DMR 152 Wombat At Large Team Colleague

1. C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. Once you've taken care of the above, run HJT again and have it fix:

O4 - HKLM\..\Run: [Windows_Protect] wincontrol32.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [ITUNES] itunes.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\gah32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] wincontrol32.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [ITUNES] itunes.exe


3. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide …

DMR 152 Wombat At Large Team Colleague

1. C:\Arquivos de programas\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


2. Although not associated with the "hotoffers" infection as far as I know, you need to have HijackThis fix:

O4 - HKLM\..\Run: [second] C:\WINDOWS\system32\second.bat

Once HJT has finished the fix (and yes, your question: "After I run the FIX the HJT pane gets clear, is this right" is correct.) close HJT, open Windows Explorer, navigate to the C:\WINDOWS\system32\second.bat file, and delete it. Empty your Recycle Bin after you have done so.

DMR 152 Wombat At Large Team Colleague

A few things:

1. That log looks very short; were you running in Safe Mode when you ran the HijackThis scan? If so, please try to post a log generated while booted into Windows normally.


2. C:\Program Files\Internet Explorer\IEXPLORE.EXE

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser! HijackThis cannot fully perform its fixes while browsers are running.


3. C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else!
Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


4. Please post the specific information from AVG's reports concerning the exact name of the trojan it detects and the location(s) of …

DMR 152 Wombat At Large Team Colleague

...Turns out it was one of those "Internet Accelerators" asking me if I wanted to install it.

Word to the wise: don't go places you don't trust, and read everything before you click it.

Absolutely.
They often word those pop-ups in a purposely misleading way, making it very easy to click the wrong button and end up installing the programs.

Also- you should stay away from all of those free accelerators, search toolbars, etc.; almost all of them come bundled with adware or spyware. The caveat "there's no free ride" probably applies to the Net more than it's ever applied to anything else...

DMR 152 Wombat At Large Team Colleague

Thanks for following up on this one, Chris! :)

O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
O23 - Service: Avid Startup (AvidStartup) - Unknown owner - C:\WINDOWS\system32\AvidStartup.exe

Those entries were actually probably valid; they're components of some of the digital audio/video editing and multimedia storage packages made by Avid Technologies/DigiDesign.
However, if I recall correctly, they don't need to run as start-up services unless you're using certain types of Avid storage solutions.


Aebeyes,

1. Judging from your latest log, it looks as though the nasties are gone. How does the system appear to be working now?

2. There are viruses known to either infect or replace notepad.exe; you may be infected by one. One quick thing to check is the file's size- on XP, C:\Windows\System32\notepad.exe should be 65KB; if it's some other size, that's a good indication that you're infected. Even if the size is correct, you should still run a couple of anti-virus scans to be sure:

- Get the most current updates for your McAfee anti-virus and run a full scan with that.

- Do at least a couple of these free online scans as well:

http://housecall.trendmicro.com/housecall/start_corp.asp
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm
http://www.kaspersky.com/scanforvirus.html
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php

DMR 152 Wombat At Large Team Colleague

Hello Aebeyes- welcome to our forums. :)

Your log definitely does show indications of a few different infections, but I can't give you a full response right now due to the fact that it's dinner time in my end of the world.

I'll pass a message on to a few of our other spyware experts and ask if they can help until I'm able to return tomorrow.

DMR 152 Wombat At Large Team Colleague

Thanks for that link sukiyaki99. :)

I found the original thread (at Geeks To Go) that the instructions in your link were distilled from, but now I don't have to go through that thread and re-distill the instructions myself.


jackolos,

If you have any questions about the procedure sukiyaki99 linked to, please ask us for help; if you accidentally delete the wrong file or make some other such mistake you could cause more problems than you have now.

DMR 152 Wombat At Large Team Colleague

Have (obviously) gotten PM. Thanks again Chris.

