dlh6213 27 Posting Maven Team Colleague

Go to:
http://www.silentrunners.org/
Download and run Silent Runners.vbs. It generates a log, please post the information back in this thread.

dlh6213 27 Posting Maven Team Colleague

Do you have this set as your start page? http://login1.telia.com

Scan with HJT and have it fix the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rl.webtracer.cc/-/?bayzm
O1 - Hosts: 1159680172 auto.search.msn.com
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Be sure all windows, other than hijackthis, are closed before hitting the Fix button.

Go to C:\WINDOWS and delete stsheets.dat

Reboot, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Here are instructions from Winferno on removing SecureIE:

"Removal of SecureIE

Please follow these instructions to fully uninstall the program completely.

To uninstall Secure IE, please follow these steps:

1. Open the CONTROL PANEL. To do this, click START, then SETTINGS, then CONTROL PANEL.
2. Double-click on the icon labeled ADD/REMOVE PROGRAMS.
3. Find SECURE IE in the list of programs. Click on it. You'll also see information such as
size, how often it's used, and a link to support.
4. Click on REMOVE. You will see a pop-up window that reads "Are you sure you want to completely
remove Secure IE and all of its components?"
5. Click YES. Secure IE, Private IE, and all associated files and folders will then be removed from your computer.
6. Make sure you complete these steps for both Secure IE 2003 and Secure IE 2004.

Next, make sure that your browser is closed and go to start/run, type in regedit. You will then have the registry editor. Proceed to back up your registry by clicking on file and export, at which time you will be prompted to save the file. Save it to your desktop by the name of "backup".

Once you are done, look for the Secure IE folder entitled "Secure IE 2004" and remove it. If you still see a folder entitled "Secure IE", remove that also.

If you have any further questions, please do not …

dlh6213 27 Posting Maven Team Colleague

See post #19

dlh6213 27 Posting Maven Team Colleague

HijackThis is still being run directly from your desktop (C:\Documents and Settings\a\Desktop\HijackThis.exe); please right-click in an open area of your desktop, select New, Folder; give the new folder a name (something like HJT or HijackThis would be good), and then drag the hijackthis.exe icon that is on your desktop into this new folder. After you've moved it, your log should show it as "C:\Documents and Settings\a\Desktop\HJT\HijackThis.exe" (HJT being whatever name you gave the folder).

You can go ahead and have HJT fix these entries, but you shouldn't go any further until we have established that HJT is in its own folder:

O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.telia.se/sdccommon/download/tgctlcm.cab
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {11111111-1111-1111-1111-511111113457} - file://c:\x.cab
O16 - DPF: {11111111-1111-1111-1111-511111113458} - file://c:\x.cab
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\test\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by10fd.bay10.hotmail.msn.com...es/MsnPUpld.cab
O16 - DPF: {6A7B6E02-D39C-411C-80DE-487888881584} (OpenOffice.OpenOfficeDocument) - http://w03.signform.com/Viewers/OpenOffice.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/...all/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptem...iveSecurity.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/pr...ctor/WebSWK.cab

Be sure all windows are closed, other than hijackthis, before hitting the Fix button.

Scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Try a 'repair' installation, instructions here (Method 2):
http://support.microsoft.com/default.aspx?scid=kb;en-us;315341&Product=winxp

dlh6213 27 Posting Maven Team Colleague

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zillafind.com/getPageRes...g=true&query=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
O2 - BHO: ZILLAbar BHO - {2F19BBE7-D050-4C39-829E-C2F9E15C90F0} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://help.bellsouth.net/sdccommon...oad/tgctlcm.cab
O16 - DPF: {4E7BD74F-2B8D-469E-9ABF-BF78B598A832} - http://toolbar.information.com/tool...information.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/s...84/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/s...,21/mcgdmgr.cab
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/...ller/dwnldr.cab
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - http://activex.microsoft.com/active...ate/sdkinst.cab
O19 - User stylesheet: (file missing)

Be sure all windows, other than hijackthis, are closed before hitting the Fix button.

Go to the following locations and delete the highlighted file or folder:

C:\Program Files\ISSS
C:\WINDOWS\system32\pc32.exe

I would not recommend connecting your Pocket PC to this computer until it gets cleaned up.

Did you install MagicKey on your computer?

You do have Crypkey software by Kenonic Controls installed on your computer; if it's not something you use, you should consider removing it.

How well do you know the person that put XP on your machine?

(You can find some info on Zilla here, if you're interested: http://research.sunbelt-software.com/threat_display.cfm?name=ZillaFind/ZillaBar)

Reboot, close any open browser windows, scan with HJT, and post a new …

dlh6213 27 Posting Maven Team Colleague

This particular thread has been 'Solved,' anyone (besides Pleasehelpme) who has a similar problem should start a new thread so they can get individual assistance. Thanks :)

dlh6213 27 Posting Maven Team Colleague

Still need the Windows Updates

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

The first thing you need to do is go to Windows Update and get the Critical Updates for your system (SP1a, hold off on SP2, at least until your system gets cleaned up).

The second thing you should do is move hijackthis into its own folder before fixing anything with it. You can do this by right-clicking in an open area of your desktop, select New, Folder; give the new folder a name (something like HJT or HijackThis would be good), and then drag the hijackthis.exe icon that is on your desktop into this new folder.

After you've done that, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

I don't know how I ended up here on the second page without any other pages showing. I hope you guys get this post.

You accidentally posted this in your original thread in the Browser forum, so I copied it over to here.

My computer froze up completely last night. I tried to do a systems restore and it froze up worse. I was finally able to do a ctrl alt delete and get the keyboard functioning and do another systems restore and get it back to working status. I went through all the steps on the instructions y'all gave me and redeleted all original files that you listed. I have done about all I can and the xxxthing still won't download a thing. I included some things listed in my adaware log I found that you had asked me if I had. Please take a look at the most recent logs and let me know. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:20:37 PM, on 4/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zillafind.com/getPageRes...g=true&query=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr …

dlh6213 27 Posting Maven Team Colleague

Although I don't think Winferno is one of them, there are actually anti-spyware vendors out there that 'throw nails in the road' in order to get business. SpyHunter used to fall into this category and I would suggest removing it. You can read a bit about it here: http://www.spywarewarrior.com/rogue_anti-spyware.htm#sh_note

(Always check this site before getting any anti-spyware products: http://www.spywarewarrior.com/rogue_anti-spyware.htm)

Winferno does make it surprisingly difficult to remove their product.

Do you have Crypkey software by Kenonic Controls installed on your computer?

Do you have any 'free trial' software installed?

Do you use a handheld PC that you sync with this one?

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

Winferno (also look for SecureIE, SIEPIE, or SIEPulse)

Scan with HJT, and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.zillafind.com/getPageRes...g=true&query=%s
O2 - BHO: ZILLAbar BHO - {2F19BBE7-D050-4C39-829E-C2F9E15C90F0} - C:\Program Files\ISSS\ZILLAbar\ZILLAbar.dll (file missing)
O4 - HKLM\..\Run: [SIE2004] "C:\Program Files\Winferno\SIEPIE\SIEPulse.exe"

Be sure all windows, other than hijackthis, are closed before hitting the Fix button.

Go to C:\Program Files and delete the Winferno folder

Go to C:\Documents and Settings\Administrator\Application Data and find umbs.exe, right-click on it, choose Properties, and give us whatever info you can find on it (Company, version, etc.). I think it's okay, just want to make sure.

Reboot, close all browser windows, scan with HJT, and post a new log …

dlh6213 27 Posting Maven Team Colleague

SecureIE may be causing part of your problems (including why hijackthis can't determine your IE version). Read the last couple of paragraphs in this review:
http://netsecurity.about.com/cs/productreviews/fr/aafpr080303_2.htm

Check the following settings in IE:

Click on Tools, and then Internet Options; click on the Security tab, and then on the Custom Level button. Scroll down the list to Downloads (past the part involving ActiveX); under Downloads you should see two options -- File download and Font download, make sure both are Enabled, and then click OK, and OK again.

After you do that, try downloading IEFix from here:
http://www.majorgeeks.com/download4467.html

Keep us posted...

PS: I'm trying to find out how to completely remove SecureIE... anyone here have any suggestions?

dlh6213 27 Posting Maven Team Colleague

Please tell me step by step how to create a permanent file to store HJT from a temp file in

Right-click in an open area on your desktop and select New, and then Folder; give the new folder a name (something like HJT or HijackThis would be good), and then drag the hijackthis.exe icon that is on your desktop into this new folder. You can then open the folder and double-click on hijackthis.exe to run it.

dlh6213 27 Posting Maven Team Colleague

Try this:

Go to Start, Run, and type in msconfig. When the new window comes up, click on the Startup tab and look for BigFix in the list; if it's there, remove the checkmark from the box.

If it's not there, click on the Services tab and see if it's in there.

Close msconfig; you will probably need to reboot.

dlh6213 27 Posting Maven Team Colleague

To set BigFix to start manually:

Open your Control Panel, go to Administrative Tools, and open Services. Maximize the size of the Services window that pops up and scroll down the list to BigFix; right-click on it and choose Properties. About the middle of the window that comes up, you should see Startup type: Use the drop-down arrow to select Manual.

In addition to getting a firewall, asap, get SpywareBlaster (link in Crunchie's sig) and keep it updated.

dlh6213 27 Posting Maven Team Colleague

Hi buckhuckle, welcome to DaniWeb :) and welcome to the world of broadband (DSL) :) :(

As soon as possible, you should protect yourself by installing a hardware firewall router such as one made by Linksys, SMC, or Netgear.

Before fixing anything in your hijackthis log, you should put it into its own folder; to do this, right-click on your desktop, select New, Folder, and give the new folder a name of your choosing (HJT or HijackThis would be good). Then, drag the hijackthis.exe icon that is on your desktop into this new folder.

After you've moved it, close all browser windows, scan with HJT, and post a new log please. If you have anything disabled in msconfig, enable it before you scan.

FYI -- BigFix should be set to start manually as it's a resource hog.

dlh6213 27 Posting Maven Team Colleague

I don't know how you got Xoftspy from the link I gave you, but try going here:
http://www.spywareinfo.com/~merijn/downloads.html
Scroll down to Official downloads, and then down to HijackThis. Choose any one of the seven sites listed to download it from.

Do you have any messenger services (like Yahoo, AIM, MSN, etc.)? We may be able to transfer the HJT file that way if you still can't get it onto a floppy.

dlh6213 27 Posting Maven Team Colleague

I sent dlh6213 an address of a friend that will download hjt and save it to a floppy for me to run on my machine. Hopefully this will be the beginning of my computer recovery. Thanks

I tried sending it to her twice, and both times I got a message saying it couldn't be delivered because it was a bad address. Can you just have her download it for you and put it on a floppy? Here's the website:
http://www.spywareinfo.com/~merijn/

dlh6213 27 Posting Maven Team Colleague

I'm waiting for the opinions of a couple of other mods here as to what the best direction to go would be. If a reinstall is deemed the best solution, we will help you with backing up and reloading.

If you had access to another computer where you could download some utilities, it would be very helpful... maybe a library or friend?

Edit -- what Caperjack said might work, I don't know much about OE.

dlh6213 27 Posting Maven Team Colleague

Hey Dave, he had another thread going on this ( http://www.daniweb.com/techtalkforums/thread20949.html ), but couldn't download HJT; I tried to email it to him, but his Outlook Express wouldn't allow him to open it, saying it was a harmful file.

He doesn't have access to another computer to download to, so I suggested he post the above log so we could see what's going on (and it's not pretty!).

I'm open to some suggestions here; should we try to attack the bad files manually, email him some tools (if OE will even let him open them), or is it time for a reinstall?

dlh6213 27 Posting Maven Team Colleague

Don't remove alg.exe! More info on it here:
http://www.liutilities.com/products/wintaskspro/processlibrary/alg/

Read this thread, it may help:
http://www.daniweb.com/techtalkforums/thread16365.html

Get HijackThis from here so we can help with whatever the real problem is:
http://www.spywareinfo.com/~merijn/

Close all browser windows, 'Scan and Save Log' with hijackthis, copy and paste the entire log here in this thread.

dlh6213 27 Posting Maven Team Colleague

You should post another log for a final check :)

dlh6213 27 Posting Maven Team Colleague

When you ran it in Safe Mode, even though it took so long, was it successful? If you can't even run it in Safe Mode, or if it finds errors it can't fix, your drive may be failing. If it did finish, and fixed any errors (or didn't find any), you should be able to defrag from Safe Mode as well.

dlh6213 27 Posting Maven Team Colleague

You have a lot of similarities to this thread:
http://www.daniweb.com/techtalkforums/showthread.php?p=106786#post106786

Try the suggestions there and then post a new log. If you have questions about anything, feel free to ask.

dlh6213 27 Posting Maven Team Colleague

C:\PROGRA~1\COMMON~1\LOGITECH\QCDRIVER\LVCA.SYS

I do not know about LVCA.SYS. It does not look like a virus to me considering its place in the system.

This is a Dexxa USB Webcam driver for win98.

dlh6213 27 Posting Maven Team Colleague

I'm glad we finally got everything cleaned out, that was quite a workout!

I thought that having AVG was enough...

Unfortunately, no one program is enough to protect you from everything out there nowadays. In this thread you've seen just a few of the tools we use to remove malware, there are many more for different infections.

To help protect your system, I suggest you get (if you don't already have them):
Ad-Aware SE
SpyBot Search and Destroy
SpywareBlaster
SpywareGuard
They're all free and help a lot! But don't let yourself be fooled into thinking you're completely protected!

I'm going to mark this thread as solved, but if any problems come back in the near future, PM one of the moderators to reopen it.

If you haven't done so already, have a look through the other forums here, like the Geeks Lounge, there's more to this site than just computer stuff :)

dlh6213 27 Posting Maven Team Colleague

You also appear to have a CWS infection.

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the update"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Then, post a new HJT log

dlh6213 27 Posting Maven Team Colleague

I deleted the file in safe mode, anyways I rebooted and it appeared again..
"Locate.bat" only worked in safe mode as well, still the "Report.txt" only has this: C:\WINDOWS\SYSTEM32\DRIVERS\FASTFATS.SYS

That's most likely the file that's causing problems; I did a Google search for it and found nothing -- most legit files will have some info on them somewhere. If you have any doubts, set a System Restore point before deleting it.

After you delete it, reboot and post another HJT log.

dlh6213 27 Posting Maven Team Colleague

Something else detected...

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the update"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Then post a new HJT log.

dlh6213 27 Posting Maven Team Colleague

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the update"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Then post a new HJT log

dlh6213 27 Posting Maven Team Colleague

Download CWShredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

Unzip to your desktop, run it, and then:

1. Click "Check For Update"
(If an update isn't available, skip to step 4)

2. Click "Click here to Download the update"

3. When the new version has been downloaded, click "Save"

4. Click "Fix"

If it asks you to verify any files to be deleted, either do a Google search for it/them or ask us here before deleting.

Post a new HJT log after running CWShredder

dlh6213 27 Posting Maven Team Colleague

Have HJT fix this entry:
O19 - User stylesheet: C:\WINDOWS\stsheets.dat

Download and run Locate.zip from http://www.atribune.org/downloads/locate.zip

Unzip it and double click on locate.bat

Post the log here for review.

(Thanks DMR)

dlh6213 27 Posting Maven Team Colleague

Ok, it did the same thing that it has been doing, but after the tenth or so box, it stopped. I don't think that it is fixed, however.

I'm not sure what you mean by this, can you please clarify? Are you having trouble with anything other than MS updates?

dlh6213 27 Posting Maven Team Colleague

Hi Jayboy, welcome to DaniWeb :)

Since a virus is suspected, I've moved this thread to the appropriate forum.

Get HijackThis from here:
http://www.spywareinfo.com/~merijn/

Close all browser windows, 'Scan and Save Log' with hijackthis, copy and paste the log into this thread.

dlh6213 27 Posting Maven Team Colleague

Scan with hijackthis and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cus...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?T...lion&pf=desktop

Be sure all windows are closed, other than hijackthis, before hitting the Fix button.

Reboot. You'll probably get a message to send an error report, choose either option if you do.

Try going to Windows Update again and let us know what happens.

Close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Go to Add/Remove Programs in your Control Panel and remove the following (if found):

MyWay (or myBar)
PartyPoker
Windows ServeAd (or WinServAd)

Scan with HJT and have it fix the following entries:
(Note: some entries may no longer be here after using Add/Remove Programs)

O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {9BED3AC7-E6D4-43E7-B8A1-1FA502F639E1} (XTools Control) - http://player.bugs.co.kr/install/mv/XTools.cab
O16 - DPF: {BF628973-1E86-4D0E-B42C-EDDECFFABDBC} (Bugs AoD Class) - http://player.bugs.co.kr/install/BugsLoader20041018.cab

Be sure all windows are closed, other than HJT, before hitting the Fix button.

Go to the following location and remove the highlighted folder (if found):

C:\Program Files\Windows ServeAd\WinServAd.exe
C:\Program Files\PartyPoker

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Reboot

You …

dlh6213 27 Posting Maven Team Colleague

Well, these probably aren't going to be on your system, but you can do a search for them and see what you come up with. From what I can find out, it seems the problem is going to be in this DRIVERS folder, but the name can be different.

C:\WINDOWS\SYSTEM32\DRIVERS\beepw.sys
C:\WINDOWS\System32\drivers\hidclasy.sys
C:\WINDOWS\SYSTEM32\DRIVERS\battcc.sys

I'll see what else I can find out, or maybe someone else will have some ideas.

This program can help locate it, but, unfortunately, I don't know how to use it:
http://www.niksoft.at/_data/startdreck.zip

dlh6213 27 Posting Maven Team Colleague

Have HJT fix this entry:

O20 - Winlogon Notify: welcome - C:\WINDOWS\system32\s6rslg9716.dll (file missing)

Since you don't have internet access, you will probably need to download these from another computer.

Try IEFix from here:
http://www.majorgeeks.com/download4467.html

Winsockfix may also resolve the problem:
http://www.digitalminds.net/index.pl/downloads

And, you can try Hoster:
http://members.aol.com/toadbee/hoster.zip
Run Hoster and press Restore Original Hosts, OK, and Exit Program.
Note that if you have a custom host file, this will remove it. You can edit the host file with this program too.

Reboot

Close any open browser windows, scan with HJT, and post a new log please.



dlh6213 27 Posting Maven Team Colleague

You don't need to, nor should you, stop any processes that are running, just close any open windows.

From your log, it looks like you're running two antivirus programs (Nod32 and Norton); this can cause problems, you should decide which one you prefer (I'd recommend Nod32) and remove the other.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R3 - URLSearchHook: (no name) - _{C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - (no file)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6...e/bridge-c7.cab

Be sure all windows are closed, other than HJT, before hitting the Fix button.

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

(Note: if any of these temporary files cannot be deleted while in ‘normal mode,’ try Safe Mode.)

Empty your Recycle Bin.

Reboot, close any open browser windows, scan with HJT and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Well, after a bit of research, I think I've found a way to get rid of that nasty webtracer.

Get Find.zip from here:
http://www.atribune.org/downloads/find.zip

Download Find.zip into the same folder your HijackThis is in ('Files and Programs' in your case); make sure you Extract All Files

Double-click Find.bat and let it scan your computer (should only take a few seconds)

Look in the folder you have HijackThis in and find Report.txt

Double-click Report.txt, copy the entire contents of the log, and paste it here.

After running this program, do NOT shutdown or log off of your computer until after we have fixed the problem.

Sorry for answering so late, I've been checking for new answers every day, but I just realized that there was a page 2.

Don't feel bad, the same thing happened to me when I first came here :o

dlh6213 27 Posting Maven Team Colleague

Something is causing this to be recreated but it's not showing in your HJT log (or if it is, I'm overlooking it). I'd like to suggest another program for you to try, I've found it can find things most other programs can't.

It's called CounterSpy and you can get it from here:

http://www.download.com/3000-8022_4-10337358.html

It has a 15-day free trial which will be plenty of time to get your system cleaned up, or you can purchase it for $20 (US). After you download it, install it; when asked for a registration number, just click next.

Before scanning the first time, make the following adjustments to the settings:

CounterSpy Settings

At the very top, click on File, and then Check for updates
When it’s finished updating, click the ‘Close’ button

Under ‘Spyware Scan’ on the left, click on ‘Run a spyware scan’
In the left pane, click on ‘Scan Options’
Mark ‘Full system scan’
Check all boxes under ‘Full system scan,’ including ‘Save these options’
In the right pane, near the bottom, click ‘Manage Schedule’
On the left side, select your preferred schedule options
On the right side, under ‘Scheduled Scan Options,’ check:
‘Always run a deep scan’
‘Automatically remove spyware cookies’
Click the ‘Update Schedule’ button

At the top, click on ‘System Tools’
Double-click on ‘History Cleaner’
Check the following options (if they are not grayed-out):
‘Internet Explorer …

dlh6213 27 Posting Maven Team Colleague

Are you still having problems?

Your log looks pretty good now; you can have HJT clean up these entries:

O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\f22mlcf11f2.dll (file missing)
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\pKutoenr.dll (file missing)
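
The entries quoted throughout these posts share HijackThis's `CODE - detail` line layout. As an added example (not part of any post here and not HijackThis's own code), this Python script parses such lines and annotates properties a reviewer can read straight off the text. The function names, the choice of four properties, and the reading of an all-digit hosts address as a 32-bit integer are assumptions of this example; the sample lines are copied from the posts on this page.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: entry lines copied from posts on this page.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
O1 - Hosts: 1159680172 auto.search.msn.com
O4 - HKLM\..\Run: [MSNSysRestore] C:\WINDOWS\system32\pc32.exe bg
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
"""

# An entry line is a section code (R0, O4, O16, F2, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def annotate(entry: Entry) -> None:
    """Attach notes for properties visible in the line text (example heuristics)."""
    body = entry.body
    if body.endswith("(file missing)"):
        entry.notes.append("orphan: referenced file is gone")
    if entry.code == "O1":
        # Layout: "Hosts: <address> <hostname>"
        parts = body.split()
        if len(parts) == 3 and parts[1].isdigit() and int(parts[1]) < 2**32:
            dotted = ipaddress.IPv4Address(int(parts[1]))
            entry.notes.append(f"hosts address in integer form = {dotted}")
    if entry.code in ("R0", "R1") and " = " in body:
        value = body.split(" = ", 1)[1]
        if value.lower().startswith("res://"):
            entry.notes.append("IE page loaded from a resource inside a local file")
    if entry.code == "O16":
        source = body.rsplit(" - ", 1)[-1]
        if source.lower().startswith("file://"):
            entry.notes.append("ActiveX control installed from a local file")


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a log entry line, or None for headers and blanks."""
    match = ENTRY_RE.match(line.strip())
    if not match:
        return None
    entry = Entry(match["code"], match["body"])
    clsid = CLSID_RE.search(entry.body)
    entry.clsid = clsid.group(0) if clsid else None
    annotate(entry)
    return entry


def triage(log_text: str) -> List[Entry]:
    """Parse every entry line in a pasted log, skipping non-entry lines."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [entry for entry in parsed if entry is not None]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code:<4}{e.body}")
        for note in e.notes:
            print(f"      note: {note}")
```

The notes describe what the line says, not whether the entry is malicious; that judgement still belongs to the person reviewing the log.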

dlh6213 27 Posting Maven Team Colleague

I only see a couple of minor things there now.

You may wish to consider disabling CTHELPER.EXE -- quote from sysinfo:

CTHELPER is a background task that is a plug-in manager for Creative drivers. The theory is that 3rd party manufacturers can use the CTHELPER plug-in interface to produce drivers, add-on features, and fixes that will integrate with a tighter fit with Creative’s sound drivers and utilities. Given its purpose CTHELPER would normally be classified as a "leave alone" background task. It also allows Creative speaker setup to be synchronized with Windows Control Panel speaker setting. Without it running that check box in Creative speaker setting is not functional (settings are not in sync). Unfortunately there are often problems with CTHELPER, most notably that it can use 100% of CPU time so it's best left disabled unless you need it.

And you can have HJT fix this entry:

R3 - Default URLSearchHook is missing

dlh6213 27 Posting Maven Team Colleague

Let's try the Registry Editor again (regedit).

Before you manually edit the Registry, you should create a backup. At the top of the Registry window, click on the Registry menu, click Export Registry File. In the Export range panel, click All, then save your registry as Backup. This way, if the operation of your PC is affected, you have a way to restore it.

Also set a System Restore point.

In the Registry Editor, click on the + next to HKEY_CURRENT_USER, and then the + next to Software, the + next to Microsoft, and then the + next to Internet Explorer. Find the folder that says Main and click on it; in the right-hand pane, find Start Page; right-click on it and select Modify. In the Value data field, delete whatever is there and replace it with http://www.google.com/ (you can change this to whatever you wish now, or change it later).

Go to HKEY_LOCAL_MACHINE and follow the same path and make the same change.

Close the editor, close all browser windows, scan with HJT, and have it fix:

F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O1 - Hosts: 1159680172 auto.search.msn.com

Reboot, close all browser windows, scan with HJT, and post a new log please.

dlh6213 27 Posting Maven Team Colleague

Before fixing anything with hijackthis, please put it into its own folder by right-clicking on your desktop, select New, Folder; name the folder whatever you like (something like HJT or hijackthis would be best). Then, drag the hijackthis.exe icon that is on your desktop into the new folder.

Scan with HJT and have it fix the following entries:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {FE07DF8E-EB48-201C-AF54-67375F54D0FD} - C:\WINDOWS\system32\syskn32.dll
O4 - HKLM\..\Run: [sdkdf.exe] C:\WINDOWS\sdkdf.exe
O4 - HKLM\..\RunOnce: [netdm.exe] C:\WINDOWS\system32\netdm.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?lin...738&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/c...DC_1_0_0_44.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/...n/bin/cabsa.cab
O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) -
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) -
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) -
O23 - Service: Network Security Service (NSS) …
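
An added example, not part of the original posts and not HijackThis's own logic: a small Python triage over log lines of the kind quoted in the posts above, flagging orphaned entries, IE settings that point into a local DLL via res://, hosts file overrides, and extra programs in Userinit. The heuristics and the names `triage` and `triage_log` are assumptions chosen for illustration.

```python
import re

# Constructed sample: lines copied from the logs quoted in the posts above.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: Run - C:\WINDOWS\system32\k8440ihqe84e0.dll (file missing)
F2 - REG:system.ini: UserInit=userinit.exe,userinit32.exe
O1 - Hosts: 1159680172 auto.search.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\tiewm.dll/sp.html#44768
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
"""

LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")            # "<section> - <entry>"
RES_RE = re.compile(r"= res://(.+?\.dll)/", re.IGNORECASE)  # page served from a DLL resource
HOSTS_RE = re.compile(r"^Hosts: (\S+) (\S+)$")              # "<address> <host name>"
USERINIT_RE = re.compile(r"UserInit=(.*)$", re.IGNORECASE)

def triage(line):
    """Return (section, reasons); reasons is empty when no heuristic matches."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, []
    section, entry = m.groups()
    reasons = []
    if entry.endswith(("(file missing)", "(no file)")):
        reasons.append("orphaned: referenced file no longer exists")
    res = RES_RE.search(entry)
    if section in ("R0", "R1") and res:
        reasons.append("IE setting points into local DLL " + res.group(1))
    hosts = HOSTS_RE.match(entry)
    if section == "O1" and hosts and hosts.group(2).lower() != "localhost":
        reasons.append("hosts file overrides DNS for " + hosts.group(2))
    ui = USERINIT_RE.search(entry)
    if section == "F2" and ui:
        # Assumption: only userinit.exe belongs in Userinit; compare by file name.
        extra = [p.strip() for p in ui.group(1).split(",")
                 if p.strip() and p.strip().lower().rsplit("\\", 1)[-1] != "userinit.exe"]
        if extra:
            reasons.append("extra logon program(s): " + ", ".join(extra))
    return section, reasons

def triage_log(text):
    """Map each flagged line to its reasons, skipping lines with nothing to report."""
    report = {}
    for line in text.splitlines():
        section, reasons = triage(line)
        if reasons:
            report[line.strip()] = reasons
    return report
```

Calling `triage_log(SAMPLE_LOG)` returns a dictionary keyed by the flagged lines; a flag is a prompt to look at the entry, not proof that it is malicious.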

dlh6213 27 Posting Maven Team Colleague

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Local Settings\Temp
Cookies
History
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Empty your Recycle Bin.

Follow the recommendations in this thread to remove HotOffers:
http://www.daniweb.com/techtalkforums/thread19959.html

Get HSFix from here:
http://www.atribune.org/downloads/HSFix.zip

After it is downloaded, create a new folder on your desktop called "HSFix" and extract all the files into the newly created folder.

Reboot into Safe Mode

Locate the HSFix folder on your desktop, open it, and double-click "hsfix.bat"

A log will be produced which you can close out of.

Right-click on your desktop, select New, Folder; give the New Folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon on your desktop into this new folder.

Close all browser windows, scan with HJT, and have it fix the following entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/192/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: (no name) - {05A6952D-72E5-0216-C37E-08157768E5C8} - C:\WINDOWS\system32\celhqle.dll
O2 - BHO: (no name) - {FC5BCA13-77EE-4495-AC06-A437596C1131} - C:\WINDOWS\system32\lkbj.dll (file missing)
O3 - Toolbar: (no name) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - (no file)
O4 …

dlh6213 27 Posting Maven Team Colleague

Did you run the Hoster yet? Please post a new log after running it. Remember to close all browser windows before scanning with HJT or fixing anything with it.

dlh6213 27 Posting Maven Team Colleague

I have a few suggestions you can try.

First of all, before you manually edit the Registry, you should create a backup. At the top of the Registry window, click on the Registry menu, click Export Registry File. In the Export range panel, click All, then save your registry as Backup. Then, if the operation of your PC is affected, you have a way to restore it. Did you try running regedit from Safe Mode?

Try CWShredder, you can get it here:
http://www.intermute.com/spysubtract/cwshredder_download.html

You can also try CounterSpy, link and instructions can be found in post #3 of this thread:
http://www.daniweb.com/techtalkforums/thread20434.html