan with HJT, and post a new log.

dlh6213
Posting Maven
Team Colleague
3,117 posts since Jul 2004
Reputation Points: 63
Solved Threads: 214
 


It doesn't seem to find much with Spybot S&D, Adaware or HijackThis when in safe boot... So I don't know what that can accomplish... But I will do what you say.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

OK, I enabled all services and startup items after running all apps in safe boot. Here is the log... But again, let me remind you this log changes every time I run one of the spyware cleaners.

Logfile of HijackThis v1.99.0
Scan saved at 2:52:25 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNTOLD\System32\svchost.exe
C:\Documents and Settings\All Users.WINNTOLD\Start Menu\Programs\Startup\kuyttk.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [kalvsys] C:\winntold\system32\kalvgva32.exe
O4 - HKLM\..\Run: [abu] abu.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\CACHEMAN\Cacheman.exe
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54CFG.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\interMute\SpySubtract\SpySub.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service - VERITAS Software Corp. - C:\WINNTOLD\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe
O23 - Service: NICSer_WPC54G - Unknown - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

I just noticed when looking at this log that iexplorer.exe is a running process, yet there were no browser windows open... I think this problem is deep and I can't find it.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

Be sure all browser windows are closed before fixing anything with HJT (I've seen users before that said their log showed it when no windows were open -- not sure what causes this, but just make sure they're all closed). Scan with HJT and have it fix the following entries:

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
(More info here http://www.liutilities.com/products/wintaskspro/processlibrary/WToolsA/ )
O4 - HKLM\..\Run: [SStb.exe] SStb.exe
(More info here http://computercops.biz/startuplist-6561.html )
O4 - HKLM\..\Run: [kalvsys] C:\winntold\system32\kalvgva32.exe
O4 - HKLM\..\Run: [abu] abu.exe

Go to Start, point to Programs, point to Startup, delete kuyttk, if it's there.

Reboot into Safe Mode

Do a search for WToolsA.exe, and delete it, if found
Do a search for SStb.exe, and delete it, if found
Do a search for abu.exe, and delete it, if found
Go to C:\winntold\system32 and delete kalvgva32.exe, if found

Reboot normally, close all browser windows, scan with HJT, and post a new log please.

Some info on Cacheman.exe:
http://startup.iamnotageek.com/srch-Cacheman.exe.html

dlh6213
Posting Maven
Team Colleague
3,117 posts since Jul 2004
Reputation Points: 63
Solved Threads: 214
 

OK, will do that now. While I was browsing around in these forums I saw a thread and decided to create a log file for vxfinder.exe and dllcompare.exe... I really think my registry is infected.

* DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINNTOLD\SYSTEM32\uleg.dll Thu Dec 23 2004 2:32:48p ..S.R 224,283 219.02 K
C:\WINNTOLD\SYSTEM32\sxorprop.dll Thu Dec 23 2004 12:43:24p ..S.R 226,060 220.76 K
C:\WINNTOLD\SYSTEM32\dhsbase.dll Thu Dec 23 2004 1:41:18p ..S.R 222,523 217.30 K
C:\WINNTOLD\SYSTEM32\mwprivs.dll Wed Dec 29 2004 3:54:08a ..S.R 222,920 217.70 K
C:\WINNTOLD\SYSTEM32\kcdda.dll Wed Dec 29 2004 12:49:30a ..S.R 222,920 217.70 K
C:\WINNTOLD\SYSTEM32\q4psle~1.dll Mon Dec 20 2004 11:35:18a ..S.R 224,128 218.88 K
C:\WINNTOLD\SYSTEM32\gpnml3~1.dll Wed Dec 15 2004 7:35:32a ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\mrxlegih.dll Mon Dec 20 2004 1:07:18p ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\irlsl5~1.dll Wed Dec 15 2004 7:36:10p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\jtjm07~1.dll Wed Dec 22 2004 9:32:06a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\j8j60i~1.dll Mon Dec 20 2004 5:05:10p ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\hr8405~1.dll Wed Dec 22 2004 10:07:34a ..S.R 222,450 217.23 K
C:\WINNTOLD\SYSTEM32\ir2sl5~1.dll Thu Dec 23 2004 6:05:54p ..S.R 226,008 220.71 K
C:\WINNTOLD\SYSTEM32\r6r60g~1.dll Tue Dec 28 2004 4:09:02p ..S.R 224,283 219.02 K
C:\WINNTOLD\SYSTEM32\fp2403~1.dll Wed Dec 29 2004 3:54:06a ..S.R 223,343 218.11 K
C:\WINNTOLD\SYSTEM32\j0j6la~1.dll Wed Dec 22 2004 9:41:58a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\ir6ql5~1.dll Tue Dec 28 2004 4:41:16p ..S.R 224,701 219.43 K
C:\WINNTOLD\SYSTEM32\lvpq09~1.dll Tue Dec 28 2004 6:36:14p ..S.R 225,600 220.31 K
C:\WINNTOLD\SYSTEM32\c2000c~1.dll Wed Dec 22 2004 10:29:36a ..S.R 225,982 220.68 K
C:\WINNTOLD\SYSTEM32\k4jsle~1.dll Tue Dec 14 2004 9:36:48p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\l4n4le~1.dll Tue Dec 14 2004 5:31:56p ..S.R 224,826 219.55 K
C:\WINNTOLD\SYSTEM32\fp2m03~1.dll Tue Dec 28 2004 7:22:46p ..S.R 225,035 219.76 K
C:\WINNTOLD\SYSTEM32\jtno07~1.dll Thu Dec 9 2004 8:10:58p ..S.R 223,589 218.35 K
C:\WINNTOLD\SYSTEM32\m0jula~1.dll Fri Dec 17 2004 5:45:14p ..S.R 225,655 220.36 K
C:\WINNTOLD\SYSTEM32\irr8l5~1.dll Wed Dec 15 2004 6:29:18p ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\j4p0le~1.dll Wed Dec 15 2004 7:51:26a ..S.R 223,745 218.50 K
C:\WINNTOLD\SYSTEM32\dn6001~1.dll Mon Dec 20 2004 11:04:44a ..S.R 225,414 220.13 K
C:\WINNTOLD\SYSTEM32\jt6m07~1.dll Sat Dec 18 2004 7:42:42p ..S.R 224,295 219.04 K
C:\WINNTOLD\SYSTEM32\p46s0e~1.dll Tue Dec 28 2004 6:49:04p ..S.R 225,676 220.39 K
C:\WINNTOLD\SYSTEM32\k826li~1.dll Mon Dec 20 2004 12:38:14p ..S.R 223,022 217.79 K
C:\WINNTOLD\SYSTEM32\lvr209~1.dll Mon Dec 20 2004 1:07:14p ..S.R 226,279 220.97 K
C:\WINNTOLD\SYSTEM32\en88l1~1.dll Thu Dec 23 2004 8:47:22a ..S.R 225,980 220.68 K
C:\WINNTOLD\SYSTEM32\f6l02g~1.dll Tue Dec 28 2004 7:03:28p ..S.R 223,226 217.99 K
C:\WINNTOLD\SYSTEM32\l4r0le~1.dll Tue Dec 28 2004 7:36:08p ..S.R 226,006 220.71 K
C:\WINNTOLD\SYSTEM32\s2880c~1.dll Wed Dec 29 2004 3:08:44a ..S.R 222,920 217.70 K
________________________________________________

1,889 items found: 1,889 files (35 H/S), 0 directories.
Total of file sizes: 328,177,531 bytes 312.97 M

Administrator Account = True

--------------------End log---------------------

Log for VX2.BetterInternet File Finder

Files Found---


Guardian Key--- is called:

User Agent String---
{DAA3E4A0-5393-4F08-A055-D63C309DCC7B}

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

Check this new log out, after simply changing msconfig back to selective startup with not so many services and startup items. Even more things appear, and most of the stuff in the HijackThis log you told me to clean isn't even there anymore without a normal boot from msconfig.

Logfile of HijackThis v1.99.0
Scan saved at 4:32:52 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\wuauclt.exe
C:\WINNTOLD\system32\installer.exe
C:\WINNTOLD\system32\viyrrv.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1&look=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-search.cgi?tcode=exesrch1&look=stmpl1&fw=
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O10 - Unknown file in Winsock LSP: c:\winntold\system32\calsp.dll
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

Go to Start, point to Programs, point to Startup, delete kuyttk, if it's there.

Reboot into Safe Mode

Do a search for WToolsA.exe, and delete it, if found
Do a search for SStb.exe, and delete it, if found
Do a search for abu.exe, and delete it, if found
Go to C:\winntold\system32 and delete kalvgva32.exe, if found

When booted into safe mode, the only one of these files I could successfully find was SStb.exe... I did not find any of the other files doing a search or in the winntold\system32 folder.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

Did you fix the things I suggested? You'll have to wait for one of the mods to look at the rest because it appears to be beyond my capability (for now...)

dlh6213
Posting Maven
Team Colleague
3,117 posts since Jul 2004
Reputation Points: 63
Solved Threads: 214
 

Hi. First up we need to get rid of some crap before having a go at VX2.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

Go to c:\winntold\system32 and delete that file manually. What's with the WINNTold?

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.search-exe.com/nph-se...k=sbar1_srchbtn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.search-exe.com/nph-se...look=stmpl1&fw=

O4 - HKLM\..\Run: [Search-Exe] "C:\Program Files\se\v11\se.EXE" /H

Reboot and delete the C:\Program Files\se<----folder. May have to boot into safe mode if it will not go.

Post back another log when done.

Do you have the killbox? If not, download it here=
http://www.downloads.subratam.org/KillBox.exe

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
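As an added example (not part of this thread, nor of HijackThis, LSPfix or any other tool named here), a small Python triage script that reads HijackThis-style log lines and a Windows hosts file and flags the three symptoms that recur in the logs above: O1 Hosts entries that point a name at a non-loopback address, R0/R1 search keys that point off-domain, and O10 unknown LSP files (counted, since HJT lists the same DLL once per protocol chain entry). The sample log and hosts lines are constructed from the format shown in the thread, and the trusted-domain allowlist is an assumption.

```python
"""Added triage helper: parse HijackThis-style log lines and a hosts file and
flag the search-hijack symptoms discussed in this thread."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample lines, modelled on the log format shown in the thread.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://search.search-exe.com/nph-search.cgi?tcode=exebar1
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Page = http://www.msn.com/
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O10 - Unknown file in Winsock LSP: c:\\winntold\\system32\\calsp.dll
O10 - Unknown file in Winsock LSP: c:\\winntold\\system32\\calsp.dll
O10 - Unknown file in Winsock LSP: c:\\winntold\\system32\\aklsp.dll
"""

# Constructed hosts file: the same redirects, one legitimate entry, a comment,
# and a multi-name line (the hosts format allows several names per address).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
69.20.16.183    auto.search.msn.com search.netscape.com
69.20.16.183    ieautosearch   # appended by the hijacker
"""

HOSTS_LINE_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
SEARCH_LINE_RE = re.compile(r"^R[01] - (.+?) = (\S+)")
LSP_LINE_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (\S+)", re.IGNORECASE)

# Assumption: IE's own search/start URLs live under these domains; any other
# host in an R0/R1 search key is reported as a hijack candidate.
TRUSTED_SEARCH_DOMAINS = ("microsoft.com", "msn.com")


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 or ::1; any other address in a hosts entry redirects traffic."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def domain_is_trusted(host: str) -> bool:
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in TRUSTED_SEARCH_DOMAINS)


def parse_hosts_file(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from a hosts file, expanding multi-name lines
    and dropping comments, so each pair can be checked like an O1 entry."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        pairs.extend((fields[0], name) for name in fields[1:])
    return pairs


def hosts_redirects(pairs: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Entries that send a name somewhere other than the local machine."""
    return [(ip, name) for ip, name in pairs if not is_loopback(ip)]


def triage_hjt_log(log: str) -> Dict[str, object]:
    """Group suspicious HJT lines by symptom. LSP entries are counted because
    HJT lists the same DLL once per Winsock protocol chain it is hooked into."""
    findings = {"hosts_redirects": [], "search_hijacks": [], "lsp_unknown": Counter()}
    for line in log.splitlines():
        if m := HOSTS_LINE_RE.match(line):
            if not is_loopback(m.group(1)):
                findings["hosts_redirects"].append((m.group(1), m.group(2)))
        elif m := SEARCH_LINE_RE.match(line):
            host = urlparse(m.group(2)).hostname or ""
            if not domain_is_trusted(host):
                findings["search_hijacks"].append((m.group(1), host))
        elif m := LSP_LINE_RE.match(line):
            findings["lsp_unknown"][m.group(1).lower()] += 1
    return findings


if __name__ == "__main__":
    for kind, items in triage_hjt_log(SAMPLE_LOG).items():
        print(kind, dict(items) if isinstance(items, Counter) else items)
    print("hosts file redirects:", hosts_redirects(parse_hosts_file(SAMPLE_HOSTS)))
```

Feeding a real hosts file or a saved HJT log through these functions gives the same grouped view a helper scans for by eye; a non-loopback hosts entry for a search domain or an LSP DLL that is not accounted for by installed software is the thing to investigate, not fix blindly.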
 

Hi. First up we need to get rid of some crap before having a go at VX2.

Download LSPfix from here
On the opening screen, click the "I know what I'm doing" checkbox. Check all instances of "calsp.dll" (and nothing else), and move them to the "Remove" pane. Then click Finish.

I have already fixed those files with LSPfix numerous times and they keep coming back.

I have checked and removed these same things over and over and over, along with the se.exe, as well as removing it in safe mode, and it keeps coming back as well...

Post back another log when done.

Do you have the killbox? If not, download it here=
http://www.downloads.subratam.org/KillBox.exe

Yes, I recently downloaded killbox, but I am having trouble trying to find the files that need to be killed, because everything seems to disappear and reappear when it wants.


PS... This is getting frustrating... trust me, I have been on here all day reading through all the posts in this forum trying to find something, but nothing is working.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

Info about winntold:
WinNTNew (Windows NT 4.0 or higher), WinNTOld (Windows NT 3.51) found here:
http://www.bris.ac.uk/is/services/computers/operatingsystems/winnt/deploy/abcpydoc.ini.txt

dlh6213
Posting Maven
Team Colleague
3,117 posts since Jul 2004
Reputation Points: 63
Solved Threads: 214
 

Here's a new log... But at this point it means the same exact thing to me, because as soon as I run SB S&D or Adaware everything will be back, and when I run HijackThis it will have tons of things in there again.


Logfile of HijackThis v1.99.0
Scan saved at 5:25:32 AM, on 12/29/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNTOLD\System32\smss.exe
C:\WINNTOLD\system32\winlogon.exe
C:\WINNTOLD\system32\services.exe
C:\WINNTOLD\system32\lsass.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\spoolsv.exe
C:\WINNTOLD\System32\svchost.exe
C:\WINNTOLD\system32\regsvc.exe
C:\WINNTOLD\system32\MSTask.exe
C:\WINNTOLD\System32\WBEM\WinMgmt.exe
C:\WINNTOLD\system32\svchost.exe
C:\WINNTOLD\system32\rundll32.exe
C:\WINNTOLD\Explorer.EXE
C:\WINNTOLD\system32\viyrrv.exe
C:\WINNTOLD\system32\wuauclt.exe
C:\Documents and Settings\Thom\Desktop\Hijack backup\HijackThis.exe

O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINNTOLD\msconfig.exe /auto
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: NICSer_WPC11 - Unknown - C:\Program Files\Linksys\Wireless-B Notebook Adapter\NICServ.exe


Viyrrv.exe worries me, and I tried to kill it with killbox.exe in safe boot and it was not able to remove it. I know that even though this log seems pretty clean, I still keep getting the same pop-ups over and over, as well as the same 3 icons on my desktop every time the computer is rebooted. Also I notice that I keep deleting that SE folder along with a few others from my Program Files folder, but it keeps reappearing.

Thanks for the help so far guys, you are great... I just need some powerful suggestions now.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 

It is important that you only follow the instructions given. If not, all the infected files will morph and we will be back at the start point again.

Apart from that one file, the log looks ok. Now, please post a log from VX2Finder, dllcompare and Find_it. Do not reboot!

Go here and download FindIt.zip to your Desktop, unzip it and open the FindIt folder and doubleclick on find.bat. Let it run (please be patient, it will take a few minutes) and when it has finished gathering info, it will generate a file called Output.txt. Please copy it and paste it back in this thread.

crunchie
Most Valuable Poster
Moderator
20,095 posts since Feb 2004
Reputation Points: 1,142
Solved Threads: 985
 




Working on it now, sorry for the delay; I had to get some sleep, I was up for 24 hours straight.

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 


When I am running find.bat it never seems to generate a log file...

jdbaker82
Junior Poster in Training
70 posts since Nov 2004
Reputation Points: 10
Solved Threads: 0
 