DMR 152 Wombat At Large Team Colleague

First of all, please uninstall Spyware Begone. The program is bogus in that it is known to "warn" you of infections that may not even be present on your system in an attempt to scare you into paying $$ for their full package. More on that and other bogus "anti-spyware" programs can be found here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm


I have more info on your original problem also, but I won't have time to post that until tomorrow- please hang in there until then.

DMR 152 Wombat At Large Team Colleague

Chris- could you give me an update on this new QL strain when you get a chance if possible; I haven't had time to keep up.

Thanks.

DMR 152 Wombat At Large Team Colleague

Thanks Chris ;)

DMR 152 Wombat At Large Team Colleague

My apologies- I submitted a response to your question, but it doesn't seem to have gone through.

The basic gist of that response was this: It's the end of the day in my end of the world (California) and I need to log off and start thinking about dinner and other real life matters. However- I've sent a request to our other troubleshooters (who live in other areas of the world) asking them if they can follow up with this until I come back online tomorrow. If crunchie, dlh6213, or caperjack respond to you before I get back, please follow any instructions they give you and let us know the results.


<EDIT>:

Well that was quick- I see that caperjack is on it already....:mrgreen:

Thanks cj!

</EDIT>

DMR 152 Wombat At Large Team Colleague

1.

...when deleting my temp files and cookies I couldn’t delete Index.dat as it just wouldn’t delete! Should I delete the folder that it is in?

Note what I mentioned earlier regarding the index.dat (and desktop.ini) file:

Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

2.

BTW (fingers crossed) this seems to have eradicated the hotoffers problem.

Yes, but you are still infected with other nasties; see below:


3.

I'll have to wait til moro nite to try the KVS DL for Bube as its late now (11pm here) to start, but I take it that should be my next port of call??

Absolutely; do that as soon as you can. Entries in your last log still do indicate the bube.d infection. Also submit the netcheck.exe file for scanning as crunchie advised and give us the feedback on that once you've had a chance to do so.

DMR 152 Wombat At Large Team Colleague

- Believe it or not, people are reporting Good Things about Microsoft's new Anti-Spyware utility. It's only a beta release right now, but you might want to give it a try.

- There are a couple of anti-virus programs out there which are keeping a few steps ahead of Norton/Symantec and McAfee in terms of "spyware" detection and removal:

KAV: http://www.kaspersky.com/products
AVG: http://www.grisoft.com/doc/1

- Tighten up some of Internet Explorer's default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php

- Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.

- In addition to SpywareGuard & SpywareBlaster, install IE-SPYAD as an additional measure of protection.

- Obviously, make sure to keep your system current on all of the latest Windows critical fixes by using Windows' Automatic Update feature.


In terms of the Viewpoint software: you might find that it returns at some point in the future. The software is used with online multimedia content, so if you visit a site which uses that type of content, the program may get reinstalled.

DMR 152 Wombat At Large Team Colleague

That's a very clean log, but I do see one "nasty" there.

1. Have HJT fix:

O4 - HKLM\..\Run: [KavSvc] C:\WINNT\System32\pvvirz.exe


2. Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types". Locate the C:\WINNT\System32\pvvirz.exe file, delete it, and then empty your Recycle Bin.


3. Run HJT again and gives us a new log.

DMR 152 Wombat At Large Team Colleague

Alright, here we go. And yes- it will be messy, especially given that you're on dial-up and the "nasties" are mucking with your ability to download.

First of all- Do you have access to a (non-infected) computer with a faster Net connection and the ability to burn a CD? If so, we can give you the download links for the utilities that might be helpful in your case and you could install them on the infected machine that way.

Whether or not you do, let's start with some manual removal and see where that gets us. Please print out the following instructions and then physically disconnect your phone/modem line from the computer during the course of this unless we specifically ask you to go online.


1. Have HijackThis fix:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.hzimiaeqdiepbmogecdfa.co...UJFKrntDyD.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://search.usefulware.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.ulead.com/register/reg.htm
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
R3 - URLSearchHook: transURL Class - {C7EDAB2E-D7F9-11D8-BA48-C79B0C409D70} - C:\WINDOWS\SYSTEM32\SEARCH~1.DLL (file missing)
F1 - win.ini: run=C:\WINDOWS\SYSTEM\msoffice.exe
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no …

DMR 152 Wombat At Large Team Colleague

...and we will attempt to clean up what we can...

