Jul 1st, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

* Download the Killbox utility and save it to any convenient location/folder.

* Reboot the computer into Safe Mode again; you get to the safe mode boot option by hitting the F8 key as your computer is starting up. Once in Safe Mode:

* Run the Killbox utility.

- In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\SYSTEM32\avload32.dll

- Select the "Replace on reboot", "Use Dummy", and "Unregister dll before deleting" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt. Click No when prompted to reboot now.

- In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\wnlogow.sys

- Select the "Replace on reboot" and "Use Dummy" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
This time, click Yes when prompted to reboot now.


* Let the computer reboot normally. Once it has rebooted, run another HijackThis scan and post the new log.
DMR

Jul 2nd, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

HJT log after running Killbox:

Logfile of HijackThis v1.99.1
Scan saved at 10:37:02 PM, on 7/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\LiveUpdate\LiveUpdate.exe
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [BTCLiveUpdate] "C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/d.../dinerdash.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/T...llNetscape.exe
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
avelarde

Jul 2nd, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

OK- the infection is being extremely stubborn...

You will need to close/quit all web browser programs and disconnect from the Internet for much of the following, so you should print out these instructions or save them into a text file with Notepad.

Please download the following two rootkit detection tools and save them to new folders of their own:

RootKitRevealer
BlackLight

* Close all open/running programs now.

* Unzip the contents of the downloaded RootKitRevealer.zip file and:
- Click on the rootkitrevealer.exe file.
- Click on the Scan button and let the scan complete.
- When the scan is finished, click on the "Save..." option under the "File" menu; save the report file in the RootKit Revealer folder.
- Close the program.

* In the BlackLight folder:
- Double-click on the blbeta.exe file to start the program.
- Click "I accept the agreement", "next", "Scan"
- After the scan is finished, choose "Close"
- The scan will have created a report log named "fsbl-xxxxxxxx.log", where the "x"s are a string of numbers (a time and date stamp, specifically).

* Post the contents of the log files that the two programs generated.




=========================================
DMR's Note to Self:
C:\WINDOWS\system32\avload32.dll 12.31 KB
C:\WINDOWS\system32\wnlogow.sys 5.36 KB

=========================================
DMR

Jul 2nd, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

Blacklight did not find anything.
I downloaded AVG anti-virus and it did find something else.
Here's the Root Kit Revealer report file:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/2/2006 12:11 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 7/2/2006 12:07 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C78D6251559ABAF4FB8196B74A753E25\Usage\ccWebWindow 7/2/2006 12:11 PM 4 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume

Here's the AVG Anti-virus report file:

Partition table (MBR) | ok | Quick checked
Boot sector of disk C: | ok | Quick checked
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load | Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit | Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Scanned
System registry exefile\shell\open\command | Scanned
System registry scrfile\shell\open\command | Scanned
System registry scrfile\shell\config\command | Scanned
System registry batfile\shell\open\command | Scanned
System registry cmdfile\shell\open\command | Scanned
System registry comfile\shell\open\command | Scanned
System registry piffile\shell\open\command | Scanned
System registry giffile\shell\open\command | Scanned
System registry htmlfile\shell\open\command | Scanned
System registry htafile\shell\open\command | Scanned
System registry jpegfile\shell\open\command | Scanned
System registry txtfile\shell\open\command | Scanned
System registry regfile\shell\open\command | Scanned
System registry cplfile\shell\cplopen\command | Scanned
System registry Word.Document.8\shell\open\command | Scanned
System registry WordPad.Document.1\shell\open\command | Scanned
System registry inffile\shell\open\command | Scanned
System registry vbsfile\shell\open\command | Scanned
System registry vbefile\shell\open\command | Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe | ok | Quick checked
C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE | ok | Quick checked
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe | ok | Quick checked
C:\Program Files\Internet Explorer\iexplore.exe | ok | Quick checked
C:\Program Files\LiveUpdate\LiveUpdate.exe | ok | Quick checked
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe | ok | Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE | ok | Quick checked
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe | ok | Quick checked
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe | ok | Quick checked
C:\Program Files\Windows Defender\MSASCui.exe | ok | Quick checked
C:\Program Files\ewido anti-spyware 4.0\ewido.exe | ok | Quick checked
C:\WINDOWS\System32\mshta.exe | ok | Quick checked
C:\WINDOWS\System32\shimgvw.dll | ok | Quick checked
C:\WINDOWS\regedit.exe | ok | Quick checked
C:\WINDOWS\system32\rundll32.exe | ok | Quick checked
C:\WINDOWS\system32\shell32.dll | ok | Quick checked
C:\WINDOWS\system32\kernel32.dll | ok | Quick checked
C:\WINDOWS\system32\wsock32.dll | ok | Quick checked
C:\WINDOWS\system32\user32.dll | ok | Quick checked
C:\WINDOWS\system32\shell32.dll | ok | Quick checked
C:\WINDOWS\system32\ntoskrnl.exe | ok | Quick checked
C:\WINDOWS\system32\drivers\etc\hosts | ok | Quick checked
C:\WINDOWS\system32\biU.exe:\bi.dll | Trojan horse PSW.Bispy.A | Infected, Embedded object
C:\WINDOWS\system32\biU.exe:\preInsBI.exe | Trojan horse PSW.Bispy.C | Infected, Embedded object
C:\WINDOWS\system32\biU.exe | Trojan horse PSW.Bispy.A | Infected, Archive
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Load | Scanned
System registry Software\Microsoft\Windows NT\CurrentVersion\Windows\Run | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Run | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunOnceEx | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServices | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\RunServicesOnce | Scanned
System registry Software\Microsoft\Windows\CurrentVersion\Winlogon\Userinit | Scanned
System registry SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell | Scanned
System registry exefile\shell\open\command | Scanned
System registry scrfile\shell\open\command | Scanned
System registry scrfile\shell\config\command | Scanned
System registry batfile\shell\open\command | Scanned
System registry cmdfile\shell\open\command | Scanned
System registry comfile\shell\open\command | Scanned
System registry piffile\shell\open\command | Scanned
System registry giffile\shell\open\command | Scanned
System registry htmlfile\shell\open\command | Scanned
System registry htafile\shell\open\command | Scanned
System registry jpegfile\shell\open\command | Scanned
System registry txtfile\shell\open\command | Scanned
System registry regfile\shell\open\command | Scanned
System registry cplfile\shell\cplopen\command | Scanned
System registry Word.Document.8\shell\open\command | Scanned
System registry WordPad.Document.1\shell\open\command | Scanned
System registry inffile\shell\open\command | Scanned
System registry vbsfile\shell\open\command | Scanned
System registry vbefile\shell\open\command | Scanned
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe | ok | Quick checked
C:\PROGRA~1\NORTON~1\NORTON~1\NAVAPW32.EXE | ok | Quick checked
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe | ok | Quick checked
C:\Program Files\Internet Explorer\iexplore.exe | ok | Quick checked
C:\Program Files\LiveUpdate\LiveUpdate.exe | ok | Quick checked
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe | ok | Quick checked
C:\Program Files\Microsoft Office\Office\WINWORD.EXE | ok | Quick checked
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe | ok | Quick checked
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe | ok | Quick checked
C:\Program Files\Windows Defender\MSASCui.exe | ok | Quick checked
C:\Program Files\ewido anti-spyware 4.0\ewido.exe | ok | Quick checked
C:\WINDOWS\System32\mshta.exe | ok | Quick checked
C:\WINDOWS\System32\shimgvw.dll | ok | Quick checked
C:\WINDOWS\regedit.exe | ok | Quick checked
C:\WINDOWS\system32\rundll32.exe | ok | Quick checked
C:\WINDOWS\system32\shell32.dll | ok | Quick checked
avelarde
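
The RootKitRevealer report in the post above is the kind of output that needs triage rather than a reflex: a "Data mismatch between Windows API and raw hive data" on a value that Windows rewrites constantly (the RNG seed, the Task Scheduler's last-run stamp, Installer usage counters) is expected noise, whereas a "Hidden from Windows API" entry or a mismatch on an unexplained key is what would actually point at a rootkit. The following is an added example, not code from the thread or from RootKitRevealer; the report is the one posted above, re-entered as a constructed string, and the list of volatile keys and the verdict wording are this example's own heuristic.

```python
"""Triage a RootkitRevealer report: parse each line and give it a verdict.

Added example for this thread; it is not RootkitRevealer code and was not
posted by either participant. REPORT is a constructed copy of the report
posted above; VOLATILE and the verdict strings are this example's own.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed copy of the report posted in the thread.
REPORT = r"""HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/2/2006 12:11 PM 80 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\SchedulingAgent\LastTaskRun 7/2/2006 12:07 PM 16 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\C78D6251559ABAF4FB8196B74A753E25\Usage\ccWebWindow 7/2/2006 12:11 PM 4 bytes Data mismatch between Windows API and raw hive data.
D: 0 bytes Error mounting volume
"""

# "<path> [<m/d/yyyy h:mm AM|PM>] <n bytes> <description>". The timestamp is
# absent on volume-level lines such as "D: 0 bytes Error mounting volume".
# The path is matched lazily so file paths containing spaces still parse.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2} [AP]M)\s+)?"
    r"(?P<size>\d+ bytes)\s+(?P<desc>.+)$"
)

# Values rewritten so often that the API view and a raw hive read routinely
# disagree; a mismatch here, on its own, is not evidence of hiding (heuristic).
VOLATILE = [
    re.compile(r"\\Cryptography\\RNG\\Seed$", re.I),
    re.compile(r"\\SchedulingAgent\\LastTaskRun$", re.I),
    re.compile(r"\\Installer\\UserData\\[^\\]+\\Products\\[^\\]+\\Usage\\", re.I),
]


class Finding(NamedTuple):
    path: str
    timestamp: Optional[str]
    size: str
    description: str
    verdict: str


def classify(path: str, desc: str) -> str:
    """Verdict for one discrepancy; anything not explained is sent to review."""
    if desc.startswith("Error mounting volume"):
        return "benign: volume could not be mounted (typically an empty removable drive)"
    if desc.startswith("Data mismatch") and any(p.search(path) for p in VOLATILE):
        return "likely benign: frequently rewritten value"
    if "Hidden from Windows API" in desc:
        return "review: object is hidden from the API view"
    return "review: unexplained discrepancy"


def parse_report(text: str) -> List[Finding]:
    """Parse every non-empty line; an unrecognised line is an error, not silently dropped."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised RootkitRevealer line: {line!r}")
        findings.append(Finding(m["path"], m["ts"], m["size"], m["desc"],
                                classify(m["path"], m["desc"])))
    return findings


def needs_review(findings: List[Finding]) -> List[Finding]:
    """The subset a human should look at."""
    return [f for f in findings if f.verdict.startswith("review")]


if __name__ == "__main__":
    for f in parse_report(REPORT):
        print(f"{f.verdict:<75} {f.path}")
    print("to review:", len(needs_review(parse_report(REPORT))))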
Jul 6th, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

* Did Killbox give you any errors for either file when you ran it, or did it seem to do what it should (for both files)?

* Did you have AVG fix the BiSpy-infected file (C:\WINDOWS\system32\biU.exe)?

- Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for the infected C:\WINDOWS\system32\biU.exe file and delete it if it still exists.


* Run HijackThis again and have it fix this entry again:
O20 - Winlogon Notify: avload32 - C:\WINDOWS\SYSTEM32\avload32.dll

* Empty your Recycle Bin, reboot normally, run HijackThis again, and post the new log.
DMR

Jul 7th, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

No errors by Killbox. It just ran as normal.
AVG says it could not fix the problem.

Here's the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:54:53 PM, on 7/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\LiveUpdate\LiveUpdate.exe
C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Webshots\WebshotsTray.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\svchost.exe
C:\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BTCLiveUpdate] "C:\Program Files\LiveUpdate\LiveUpdate.exe" /autostart
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\2.5.10.17\PlaxoHelper.exe -a
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /Minimized
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Display All Images with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/228
O8 - Extra context menu item: Display Image with Full Quality - res://C:\Program Files\NetZero\qsacc\appres.dll/227
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcophotocenter.com/CostcoUpload.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.20.19/ttinst.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../installer.exe
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game...nematycoon.cab
O16 - DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} (CPlayFirstDinerDashControl Object) - http://www.playfirst.com/play/game/d.../dinerdash.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/T...llNetscape.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Netscape Update Service (NCUpdateSvc) - Netscape Communications Corporation - C:\Program Files\Netscape Internet Service\ncupdatesvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
avelarde
14 posts
since Jun 2006
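A way to read a log like the one posted above with a script rather than by eye. This is an added example, not part of any post in this thread and not HijackThis code: it parses the O16 (ActiveX downloads), O20 (Winlogon Notify DLLs) and O23 (services) lines into records and applies three analyst heuristics. The Winlogon Notify allowlist and the heuristics themselves are this example's assumptions; the sample input copies a few lines from the posted log (URLs truncated as posted) plus two constructed lines (`xyzdll`, `smplhlp`) that exist only to show the checks firing.

```python
"""Added example (not from the thread): parse HijackThis O16/O20/O23 lines
and flag the entries an analyst would read first. The Winlogon Notify
allowlist and the heuristics are this example's assumptions, not
HijackThis behaviour."""
import re
from dataclasses import dataclass

# Constructed sample: the Flash, trueswitch, igfxcui, WgaLogon, NVIDIA and
# Creative lines are copied from the log posted above (URLs truncated as
# posted); the 'xyzdll' and 'smplhlp' lines are made up to exercise the checks.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pu...sh/swflash.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/T...llNetscape.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: xyzdll - C:\WINDOWS\system32\xyzdll.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Sample Helper (smplhlp) - Unknown owner - C:\WINDOWS\system32\smplhlp.exe
"""


@dataclass
class Entry:
    section: str   # "O16", "O20" or "O23"
    name: str      # CLSID, Notify package name, or service display name
    detail: str    # DPF object name, "" for O20, vendor string for O23
    target: str    # download URL (O16) or image path (O20/O23)


O16_RE = re.compile(r"^O16 - DPF: \{([0-9A-Fa-f-]+)\}(?: \((.*?)\))? - (\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
O23_PREFIX = "O23 - Service: "


def parse_line(line):
    """Return an Entry for a recognised O16/O20/O23 line, else None."""
    line = line.rstrip()
    m = O16_RE.match(line)
    if m:
        return Entry("O16", m.group(1).upper(), m.group(2) or "", m.group(3))
    m = O20_RE.match(line)
    if m:
        return Entry("O20", m.group(1), "", m.group(2))
    if line.startswith(O23_PREFIX):
        # Display name may itself contain " - ", so split from the right:
        # the last field is the image path, the one before it the vendor.
        parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
        if len(parts) == 3:
            return Entry("O23", parts[0], parts[1], parts[2])
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


# Assumed allowlist of Winlogon Notify packages the analyst treats as expected
# on this box (Intel graphics, WGA and the stock Windows XP packages).
KNOWN_NOTIFY = {"igfxcui", "wgalogon", "crypt32chain", "cryptnet", "cscdll",
                "sccertprop", "schedule", "sclgntfy", "senslogn", "termsrv",
                "wlballoon"}


def flag(entries, known_notify=KNOWN_NOTIFY):
    """Return (entry, reason) pairs for entries worth a closer look."""
    findings = []
    for e in entries:
        if e.section == "O16" and e.target.lower().endswith(".exe"):
            findings.append((e, "ActiveX DPF fetches a raw executable rather than a .cab package"))
        elif e.section == "O20" and e.name.lower() not in known_notify:
            findings.append((e, "Winlogon Notify DLL not on the allowlist; it is loaded into winlogon.exe at boot"))
        elif e.section == "O23" and e.detail.strip().lower() in ("", "unknown owner"):
            findings.append((e, "service with no identifiable vendor"))
    return findings


if __name__ == "__main__":
    for entry, reason in flag(parse_log(SAMPLE_LOG)):
        print(f"{entry.section} {entry.name}: {reason}\n    {entry.target}")
```

Run as-is it reports the trueswitch O16 entry (an ActiveX install pointing at an `.exe`) plus the two constructed lines; the genuine Flash, Intel, WGA, NVIDIA and Creative entries pass. Feed it a full log by replacing `SAMPLE_LOG` with the file contents.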
Jul 7th, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

Finally, the avload32.dll file is gone.

Were you able to find the C:\WINDOWS\system32\biU.exe and delete it manually? If you found it but were unable to delete it, use the Killbox again as follows:

- In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\biU.exe

- Select the "Replace on reboot" and "Use Dummy" options.

- Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
This time, click Yes when prompted to reboot now.



DMR
6,439 posts
since Dec 2003
Jul 8th, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

Used Killbox as instructed. I received this message: PendingFileOperations Registry Data has been Removed by External Process!
I guess our PC is rid of all viruses, thanks to you.
We still cannot get access to emails and other secure sites. We also get this annoying "Symantec Security Alert: Firewall Protection is turned off" message that does not go away.
avelarde
14 posts
since Jun 2006
Jul 8th, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

Quote originally posted by avelarde ...
Used Killbox as instructed. I received this message: PendingFileOperations Registry Data has been Removed by External Process!
Unfortunately, that message means that something (probably the infection) prevented Killbox from doing its job. Try the Killbox deletion while booted into Safe Mode:

* Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up).
* In the "Full Path of File to Delete" box, copy and paste the following:
C:\WINDOWS\system32\biU.exe
* Select the "Replace on reboot" and "Use Dummy" options.
* Click on the button with the red circle with the X in the middle and then click Yes at the "Replace on Reboot" confirmation prompt.
This time, click Yes when prompted to reboot now.


Quote originally posted by avelarde ...
I guess our PC is rid of all viruses
I'm not at all convinced of that yet.


Quote originally posted by avelarde ...
We still cannot get access to emails and other secure sites.
This could be related to the problem with Norton's firewall, but if not, there are a few possible fixes. The first fix to try is the free IEFix utility. Download and run the utility, and let us know the results.


Quote originally posted by avelarde ...
We also get this annoying "Symantec Security Alert: Firewall Protection is turned off" message that does not go away.
Infections often disable and/or damage firewall and antivirus programs.
* If you open the Norton Internet Security program and attempt to turn the Firewall component back on, what happens?
* If it does turn on, make sure that the option to start the firewall automatically when Windows starts is selected, reboot, and make sure the firewall actually does start automatically.
DMR
6,439 posts
since Dec 2003
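What "Replace on reboot" actually does, and how to check it before rebooting. This is an added example, not from the thread and not Killbox's own code: it queues a delete-on-reboot through MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which writes a (source, empty destination) pair into the PendingFileRenameOperations value under the Session Manager key that smss.exe processes at boot, and then re-reads that value for half a minute to see whether something on the box clears it again (the "Removed by External Process" situation reported above). It assumes an elevated prompt; $Target defaults to the path from the posts purely as a placeholder, and the 30-second watch window is an arbitrary choice.

```powershell
# Added example (not from the thread, not Killbox code): queue a file for
# deletion at next boot the way "Replace on reboot" relies on, then confirm
# the request is still queued. Run from an elevated PowerShell prompt.
param([string]$Target = 'C:\WINDOWS\system32\biU.exe')  # placeholder path

$signature = @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, uint dwFlags);
'@
Add-Type -MemberDefinition $signature -Name Native -Namespace Win32

$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-PendingOps {
    # REG_MULTI_SZ of (source, destination) pairs; an empty destination means delete.
    $v = (Get-ItemProperty -Path $sessionManager -Name PendingFileRenameOperations `
            -ErrorAction SilentlyContinue).PendingFileRenameOperations
    if ($null -eq $v) { return @() }
    return @($v)
}

function Test-DeleteQueued([string]$Path) {
    # The kernel stores the source in NT form, e.g. \??\C:\WINDOWS\system32\biU.exe
    $ops = Get-PendingOps
    for ($i = 0; $i + 1 -lt $ops.Count; $i += 2) {
        if ($ops[$i] -ieq "\??\$Path" -and $ops[$i + 1] -eq '') { return $true }
    }
    return $false
}

# Destination NULL plus the delay flag = delete this file during the next boot.
if (-not [Win32.Native]::MoveFileEx($Target, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "MoveFileEx failed with Win32 error $err"
}
if (-not (Test-DeleteQueued $Target)) {
    throw "Delete for $Target was not written to PendingFileRenameOperations"
}
Write-Output "Queued for deletion at next boot: $Target"

# Failure mode from the thread: another process clears the value before the
# reboot. Poll for 30 seconds (arbitrary) and report if the entry vanishes.
$removed = $false
for ($n = 0; $n -lt 6 -and -not $removed; $n++) {
    Start-Sleep -Seconds 5
    $removed = -not (Test-DeleteQueued $Target)
}
if ($removed) {
    Write-Warning "PendingFileRenameOperations entry for $Target was removed by another process; find and stop it before retrying"
} else {
    Write-Output "Entry still queued after 30 s; reboot now to let smss.exe process it"
}
```

If the entry disappears while you watch, the deletion was never going to happen at boot, whichever tool queued it; that is the condition behind the message quoted above, and it points at a still-running process guarding the file rather than at the tool.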
Jul 9th, 2006

Re: "Cannot find server or DNS Error" and Trojan Virus

I ran Killbox in Safe Mode as instructed but I still get the same "...Removed by External Process" message.
I ran AVG again and it did not find any virus.
I uninstalled Norton Firewall and we're now able to access emails and all secure websites.
avelarde
14 posts
since Jun 2006
© 2011 DaniWeb® LLC