dlh6213 27 Posting Maven Team Colleague

Scan with HJT and have it fix:

O4 - HKLM\..\RunServices: [NTKM.EXE] C:\WINDOWS\NTKM.EXE /s

Close any open windows and hit Fix checked.

Go to C:\WINDOWS and delete NTKM.EXE.

Reboot, close any open browser windows, scan with HJT, and post a new log... and let us know if you're still having problems.

dlh6213 27 Posting Maven Team Colleague

Follow the instructions in the 'Cleanup' link below.

A HijackThis log would be helpful ;).

dlh6213 27 Posting Maven Team Colleague

Make sure your system is set to 'Show hidden files and folders' -- Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

Update, and run these utilities again:

CWShredder
about:Buster
PurityScan uninstaller

Repeat the instructions in my last post (#14), and then post a new HJT log.

dlh6213 27 Posting Maven Team Colleague

Please follow the instructions here to remove newdotnet -- http://www.newdotnet.com/removal.html

Delete the entire contents of the C:\Windows\Temp folder.

Delete the entire contents of the C:\Temp folder.

Do a search for *.tmp and delete all entries found.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):
Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Scan with HJT and have it fix:

O4 - HKLM\..\Run: [Visual Element FX5] C:\DOCUME~1\JESSIC~1.EIS\LOCALS~1\Temp\See04152005.exe
O4 - HKLM\..\Run: [tplier] C:\WINDOWS\System32\tplier.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
If the IP addresses below are not related to her ISP, have HJT fix both of these O17 entries --
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
O17 - HKLM\System\CS1\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56

Close any open windows and hit Fix checked.

Reboot, close any open browser windows, scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

What is the exact error message you get from Norton?

dlh6213 27 Posting Maven Team Colleague

I don't either, so why is Norton coming up with it???

dlh6213 27 Posting Maven Team Colleague

Glad to hear things are back to normal :)

Marking this thread as 'Solved' -- if you have any more trouble, let us know.

dlh6213 27 Posting Maven Team Colleague

'Nasties' are almost always what causes popups. But in your case, at least some of them are courtesy of your ISP...

Check this link for some info on Bartshel.exe --
http://www.pcpitstop.com/spycheck/SWDetail.asp?fn=bartshel.exe

There are a couple of things you can fix with HijackThis, but first, right-click in an open area of your desktop and select New, Folder; give the new folder a name (something like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

Now, scan with HJT and have it fix the following entries:

O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm

Close any open windows, other than HijackThis, and hit Fix checked.

Go to C:\WINNT\web and delete related.htm

Empty your Recycle bin.

I also suggest downloading and updating Ewido --
http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1 -- but don't scan with it yet.

Reboot into Safe Mode first, and then scan with Ewido, allowing it to fix whatever it finds. Please post the log in your next reply.

Reboot normally, close any open browser windows, scan with HJT, and post a new log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

Crunchie! What are you doing here? I just checked and you were looking at a different thread!

dlh6213 27 Posting Maven Team Colleague

For future reference, have a look at this thread:
http://www.daniweb.com/techtalkforums/showthread.php?t=16365&highlight=christmas+crackers

For now, please follow the recommendations and instructions in the links below, and then post a HijackThis log in this thread so we can see what's going on.

dlh6213 27 Posting Maven Team Colleague

I don't see anything else in your HijackThis log, but looking at that Ewido log it looks like you need to follow the instructions in the 'Cleanup' link below and run CCleaner again.

Are you still having any problems?

dlh6213 27 Posting Maven Team Colleague

Where's the new Ewido log? :)

Download Killbox -- http://www.downloads.subratam.org/KillBox.zip -- and unzip the file to your Desktop.

Scan with HJT and have it fix the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ads2.revenue.net/r?site_id=1...ative_id=209716
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\ppdx5032.dll

Close any open windows and hit Fix checked.

Go to C:\Program Files and delete the entire WildTangent folder.

Do a search for the following files and delete any instances found:

qbet.exe
GameChannel.exe
kbdsp.exe
atrivs.exe
ppdx5032.dll

If any of the noted files could not be deleted, open KILLBOX, type (or copy and paste) the path of the file into the box; then check the Delete on Reboot box, and click the red X. You will get a message saying File will be deleted on next reboot, Process and Reboot now? Click Yes to reboot. Note: the file path will be something like C:\WINDOWS\System32\kbdsp.exe

Reboot, close any open browser windows, scan with HJT, and post a new log along with the new Ewido log.

dlh6213 27 Posting Maven Team Colleague

Remove Newdotnet either from Add/Remove Programs, or by following the instructions here:
http://www.newdotnet.com/removal.html

Also in Add/Remove Programs, remove Viewpoint (or Viewpoint Manager, ViewMgr, or something similar).

Scan with HijackThis and have it fix:

O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing

Close any open windows, other than HijackThis, and hit Fix checked.

Go to the following locations and delete the highlighted folders:

C:\Program Files\Viewpoint
C:\program files\newdotnet

Do a search for these files and delete any instances found:

commandd.exe
conversions.ini
d2gfz.dll
diablo ii.exe
dinst.exe
grab.exe

If any of these files are found, but cannot be deleted, reboot into Safe Mode and try it from there.

Download and run CCleaner -- http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html

Reboot, close any open browser windows, scan with HijackThis, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

NOW you can celebrate; your log looks clean to me :)

Glad we could help... Happy (and safe) computing!

dlh6213 27 Posting Maven Team Colleague

No problem :)

Open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Copy & paste C:\WINDOWS\DownloadedProgramFiles\CONFLICT.1\GainPlugin.dll into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

dlh6213 27 Posting Maven Team Colleague

You have the latest Windows & IE Updates already -- Windows XP SP2, and Internet Explorer v6.00 SP2 :)

Go to Add/Remove Programs and remove (if present):

Media Gateway
Viewpoint (or Viewpoint Manager, ViewMgr, Viewpoint Toolbar, or anything similar)
180Solutions
SearchMiracle

Download and update these utilities, but don't scan with them yet:

Ewido -- http://www.download.com/Ewido-Security-Suite/3000-8022_4-10326287.html?tag=lst-0-1
CCleaner -- http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html

Reboot into Safe Mode.

Scan with Ewido, allowing it to fix whatever it finds (note - you will be posting the results from this log in your next reply).

Still in Safe Mode, scan with HijackThis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?T...ario&pf=desktop
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter …

dlh6213 27 Posting Maven Team Colleague

How do you know you still have it?

Scan with HJT and have it fix the following:

O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)

Close any open windows and hit Fix checked.

Update both your AV program and Ewido.

Reboot into Safe Mode and do a full system scan with each.

Reboot normally and post a new HJT log and the new Ewido log please.

dlh6213 27 Posting Maven Team Colleague

Hi Michael, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below.

When you've finished, and have HijackThis in a permanent folder, please post a new log.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs and make sure WildTangent has been removed.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchmiracle.com/sp.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.shopnav.com/sidese...6235&id=1.20030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.shopnav.com/sidese...6235&id=1.20030
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O20 - Winlogon Notify: RunOnce - C:\WINDOWS\system32\kqdhu.dll

Remember to close any open windows and hit Fix checked.

Be sure your system is set to 'Show hidden files and folders':
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Now, go to the following locations and delete the highlighted files and folder:

C:\WINDOWS\qbet.exe
C:\WINDOWS\system32\kqdhu.dll

C:\Program Files\WildTangent

Do a search for atrivs.exe and delete any instances found.

If any of these could not be deleted, open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the …

dlh6213 27 Posting Maven Team Colleague

Glad to hear things are getting better, but there's still a bit more to do.

Scan with HJT and have it fix:

O4 - HKLM\..\Run: [rmmon] C:\WINDOWS\SYSTEM\m1rmmon.exe

Then go to C:\WINDOWS\SYSTEM and delete m1rmmon.exe

That's all I see in your log, but to be sure your system is clean, I recommend getting CCleaner and the free trial version of CounterSpy; links to both can be found in the 'Cleanup' link below.

dlh6213 27 Posting Maven Team Colleague

Hi Wild Bill, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below. When you get to the end of the third one (Infection removal), go to post #5 and follow the instructions there carefully.

When you've finished, please post a new HijackThis log along with the Ewido log.

dlh6213 27 Posting Maven Team Colleague

Hi yaduks, welcome to DaniWeb :D

I believe GGLIB.EXE is adware; McAfee should be able to clean up QLowZones-15, are you sure it's up to date?

Please follow the recommendations and instructions in the links below, and then post your HijackThis log in this thread.

dlh6213 27 Posting Maven Team Colleague

Thanks Dave! I totally missed that Ewido entry (C:\WINDOWS\cxid.exe -> Spyware.180Solutions : Cleaned with backup) :o .

I don't think Ath has tried to fix it with HJT yet because I wasn't sure it was bad. Hopefully this will finally clear things up so Ath is no longer paranoid :).

By the way Ath, you can reset your homepage from 'hsremove' to whatever you prefer.

You may also want to check your Add/Remove Programs for 180Solutions.

dlh6213 27 Posting Maven Team Colleague

You're quite welcome :D

dlh6213 27 Posting Maven Team Colleague

Couldn't scan the file as it really doesn't seem to actually be there in the directory. I googled the file name and it appears to be some part of either Bios or drivers - so I don't think it's entirely evil (just rather shy)...

(info [in English!] here: http://www.bios-drivers.com/drivers/51/51964.htm)

That's why I wanted you to have the file scanned (or get info via Properties)... it could be a legit file from Cyrix, but if it were, it seems more likely to me it should be in a 'drivers' folder, not running directly from the Windows folder. Also, the part in brackets in your log, [cxid] C:\WINDOWS\cxid.exe, should have the manufacturer's name, Cyrix.

Now, if that entry looked more like this -- [Cyrix] C:\WINDOWS\System32\Drivers\cxid.exe -- I would have no problem believing it is indeed a legit file.

It also strikes me as very odd that you can't see the file even with having your system set to 'Show hidden files and folders.'

I'll see if I can get someone else to have a look at this for a second opinion.

dlh6213 27 Posting Maven Team Colleague

Hi Clagoo, welcome to DaniWeb :D

I've split your post (from http://www.daniweb.com/techtalkforums/thread28035.html) into its own thread per forum rules -- http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Please follow the recommendations and instructions in the three links from my signature below.

Then, when you have HJT in its own permanent folder, please post a new log.

Also, do a search for lsvchost.exe; delete any instances found and let us know in your next post if you actually found any.

dlh6213 27 Posting Maven Team Colleague

Hi Dano69, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below.

Then go to post #6 in the last one (Infection removal...).

In addition to the instructions in those posts, when you next scan with HijackThis, have it fix these entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {5A1B061E-B088-9A88-3986-A4314318D27D} - C:\WINDOWS\SDKOL32.DLL

Close any open windows, other than HijackThis, before hitting Fix checked.

Go to C:\WINDOWS and delete SDKOL32.DLL

Please post a new HJT log when you've completed all of the above.

dlh6213 27 Posting Maven Team Colleague

Hi-ho Heho, welcome to DaniWeb :D

Did you try WinsockXPFix?

Run it, and click the Fix button; choose YES when asked if you want to proceed.

If it still doesn't work, try IEFix -- http://windowsxp.mvps.org/IEFIX.htm

dlh6213 27 Posting Maven Team Colleague

Download CCleaner --
http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html -- but don't run it yet.

Go to Add/Remove Programs and remove any of the following found:

BargainBuddy
Look2Me
WildTangent

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKCU\..\Run: [kbdsp] C:\WINDOWS\System32\kbdsp.exe
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kqdhu.dll

Go to the following locations and delete the highlighted files and folders:

C:\WINDOWS\qbet.exe
C:\WINDOWS\System32\kbdsp.exe
C:\WINDOWS\system32\kqdhu.dll

C:\Program Files\WildTangent
C:\Program Files\BargainBuddy
C:\Program Files\Look2Me

Do a search for atrivs.exe and delete any instances found.

If any of these files cannot be deleted, try booting into Safe Mode first, and then delete them.

Now run CCleaner.

Reboot, close any open browser windows, scan with HJT, and post a new log please.
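The posts on this page apply a handful of recurring checks to HijackThis lines by eye: entries whose file is gone, Run entries that name a bare executable with no folder, executables started straight from the Windows folder, RunServices and Winlogon Notify loaders, browser defaults pointed at unexpected hosts or at a `res://` DLL resource, and NameServer addresses that do not belong to the ISP. The Python script below is an added example (it is not dlh6213's, DaniWeb's or HijackThis' code) that turns those checks into a small triage pass. The `SAMPLE_LOG` is constructed to resemble the entries quoted above, and `expected_dns` and `allowed_hosts` are assumptions the caller supplies (the ISP's resolvers, the home page the user actually chose). Note that the WildTangent rundll32 entry is not flagged: it lives under Program Files with a proper path, so heuristics like these still need the reputation knowledge the volunteers bring to the thread.

```python
"""Triage HijackThis-style log lines with a few defender heuristics.

Added example; SAMPLE_LOG is constructed, and expected_dns/allowed_hosts
are caller-supplied assumptions (ISP resolvers, intended home page host).
"""
import re
from urllib.parse import urlparse

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
R_RE = re.compile(r'^R[0-3] - .*? = (?P<url>\S+)$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
DRIVE_PATH_RE = re.compile(r'[a-z]:\\.*?\.(?:exe|dll|com|scr|bat|cmd)', re.IGNORECASE)
WINDOWS_ROOTS = {'c:\\windows', 'c:\\winnt', 'c:\\windows\\system'}

# Constructed sample, modelled on entries quoted in the post above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qhuwh.dll/sp.html#63796
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {12EE7A5E-0674-42f9-A76B-000000004D00} - (no file)
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [qbet] C:\WINDOWS\qbet.exe
O4 - HKCU\..\Run: [Io02RRM3V] atrivs.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [Example Updater] C:\Program Files\Example\updater.exe
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kqdhu.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{5A12CAA3-3DAE-4A7F-9CB8-C0E23DE07F01}: NameServer = 192.206.29.2,166.66.44.56
"""


def loaded_file(cmd):
    """Return the file a Run command really loads: a quoted path (rundll32
    style), else a bare drive path, else the first token (no directory)."""
    quoted = re.search(r'"([^"]+)"', cmd)
    if quoted:
        return quoted.group(1)
    drive = DRIVE_PATH_RE.match(cmd)
    return drive.group(0) if drive else cmd.split()[0]


def in_windows_root(path):
    """True when the file sits directly in the Windows folder (or the legacy
    SYSTEM folder), where a genuine driver or application rarely lives."""
    return path.rsplit('\\', 1)[0].lower() in WINDOWS_ROOTS


def triage(log_text, expected_dns=(), allowed_hosts=()):
    """Return [(line, reason)] for every entry a helper would want to review."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        reasons = []
        if '(no file)' in line or '(file missing)' in line:
            reasons.append('orphaned entry (file gone); safe to fix')
        elif line.startswith('R3 - Default URLSearchHook is missing'):
            reasons.append('default URLSearchHook removed')
        elif m := O4_RE.match(line):
            path = loaded_file(m['cmd'])
            if '\\' not in path:
                # Windows will search for this name at logon; nothing pins it down.
                reasons.append(f'no directory given for {path}')
            elif in_windows_root(path):
                reasons.append(f'{path} runs straight from the Windows folder')
            if m['key'] == 'RunServices':
                reasons.append('legacy RunServices key')
        elif m := O20_RE.match(line):
            reasons.append(f'Winlogon Notify DLL {m["path"]}; verify publisher')
        elif m := O17_RE.match(line):
            servers = [s for s in m['servers'].split(',') if s]
            unexpected = [s for s in servers if s not in expected_dns]
            if unexpected:
                reasons.append('NameServer(s) not on the ISP list: ' + ', '.join(unexpected))
        elif m := R_RE.match(line):
            url = m['url']
            host = urlparse(url).hostname
            if url.lower().startswith('res://'):
                reasons.append('search page served from a local DLL resource')
            elif host and host not in allowed_hosts:
                reasons.append(f'browser default points at {host}')
        if reasons:
            findings.append((line, '; '.join(reasons)))
    return findings


if __name__ == '__main__':
    for line, reason in triage(SAMPLE_LOG, expected_dns=('192.206.29.2',),
                               allowed_hosts=('www.example.com',)):
        print(f'{reason}\n    {line}')
```

Run it as-is to see the nine flagged lines; feed it a real log by reading the file and passing the text to `triage` with your own resolver and home-page values.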

dlh6213 27 Posting Maven Team Colleague

Hi Hagar, welcome to DaniWeb :D

I've moved your thread to the Virus forum as I feel this is a more appropriate place for it.

I suggest you first use System Restore to return your system to a time before you deleted the file you seem to be having trouble with.

Then, follow the recommendations and instructions in the links below. When you've finished that, post your HijackThis log in this thread and we'll (hopefully) get this problem sorted out :).

dlh6213 27 Posting Maven Team Colleague

Here's the link to the latest version of CCleaner -- http://www.filehippo.com/download/lixhbccfafpilfwflhddbjzbwcxefhrh/download.html

Scan with HJT and have it fix the following:

O4 - HKLM\..\Run: [abricd] c:\windows\system32\atgnfv.exe r

Remember to close any open windows before hitting Fix checked.

Do a search for the following files and delete any instances found:

Atgnfv.exe
Awvfehluwxk.exe

If either of these could not be deleted (or located), open HijackThis and click on the Config... button in the lower right corner of the main window. In the next window, click on the Misc Tools button at the top, and then click the Delete a file on reboot... button. Type (or copy & paste) the file into the box, and click Open. A new window will pop up asking if you want to restart your computer now; click Yes.

If you haven't done so already, go to C:\Program Files and delete the BearShare folder.

Run CCleaner.

Please go to http://virusscan.jotti.org/ and have this file scanned:
C:\WINDOWS\cxid.exe
Post the results back here.

Reboot, close any open browser windows, scan with HJT, and post a new log.

dlh6213 27 Posting Maven Team Colleague

Hi Crevin, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below. This will:

1.) Prevent reinfections during and after the cleanup process;

2.) Remove some of your infections automatically, and;

3.) Clean up your log a bit so it's not so intimidating :)

Post a new HJT log when you've finished.

dlh6213 27 Posting Maven Team Colleague

Open Task Manager (Ctrl-Alt-Del), and look for polall1p.exe; if found, highlight it and then hit the End Process button.

Go to the Start menu and select Run. In the box that pops up type in cmd; the command prompt will open.

Unregister these DLLs by entering the following (hit Enter after each line):

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\drtemp\pynix.dll

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\thi1e71.tmp\pynix.dll

regsvr32 /u C:\Documents and Settings\Graham Archer\local settings\temp\thi4f81.tmp\pynix.dll

regsvr32 /u C:\WINDOWS\System32\lastgood\pynix.dll

regsvr32 /u C:\WINDOWS\System32\pynix.dll

Close the Command window.

Go to Start, Run, type regedit in the box, and hit Enter. When the Registry Editor opens, navigate to the following locations, right-click on the entry, and delete it:

HKEY_CLASSES_ROOT\clsid\{00000000-dd60-0064-6ec2-6e0100000000}

HKEY_CLASSES_ROOT\interface\{17973bd7-959c-4d8a-8b2f-ab200e20a75e}

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj.1\pynixobj class

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj\curver\pynixdll.pynixdllobj.1

HKEY_CLASSES_ROOT\pynixdll.pynixdllobj\pynix functional class

HKEY_CURRENT_USER\software\pynix

Close the Registry Editor.

Do a search for the following and delete any instances found:

Polall1p
Pynix


Run CCleaner again.

Scan with MS Antispyware and let us know the results.

Close any open browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

What browser and operating system are you using?

dlh6213 27 Posting Maven Team Colleague

Scan with HJT and have it fix the following:

O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll

Go to c:\windows\system and delete BHOmod.dll; empty your Recycle Bin.

That's about all I see. Follow the recommendations in the Protection link below to help prevent further intrusions.

dlh6213 27 Posting Maven Team Colleague

Sorry, my mistake; neither HSRemove nor Ewido will work with Windows Me. Try these:

CounterSpy -- http://www.download.com/CounterSpy/3000-8022_4-10375153.html?tag=lst-0-1

CCleaner -- http://www.ccleaner.com/

Post a new HijackThis log after running those.

dlh6213 27 Posting Maven Team Colleague

Well, I don't see any signs of Aurora/Nail in your log :).

Did you look through that Ewido log? It looks like you had a lot more going on than you thought! (Probably from using file sharing programs.)

Before continuing, you should also follow the recommendations in the Protection and Cleaning threads (links below).

Then, go to Add/Remove Programs in your Control Panel and remove (if present):

Media Access
180searchassistant
BetterInternet
SAH
Cdmdownld

I would also recommend removing BearShare.

Download the removal tool for BetterInternet from here:
http://securityresponse.symantec.com/avcenter/FixBinet.exe

Open FixBinet.exe and click Start to begin the removal process.

Next, download, install, update, and run these utilities:

CWShredder -- http://www.intermute.com/spysubtract/cwshredder_download.html
about:Buster -- http://www.majorgeeks.com/download4289.html
HSRemove -- http://www.majorgeeks.com/download4286.html
PurityScan uninstaller -- http://www.purityscan.com/uninstall.html
CCleaner -- http://www.filehippo.com/download/Qi6RR0U86febzhqUrQQIBQ2/download.html (don't run this one yet)

After that, scan with HJT and have it fix the following entries:

R3 - Default URLSearchHook is missing
O2 - BHO: AuroraHandlerObj Class - {4AA870AC-8427-42a4-B92E-ECD956197489} - C:\WINDOWS\AuroraHandler.dll (file missing)
O2 - BHO: (no name) - {6988740F-2990-3160-7ED2-B86380211C8C} - C:\Program Files\cdmdownld\mqcsmdkmvs.dll (file missing)
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
O4 - HKLM\..\Run: [SAHBundle] C:\WINDOWS\TEMP\bundle_cdt1006.exe run
O4 - HKLM\..\Run: [lklzes] c:\windows\system32\arwdscm.exe r
O23 - Service: tsecure - Unknown owner - C:\WINDOWS\tsecure.exe (file missing)

Remember to close any open windows, other than HJT, before …

dlh6213 27 Posting Maven Team Colleague

Here is a data recovery service that has been used and recommended by a couple of DaniWeb members:

http://www.gmdsolutions.net/index.htm

dlh6213 27 Posting Maven Team Colleague

Follow the instructions here to get rid of the worm:

http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

I don't see anything else in your log, are you having any other problems?

dlh6213 27 Posting Maven Team Colleague

Does Norton give you the location? Is it something like C:\System Volume Information\_restore\GainPlugin.dll?

Also, be sure your system is set to Show hidden files and folders:
Open Windows Explorer, go to Tools, and in Folder Options, select Show hidden files and folders, and uncheck Hide protected operating system files.

dlh6213 27 Posting Maven Team Colleague

You should have everything I have listed there, with the possible exception of Ewido & CounterSpy; one or the other of those two would be fine.

Not only is Nod32 lighter on the system, it is faster and detects more viruses than most others. Here is a comparison of just about every AV program there is:

http://www.virusbtn.com/library/files/4pg_reprint.pdf

dlh6213 27 Posting Maven Team Colleague

Sometimes that's the best way to go; at least everything is working now.

Follow the instructions in the Protection link below to help keep it that way.

dlh6213 27 Posting Maven Team Colleague

Glad to hear it!

dlh6213 27 Posting Maven Team Colleague

I have had the exact same problem as of late... including the Start Menu popping up after I click Switch To.

What type of system are you running? I have an Asus A8N-E M/B w/ AMD64 3200+ / 512 MB ram / Win XP sp2.

I have run hijack and don't see any suspicious entries but I can upload if someone else is interested in having a look at it.

Hi Droogy, welcome to DaniWeb :D

We'll have a look at your HijackThis log, but please post it in a new thread (not this one).

Edit -- Never mind, I split the post you put in another thread into its own.

dlh6213 27 Posting Maven Team Colleague

Glad to hear it :)

Happy computing!!

dlh6213 27 Posting Maven Team Colleague

Hi Old Dominon, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below.

When you've finished (and moved HijackThis), please post a new log so we can clean up anything that's left.

dlh6213 27 Posting Maven Team Colleague

Hi Akdraw, welcome to DaniWeb :D

Please follow the recommendations and instructions in the links below.

When you get to the end of the third one (Infection removal), go to post #4 and complete the instructions there.

When you've finished, please post a new HijackThis log so we can clean up what's left.

dlh6213 27 Posting Maven Team Colleague

Best protective measures, in my opinion --

Nod32 (Antivirus)

Spybot

Ad-Aware

CounterSpy

Ewido

Any browser other than IE

Hardware firewall (if you have an internet connection that is not dial-up)

Software firewall

SpywareBlaster

Links to all of these, and more, can be found in the Protection link below.

dlh6213 27 Posting Maven Team Colleague

Glad to hear everything is working properly :)

dlh6213 27 Posting Maven Team Colleague

Go to Start, Run, type regedit in the box, and hit Enter.

At the top of the Registry Editor window, click on File, and then Export. In the Export range panel (at the bottom), click All, give the file a name, and then Save your registry as a backup to a location where you will be able to locate it easily if necessary.

Then click on Edit, Find; in the box, paste pynix, and then click on Find Next

Right-click on any entries found and click Delete.

Continue using the Find Next option until you get the Finished searching through registry message.

Repeat the above instructions using 00000000-DD60-0064-6EC2-6E0100000000

Close the Registry Editor.

Let us know the results and post a new HJT log please.
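The post above has the user export the whole registry before searching it for `pynix` and for the CLSID `00000000-DD60-0064-6EC2-6E0100000000`. The same search can be run offline against that exported .reg backup, which lets a helper list every key that would be removed before anything is touched in the live registry. The Python below is an added example (not dlh6213's instructions, and not a regedit feature); `SAMPLE_REG` is a constructed export modelled on the key names quoted in the earlier pynix post on this page, and the `InprocServer32` linkage to `C:\WINDOWS\System32\pynix.dll` is an assumption made for the sample.

```python
"""Search an exported .reg backup for terms and list the keys that match.

Added example; SAMPLE_REG is constructed.  A real export written by regedit
is UTF-16 text, so read it with open(path, encoding='utf-16').
"""
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')

# Constructed sample export; key names follow the earlier pynix post, the
# InprocServer32 entry is an assumption for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-dd60-0064-6ec2-6e0100000000}]
@="pynix functional class"

[HKEY_CLASSES_ROOT\CLSID\{00000000-dd60-0064-6ec2-6e0100000000}\InprocServer32]
@="C:\\WINDOWS\\System32\\pynix.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\pynix]
"Installed"=dword:00000001

[HKEY_CURRENT_USER\Software\Example Vendor\Example App]
"Path"="C:\\Program Files\\Example\\app.exe"
'''


def search_reg(text, *terms):
    """Return [(key, value_name)] for every key or value whose key path,
    value name or value data contains any term (case-insensitive).
    value_name is None when the key path itself matched."""
    needles = [t.lower() for t in terms]
    hits, current_key, pending = [], None, ''
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.endswith('\\'):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if m := KEY_RE.match(line):
            current_key = m['key']
            if any(n in current_key.lower() for n in needles):
                hits.append((current_key, None))
            continue
        if (m := VALUE_RE.match(line)) and current_key is not None:
            name = m['name'].strip('"')
            haystack = (name + ' ' + m['data']).lower()
            if any(n in haystack for n in needles):
                hits.append((current_key, name))
    return hits


def keys_to_review(hits):
    """Distinct key paths touched by the hits, in first-seen order."""
    seen = []
    for key, _ in hits:
        if key not in seen:
            seen.append(key)
    return seen


if __name__ == '__main__':
    found = search_reg(SAMPLE_REG, 'pynix', '00000000-DD60-0064-6EC2-6E0100000000')
    for key in keys_to_review(found):
        print(key)
```

Running it prints the three keys the sample export would lose, which is the list to compare against what regedit's Find reports before deleting anything.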