Hi, there are still a few infections. Please run HJT again and select the following entries.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;

O4 - HKLM\..\Run: [w11699f5.dll] RUNDLL32.EXE w11699f5.dll,I2 00098cde011699f5

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe

O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm

O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/229?135359440f944edb4aeaa8ad6553af a

O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-gb\msntabres.dll/230?135359440f944edb4aeaa8ad6553af a

O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yaho...1/yregucfg.cab

O20 - Winlogon Notify: Applets - C:\WINDOWS\system32\ir26l5fs1.dll



Click Fix Checked

-------------------------------------------------------------------

Please download Look2Me-Destroyer.exe to your desktop.
--Close all windows before continuing.
--Double-click Look2Me-Destroyer.exe to run it.
--Put a check next to Run this program as a task.
--You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
--When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
--Once it's done scanning, click the Remove L2M button.
--You will receive a Done Scanning message, click OK.
--When completed, you will receive this message: Done removing infected files! --Look2Me-Destroyer will now shutdown your computer, click OK.
--Your computer will then shutdown.
--Turn your computer back on.


If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/ne...ib/MSWINSCK.OCX

-----------------------------------------------------------------------

Then please download ewido - www.ewido.net - Install. Update. Scan. Remove anything it finds (Save log)


Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log, and the ewido log

Thanks so much for your quick repsonse.

All done. Here you go...


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 28/04/2006 15:22:10

Infected! C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484744.dll

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484744.dll
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484744.dll Deleted successfully!

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D32C7C86-95AB-4945-AAD2-326F8574A27F}"
HKCR\Clsid\{D32C7C86-95AB-4945-AAD2-326F8574A27F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3E631C91-DBF5-47A8-B2A4-5BA988CC53B2}"
HKCR\Clsid\{3E631C91-DBF5-47A8-B2A4-5BA988CC53B2}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Logfile of HijackThis v1.99.1
Scan saved at 20:55:14, on 28/04/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Apps\ActivBoard\MMKeybd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Apps\ActivBoard\TrayMon.exe
C:\Apps\ActivBoard\OSD.exe
C:\Apps\ActivBoard\nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\spss_lmd.exe
C:\WINDOWS\System32\svchost.exe
C:\ewido anti-malware\ewidoguard.exe
C:\ewido anti-malware\ewidoctrl.exe
C:\Documents and Settings\Oliver\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/intl/en/options/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer brought to you by Planetis
F1 - win.ini: run= C:\GAMES\RA\INSTICON.EXE
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: MSN Search Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [ACTIVBOARD] C:\Apps\ActivBoard\MMKeybd.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [Update Service] C:\PROGRA~1\COMMON~1\TEKNUM~1\update.exe /startup
O4 - HKCU\..\Run: [ares] "C:\Ares\Ares.exe" -h
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &MSN Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-gb\msntb.dll/search.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097490625655
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Unknown owner - C:\iPod\bin\iPodService.exe (file missing)
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Apps\ActivBoard\nhksrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Spss License Manager (SpssLM) - Unknown owner - C:\WINDOWS\System32\spss_lmd.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 20:54:25, 28/04/2006
+ Report-Checksum: 52EF649E

+ Scan result:

HKLM\SOFTWARE\Classes\Interface\{06CA2DA3-3A44-4FC7-8FD9-246C0F53407C} -> Adware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@banner.paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@h.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@hotlog[1].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@project2.realtracker[1].txt -> TrackingCookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@reduxads.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@trafic[1].txt -> TrackingCookie.Trafic : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Oliver\Cookies\oliver@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Oliver\Local Settings\Temporary Internet Files\Content.IE5\3YMX7GRH\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\Oliver\Local Settings\Temporary Internet Files\Content.IE5\4XER0PEV\loader[1].cab/loader.exe -> Downloader.Small.on : Cleaned with backup
C:\Documents and Settings\Oliver\Local Settings\Temporary Internet Files\Content.IE5\8TCZOJ4J\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\Documents and Settings\Oliver\Local Settings\Temporary Internet Files\Content.IE5\8TCZOJ4J\AppWrap[2].exe -> Adware.AdURL : Cleaned with backup
C:\Documents and Settings\Oliver\Local Settings\Temporary Internet Files\Content.IE5\8TCZOJ4J\AppWrap[3].exe -> Adware.Zestyfind : Cleaned with backup
C:\Program Files\BTopenworld\btwebcontrol.dll -> Dialer.BT.b : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484713.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484714.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484715.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484718.dll -> Adware.Softomate : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484721.exe -> Dropper.Agent.aac : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484723.exe -> Dropper.Agent.aac : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484724.dll -> Adware.TargetServer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484727.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484730.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484732.exe -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484745.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484746.dll -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484747.exe -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{93F1A46B-AE17-413D-AB01-FAE51B19FAD7}\RP684\A0484748.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\WINDOWS\icont.exe -> Adware.AdURL : Cleaned with backup
C:\WINDOWS\system32\aqnkw.dll -> Adware.WurldMedia : Cleaned with backup
C:\WINDOWS\system32\mocupd.exe -> Adware.WurldMedia : Cleaned with backup
C:\WINDOWS\Temp\bw2.com -> Adware.Zestyfind : Cleaned with backup


::Report End


so how did I do? Problem solved?

Ja, log's clean

Let's finish up by flushing out your System Restore points, as they seem pretty infected:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to do clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE,NOT on a regular basis

Lastly, are ya having any more problems? If so, post back here.

If not, mark this thread as solved, and we wish ya luck keeping clean.

Thanks again

hey that's all cool. To be honest, ever since I ran Look2Me destroyer, there has been nothing noticeable.

Just one last question... in terms of keeping my computer protected in future, which program should I be using? AVG or Evidos, or neither, or both? I was using Norton before, but it expired and it never seemed to do much...

thanks for all your help! Love live Daniweb.

Haha awsome.

Ok, for protection, I would recommend:

1) Antivirus - AVG (free)
2) AntiSpyware 1 - Ewido (free)
3) AntiSpyware 2 - Microsoft Defender (free)
4) Software Firewall - Zone Alarm (free)

I would download and keep running all of these.

AVG
Microsoft Defender
Zone Alarm

If ya could mark this thread as solved, it'd be great.

Thanks.