Jan 28th, 2004

i have a dialer or something running in background..

I am new here, so forgive my mistakes.
I have a dialer or some type of program opening Internet Explorer, which then opens various porn sites in my task manager. I also recently discovered that it is downloading pictures to my Local Settings, Temporary Internet folders. Sometimes I will even see my Windows Media Player running in task manager.

I have installed and run Spybot, Ad-Aware, Norton, and AVG. It is still doing it. I have to disable my internet connection every night because I don't want to take any chances. I have an always-on connection (DSL line).

Norton always finds trojanByte. viruses but it says it is deleting them. Anyway, this thing seems unstoppable to me. Can anyone help? What is this thing?
shawk5150

Jan 28th, 2004

Re: i have a dialer or something running in background..

You have been hijacked. Download the HijackThis program in my signature, put it in a folder in the root of C:\ and not a temp folder, run it, and copy/paste a log back here. Don't fix anything yet; let's have a look in the log first.
caperjack

Jan 28th, 2004

Re: i have a dialer or something running in background..

Caperjack: Thanks for the tip. Here is the log you wanted.


Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Belkin Bulldog\upsd.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\HPDESK\hppddir.exe
C:\WINNT\System32\cidaemon.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\America Online 8.0\aol.exe
C:\Program Files\America Online 8.0\waol.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\scott\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.findlaw.com/?lid=MYFL_button
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.findlaw.com/?lid=MYFL_button
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.findlaw.com/?lid=MYFL_button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://my.findlaw.com/?lid=MYFL_button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://my.findlaw.com/?lid=MYFL_button
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://my.findlaw.com/?lid=MYFL_button
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://my.findlaw.com/?lid=MYFL_button
F1 - win.ini: load=,DTMONX.EXE
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O1 - Hosts: 66.40.16.131 www.livesexlist.com
O1 - Hosts: 66.40.16.131 www.lanasbigboobs.com
O1 - Hosts: 66.40.16.131 www.thumbnailpost.com
O1 - Hosts: 66.40.16.131 www.adult-series.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\WINNT\system32\StopzillaBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Soundmx] \soundmx.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [STOPzilla] "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [iedll] c:\WINNT\iedll.exe
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
O4 - HKCU\..\Run: [LDM] \Program\BackWeb-8876480.exe
O4 - Global Startup: America Online 8.0 Tray Icon.lnk.disabled
O4 - Global Startup: Document Assistant.lnk = C:\HPDESK\hppddir.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/downlo...22/wmv9VCM.CAB
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productu...ntent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.co...972.3886342593
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - https://www.stopzilla.com/_download/...ler/dwnldr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...17/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{CF9984AB-F387-4A81-913C-CE9B4B7A9483}: NameServer = 152.163.241.134
shawk5150

Jan 28th, 2004

Re: i have a dialer or something running in background..

First thing, you should run hijack from its own folder on the c:\ drive, so when it creates backups they don't get lost in a temp folder. I will analyze the log and get back to you later. It takes a while.
caperjack

Jan 29th, 2004

Re: i have a dialer or something running in background..

Don't forget to put the hijack exe in its own folder on the c: drive, for when it backs up what it fixes.

Edit: OK, hope you didn't do what I had posted earlier.
You have a CoolWebSearch hijack.
Download and run CWShredder; hit fix, not scan.
http://www.spywareinfo.com/~merijn/files/CWShredder.exe

Run HijackThis and have it fix the following by placing a check in the appropriate boxes and selecting "Fix checked". Make sure all browser and all Windows Explorer windows are closed before fixing.

O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 lanasbigboobs.com
O1 - Hosts: 66.40.16.131 thumbnailpost.com
O1 - Hosts: 66.40.16.131 adult-series.com
O1 - Hosts: 66.40.16.131 www.livesexlist.com
O1 - Hosts: 66.40.16.131 www.lanasbigboobs.com
O1 - Hosts: 66.40.16.131 www.thumbnailpost.com
O1 - Hosts: 66.40.16.131 www.adult-series.com

If these were not set on purpose, you could also fix them.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Post a new log and I'll check some more.
caperjack

Jan 29th, 2004

Re: i have a dialer or something running in background..

Thanks again. I am doing that now. Will post a new log soon.
shawk5150

Jan 29th, 2004

Re: i have a dialer or something running in background..

Here is the latest on my logs after following your tips. The problem seems to stop (or at least is not as frequent) after running all these spyware, virus, and shredder programs, security updates, etc. But then I reboot and open my task manager to see what's going on, and it's just a matter of seconds usually until explorer opens up (in task manager) and then a bunch of porn sites. I even see it go to download.com for a second. (This is all in task manager; otherwise none of it is visible.) You can hear the default sounds, though, when it starts up. I can't seem to shake this thing! Any other tips? Also, the shredder fixed everything you told me to fix except the host sites. It said "permission denied" error #70. I don't know what that means!?



COOLWEB SHREDDER STUFF - SCAN

AppData folder: C:\Documents and Settings\*****\Application Data
Username: ******

Found Hosts file: C:\WINNT\system32\drivers\etc\hosts (309412 bytes, -)
Hosts file: 66.40.16.131 livesexlist.com
Hosts file: 66.40.16.131 lanasbigboobs.com
Hosts file: 66.40.16.131 thumbnailpost.com
Hosts file: 66.40.16.131 adult-series.com
Hosts file: 66.40.16.131 www.livesexlist.com
Hosts file: 66.40.16.131 www.lanasbigboobs.com
Hosts file: 66.40.16.131 www.thumbnailpost.com
Hosts file: 66.40.16.131 www.adult-series.com
Shell Registry value: HKLM\..\WinLogon [Shell] Explorer.exe
UserInit Registry value: HKLM\..\WinLogon [UserInit] C:\WINNT\system32\userinit.exe,
Found Win.ini file: C:\WINNT\win.ini (1658 bytes, A)
Found line in Win.ini: run=
Found System.ini file: C:\WINNT\system.ini (231 bytes, A)

- END OF REPORT –

COOLWEB SHREDDER STUFF - FIX

Done!
Removed from your system:
- CWS affiliate: Tooncomics
- Hosts file redirections

Windows 2000 (5.00.2195 SP4)
CWShredder v1.47.1
Written by Merijn - merijn@spywareinfo.com

For any additional help with this program or removing CWS, visit http://forums.spywareinfo.com/

For information and documentation on the Coolwebsearch trojan and its variants, visit
http://www.merijn.org/cwschronicles.html

START UP STUFF--

StartupList version: 1.52
Started from : C:\antihijacker.software\HijackThis.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\STOPzilla!\szntsvc.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINNT\System32\cisvc.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Belkin Bulldog\upsd.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\dtmonx.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\ahead\InCD\InCD.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\rundll32.exe
C:\HPDESK\hppddir.exe
C:\WINNT\system32\taskmgr.exe
C:\WINNT\System32\cidaemon.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\antihijacker.software\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
America Online 8.0 Tray Icon.lnk.disabled
Document Assistant.lnk = C:\HPDESK\hppddir.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
NeroCheck = C:\WINNT\System32\NeroCheck.exe
zBrowser Launcher = C:\Program Files\Logitech\iTouch\iTouch.exe
Logitech Utility = Logi_MwX.Exe
InCD = C:\Program Files\ahead\InCD\InCD.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Advanced Tools Check = C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
RealTray = C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
STOPzilla = "C:\Program Files\STOPzilla!\Stopzilla.exe" /autorun
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC = C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

MigrateMMDrivers = rundll32.exe mmsys.cpl,mmseRunOnce

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

rundll32 = C:\WINNT\rundll32.exe
LDM = \Program\BackWeb-8876480.exe

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=
run=

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=,DTMONX.EXE
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=(NONE)
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
NAV Helper - C:\Program Files\Norton AntiVirus\NavShExt.dll - {BDF3E430-B101-42AD-A544-FADC6B084872}
(no name) - C:\WINNT\system32\StopzillaBHO.dll - {E3215F20-3212-11D6-9F8B-00D0B743919D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Norton AntiVirus - Scan my computer - Scott.job
Norton AntiVirus - Scan my computer.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/downlo...22/wmv9VCM.CAB

[OPUCatalog Class]
InProcServer32 = C:\WINNT\System32\opuc.dll
CODEBASE = http://office.microsoft.com/productu...ntent/opuc.cab

[Update Class]
InProcServer32 = C:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.co...972.3886342593

[Downloader Class]
InProcServer32 = C:\WINNT\DOWNLO~1\dwnldr.dll
CODEBASE = https://www.stopzilla.com/_download/...ler/dwnldr.cab

[{D27CDB6E-AE6D-11CF-96B8-444553540000}]
CODEBASE = http://download.macromedia.com/pub/s...sh/swflash.cab

[McFreeScan Class]
InProcServer32 = C:\WINNT\McAfee.com\FreeScan\mcfscan.dll
CODEBASE = http://download.mcafee.com/molbin/is...17/mcfscan.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: c:\documents and settings\scott\cookies\scott@bluestreak[2].txt||c:\documents and settings\scott\cookies\scott@doubleclick[1].txt||c:\documents and settings\scott\cookies\scott@ehg-findlaw.hitbox[2].txt||c:\documents and settings\scott\cookies\scott@ehg.hitbox[2].txt||c:\documents and settings\scott\cookies\scott@hitbox[2].txt||c:\documents and settings\scott\cookies\scott@paycounter[1].txt||c:\documents and settings\scott\cookies\scott@valueclick[1].txt||c:\documents and settings\scott\cookies\scott@z1.adserver[1].txt||c:\documents and settings\scott\cookies\scott@zedo[2].txt

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: C:\WINNT\system32\NETSHELL.dll
WebCheck: C:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 8,780 bytes
Report generated in 0.150 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

/end/
shawk5150

Jan 29th, 2004

Re: i have a dialer or something running in background..

OK, this is what we need to get hijack to fix:
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe

Then reboot into safe mode (hit F8 on bootup to get to safe mode) and delete this file: C:\WINNT\rundll32.exe. Make sure it's not the one in the C:\WINNT\System folder.

These may be hidden files. Click the link below for how to show hidden files.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Also a good idea to check for updates of spyware programs like hijack and CWShredder before running them.
caperjack
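
The checks applied by eye in this thread (hosts-file redirections under O1, a system-named binary auto-started from the wrong folder under O4, IE policy keys under O6), sketched as an added example that is not part of any post and is not HijackThis code. The sample lines are excerpted from the log posted above; `EXPECTED_DIR`, `image_path` and `triage` are names assumed for the illustration.

```python
import ipaddress
import ntpath
import re
from collections import defaultdict

# Lines excerpted from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 66.40.16.131 livesexlist.com
O1 - Hosts: 66.40.16.131 www.livesexlist.com
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [rundll32] C:\WINNT\rundll32.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Assumption: usual folders of these Windows binaries when Windows is in C:\WINNT.
EXPECTED_DIR = {
    "rundll32.exe": r"c:\winnt\system32",
    "svchost.exe": r"c:\winnt\system32",
}

ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
HOSTS = re.compile(r"^Hosts: (\S+)\s+(\S+)$")
RUN = re.compile(r"^(HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")


def image_path(command):
    """Return the executable path from a Run value, dropping quotes and arguments."""
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    match = re.match(r".+?\.exe", command, re.IGNORECASE)
    return match.group(0) if match else command


def triage(log_text):
    """Return (code, finding) pairs for the entry types acted on in this thread."""
    findings, redirects = [], defaultdict(list)
    for line in log_text.splitlines():
        entry = ENTRY.match(line.strip())
        if not entry:
            continue
        code, detail = entry.groups()
        hosts, run = HOSTS.match(detail), RUN.match(detail)
        if code == "O1" and hosts:
            try:
                addr = ipaddress.ip_address(hosts.group(1))
            except ValueError:
                continue  # not an IP literal; leave for manual review
            # Loopback/unspecified targets are blocklist-style entries, not redirects.
            if not (addr.is_loopback or addr.is_unspecified):
                redirects[str(addr)].append(hosts.group(2))
        elif code == "O4" and run:
            folder, name = ntpath.split(image_path(run.group(3)).lower())
            expected = EXPECTED_DIR.get(name)
            # A bare file name (no folder) is resolved through PATH; skip it.
            if expected and folder and folder != expected:
                findings.append((code, f"{run.group(1)} Run [{run.group(2)}]: "
                                       f"{name} in {folder}, expected {expected}"))
        elif code == "O6":
            findings.append((code, f"IE policy restriction: {detail}"))
    for addr, names in redirects.items():
        findings.append(("O1", f"hosts file sends {len(names)} name(s) to {addr}: "
                               + ", ".join(names)))
    return findings


if __name__ == "__main__":
    for code, finding in triage(SAMPLE_LOG):
        print(code, "-", finding)
```
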
Jan 29th, 2004

Re: i have a dialer or something running in background..

Thanks so much for your time... I will try that now.
shawk5150