*Groan* Just give me a moment to remember where I put that pair of surgical gloves first, OK? :D

DMR 152 Wombat At Large Team Colleague

Dial-up eh? Yes, that can make things more tedious, but try to bear with us. Unfortunately, some of these infections are very difficult to remove, hence the need to use multiple utilities in the cleaning process.

Do the bube removal process when you get a chance and give us a fresh log after that. When you do go through the removal steps, make sure to run both programs (Kaspersky's and Microsoft's) mentioned in the article crunchie linked to; neither one alone seems to fully take care of the infection.

DMR 152 Wombat At Large Team Colleague

That still looks pretty ugly. :(

Did you have a chance to follow (exactly and completely) the bube infection removal procedures in the link that crunchie gave earlier?

If not, you need to do that now. While you definitely have other "unwanted guests" on your system, the bube infection is probably the most persistent of all, and it should be dealt with first.

DMR 152 Wombat At Large Team Colleague

I gathered from the past dealings with this problem, that the idea of fixing the problem was to empty all of my temporary files and not to increase the size of them.

That is correct.

No offence meant to macseyco, but please do not follow his/her advice about increasing the size of your TIF cache; the smaller that folder is, the better.

I need to log off and start thinking about dinner at the moment, but these entries in your HJT log indicate that you do still have some unresolved problems; hopefully one of our other anti-spyware experts will come online shortly to assist you:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.coolsearch.biz/
O19 - User stylesheet: (file missing)

DMR 152 Wombat At Large Team Colleague

Hi mnh00002- welcome to DaniWeb. :)

One of our guidelines for posting in these forums is that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Given that, I've split your post into its own thread, which you can find here:

http://www.daniweb.com/techtalkforums/showthread.php?t=21716

DMR 152 Wombat At Large Team Colleague

Thanks for the details. Information on the "MRxSmb" log entry and possible fixes for the problem can be found in some of the following links:

http://www.google.com/search?hl=en&lr=&q=MRxSmb+%22The+redirector+failed+to+determine+the+connection+type%22&btnG=Search

Messages #2 - #4 are cascading results of the error indicated in the initial MRxSmb message, messages 5 & 6 are the result of your system trying to recover from the initial error and reconnect to the DHCP server (the router in this case), and message 7 indicates that the router is rejecting that request.


Earlier, you posted:

we tried assigning a static IP, no luck, or we did it wrong.

You should try that again, and this time also disable the DHCP client service on the machine in question when you do. I can post details on that later (I don't have time right now), but unless your network card or perhaps the router have gotten confuzzled (yes, "confuzzled" is a valid technical term), this really sounds like a DHCP issue.

DMR 152 Wombat At Large Team Colleague

You might want to have a look in your application and system logs to see if whatever is causing this is also logging some indication of its activity there.

Use the Event Viewer utility in your Administrative Tools folder to display the logs and let us know if you find any possibly relevant messages in them.

DMR 152 Wombat At Large Team Colleague

Thanks for the L2M log; it (unfortunately) shows a lot of "nasties". We're going to run L2mFix again, but this time we'll actually have it perform its fixes:

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

DMR 152 Wombat At Large Team Colleague

1. C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\Temporary Directory 3 for hijackthis.zip\HijackThis.exe

The log entry above indicates that you are running HJT from within a Temp/Temporary folder. Please do the following:

Create a folder outside of any Temp/Temporary folders for HJT and move it there now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.

One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if HijackThis (and other data that you care about) is living in those Temp folders, it will be erased along with everything else. Temp/Temporary folders are just that- Temporary. They are not meant for permanent storage, as their contents are often deleted in the course of troubleshooting, by running disk clean-up utilities, etc.


