lets start with this .
Download then unzip and run CWShredder to clean up clicking "FIX" to have it remove all it finds.

CWShredder available from these places :-


http://www.aluriasoftware.com/tools/cwshredder.zip
Or this as a full download without any unzipping required
http://www.downloads.subratam.org/CWShredder.exe
http://www.spywareinfo.com/downloads...CWShredder.exe

We have found that some of the CWS infections can be removed better from safe mode, rather than normal mode.
To get to safe mode use the F8 key while booting the machine. Detailed instructions from HERE

Then it’s time for Ad-Aware
Ad-Aware
Install and update by using the globe icon. Restart your computer and run Ad-Aware.
Press scan now and select drives and/or partitions to be scanned. When done select all and click next. Remove all checked items and then reboot your computer.

Please go to this page and read the instructions for how to configure Spybot S&D & Ad-Aware
How To Setup Spybot SD and Ad-Aware

caperjack, thank you for your response to my problem. I did as you said ..ran ad-aware and cws shedder in safe mode (in addition I ran spybot)..CWS shredder found no instances of CWS.Ad-aware did and removed them but they were back once I rebooted. Please help..thank you again..


Bruce

can you please post a new hijackthis log .

caperjack..here is my new log..thank you again..Bruce

http://www.intermute.com/spysubtract..._download.html
Logfile of HijackThis v1.99.1
Scan saved at 10:39:01 AM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\bruce\Start Menu\Programs\Startup\winupdate18321236[1].exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\bruce\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)
O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?link...38&clcid=0x409
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/sh...3/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f58...p/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109286076031
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/sh...20/mcgdmgr.cab
O21 - SSODL: IntegrityChecker - {C58EAF23-6553-4D99-8D67-E3F0BA9C3EFA} - C:\WINDOWS\System32\udhi_500.ax
O21 - SSODL: IntegrityMonitor - {9B0291C7-3ED9-4E31-A8DF-ACBE9E3CA157} - C:\WINDOWS\System32\statbdsw.dll
O21 - SSODL: MSSQLMonitor - {2A6EFD49-5AB4-4700-BBD0-27336A08544F} - C:\WINDOWS\System32\kbdkmain.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

I have to go to work for a bit but will check back later and do some looking

Your copy of HijackThis needs to be in a folder of it's own. When HJT fixes anything, it makes backups of the original files in the folder it is in. Since Temporary folders are emptied now and then (the files are DELETED), it would not be a good idea to have your backups there. Those backups would be VITAL to restoring your system if something went wrong in the FIX process!


1. Please go to you're 'My Documents' folder, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Copy and paste HijackThis.exe to the new folder.



,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,
Have Hijack This fix the following by placing a check in the appropriate boxes and selecting fix checked. Make sure all browser and all Windows Explorer windows are closed before fixing.
You might want to print out or copy & paste to notePad , these instructions as you will need to close this browser window to fix with hijackthis !

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com
O1 - Hosts: 69.50.173.3 lycos.com www.lycos.com

O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)

O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing)

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {6223D5F5-FDA9-407B-A68B-5DC8FAE03341} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {702BF161-6050-417E-BBB0-3632346C81E4} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {9B3A72D3-6568-45C1-A215-88DE6B24891B} - (no file) (HKCU)

O9 - Extra button: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B9CB63B2-6F71-4F9C-A4A2-4A321BDEE54C} - C:\WINDOWS\System32\wldr.dll (file missing) (HKCU)

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f5...ip/RdxIE601.cab
-Netster


O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?lin...738&clcid=0x409

O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab

O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aol.com/molbin/s...83/mcinsctl.cab

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/07ca3f5...ip/RdxIE601.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...b?1109286076031

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aol.com/molbin/s...,20/mcgdmgr.cab

O21 - SSODL: IntegrityChecker - {C58EAF23-6553-4D99-8D67-E3F0BA9C3EFA} - C:\WINDOWS\System32\udhi_500.ax

O21 - SSODL: IntegrityMonitor - {9B0291C7-3ED9-4E31-A8DF-ACBE9E3CA157} - C:\WINDOWS\System32\statbdsw.dll

O21 - SSODL: MSSQLMonitor - {2A6EFD49-5AB4-4700-BBD0-27336A08544F} - C:\WINDOWS\System32\kbdkmain.dll




Now reboot into safe mode and delete the following files and folders if found .

C:\WINDOWS\System32\udhi_500.ax,,,,,,,,delete file

C:\WINDOWS\System32\statbdsw.dll,,,,,,delete file
C:\WINDOWS\System32\kbdkmain.dll,,,,,,,,,delete file

to delete the above files and folder you will need to do the following
go to
Show hidden files & folders

"Fix Checked"...Reboot to SAFE mode to delete files
How to start computer in safe mode

reboot computer and post a new log

Caperjack..(this post may be a dupe,last post might not have worked)..I did as you instructed..i checked and fixed the lines and then deleted the 3 files in safe mode..i rebooted and ran hijack this..I still have hotoffers..I saw the some of the fixed lines were gone but others remained..hope I did it right..here's the new log..thanks again for your help and for this site..Bruce

Logfile of HijackThis v1.99.1
Scan saved at 10:50:14 PM, on 3/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Nhksrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
C:\Program Files\WinAntiVirus 2004\AVSvc.exe
C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
C:\WINDOWS\DELLMMKB.EXE
C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\WinAntiVirus 2004\AVTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\WinAntiVirus 2004\Quar.exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLHOS~1.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\WinAntiVirus 2004\VAPFM.exe
C:\Documents and Settings\bruce\Start Menu\Programs\Startup\winupdate18321236[1].exe
C:\PROGRA~1\COMMON~1\AOL\110203~1\EE\AOLServiceHost.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\bruce\Desktop\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\Wkfud.exe
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Picture Easy Download] C:\Program Files\Kodak Digital Science\Picture Easy Software\Program\PezDownload.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [AVTray] C:\Program Files\WinAntiVirus 2004\AVTray.exe
O4 - HKLM\..\Run: [PCDRealtime] C:\WINDOWS\realtime.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1102038803\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [Pure Networks Port Magic] "C:\PROGRA~1\PURENE~1\PORTMA~1\PortAOL.exe" -Run
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\CarlinGroupVPN\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partypoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2004\mailscan.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSchSvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\CarlinGroupVPN\VPN Client\cvpnd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2004\AVSvc.exe

Ok lets follow the direction in this thread seems to be working .
Unistall hotoffers

Scuse me Caperjack. galtg has the horse server infection.
Can you do the following please.

First, download HSFix from here.

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into safe mode following the instructions here

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Then run HijackThis again, close any open windows and browsers and fix these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/

F2 - REG:system.ini: Shell=explorer.exe C:\WINDOWS\System32\netdc.exe

O4 - Startup: winupdate18321236[1].exe
O4 - Startup: winupdate32876478[1].exe
O4 - Startup: winupdate61212303[1].exe
O4 - Startup: winupdate66832721[1].exe
O4 - Startup: winupdate74039026[1].exe
O4 - Startup: winupdate75170288[1].exe
O4 - Startup: winupdate75766931[1].exe
O4 - Startup: winupdate81230581[1].exe
O4 - Startup: winupdate85093701[1].exe
O4 - Startup: winupdate96862678[1].exe

Restart your computer into normal mode and run at least one of the following free, online virus scans:

http://housecall.trendmicro.com/hou.../start_corp.asp
http://www.pandasoftware.com/activescan...ncipal.htm
http://www3.ca.com/threatinfo/virusinfo/scan.aspx

Restart your computer one last time and post a new HijackThis log, as well as the HSFix log which is located at C:/hslog.txt