2. Remove the MyWay/MyBar and WeatherBug programs via your Add/Remove Programs control panel; both programs are parasites.


3. Once you've moved HJT into a folder such as I specified above, run it again and have it fix:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - (no file)
O2 - BHO: (no name) - {4FF56F7F-C145-509C-DE02-65550DD82014} - C:\WINDOWS\System32\puk.dll (file missing)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKCU\..\Run: [Idue] C:\Documents and Settings\Administrator\Application Data\umbs.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1

DMR 152 Wombat At Large Team Colleague

OK- I know it's probably a hassle, but please do that. The newer version scans more areas of your system, so it will give us a better idea of where all of the "nasties" are hiding.

DMR 152 Wombat At Large Team Colleague

Ok, it looks like my thread merge worked, but unfortunately the log you posted indicates that you used/ran a rather outdated version (1.98.2) of HijackThis.

I'm sorry to have to put you through this again, but you need to get the most current version (1.99.1) of HijackThis and post the log that version generates.

DMR 152 Wombat At Large Team Colleague

Hang in there. It looks like you posted your log in a new thread; let me find that post and merge it in to this one.

DMR 152 Wombat At Large Team Colleague

Hi CiscoJP,


We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

DMR 152 Wombat At Large Team Colleague

Have you gone through the system and manually flushed out the contents of all of your Temp, Temporary, Cookies, etc. folders yet?

How long has this been happening?

What sort of network/Internet setup do you have?

DMR 152 Wombat At Large Team Colleague

The formatting of that last post makes the log a bit hard to follow, but as far as I can see it's clean.

DMR 152 Wombat At Large Team Colleague

Depending on exactly how you "shut down" Zone Alarm, it may still not be entirely disabled.

The following article at Zone Labs describes how to configure ZA to allow certain actions such as Adobe PDF viewing/downloading:

http://forums.zonelabs.com/zonelabs/board/message?board.id=AllowAccess&message.id=61

Give the suggestions in the article a try and see if they help.

DMR 152 Wombat At Large Team Colleague

DMR You are the greatest

Aww... cut it out now- you'll give me a complex or something. :o

I am but a lowly geek with an insatiable desire to help people fix their problems; glad I could help with yours.

:)

DMR 152 Wombat At Large Team Colleague

It sounds like you'll need to download HijackThis onto a different computer, copy it to a floppy, and install/run it on the infected computer that way.

Once the HJT scan is done, you'll need to save the logfile back to the floppy, take the floppy back to a computer with working Internet access, and post the log from there.

I have a copy of the current HJT program on my FTP site. If you need me to email it to you I can do that. Please don't post your email address in this thread though; send it to me privately via my email address or a PM.

DMR 152 Wombat At Large Team Colleague

That's a squeaky-clean log; what problems prompted your post?

DMR 152 Wombat At Large Team Colleague

You're welcome!

I don't know why, but we've recently had a few other members who've also had trouble with downloaded HJT zip files, so I'd already whacked a copy of the actual HJT executable up on my FTP site for just that reason. :)

Do you need us to review your HJT log? If so, post away....

DMR 152 Wombat At Large Team Colleague

I would suggest uninstalling WeatherBug, as it's adware at the very least.

Other than that though, there are no obvious signs of infection in your log. Please give us some background/details on the reason why you posted the log.

DMR 152 Wombat At Large Team Colleague

Let's skip the automated log analyser; it's honestly better for us to work from your original log.

Please do the following:

Run HijackThis, but do not have HJT fix anything yet; only have it scan your system. Once the scan is complete, the "Scan" button will turn into an option to "Save log...". Save the log in the folder you created for HijackThis, open the log in Windows Notepad, and cut-n-paste the entire contents of the log here.

DMR 152 Wombat At Large Team Colleague

Give it a shot and keep us posted. :)

DMR 152 Wombat At Large Team Colleague

You should post another log for a final check :)

Good idea; it definitely can't hurt.

DMR 152 Wombat At Large Team Colleague

This is possible; on my Linksys the DHCP range of addresses starts at 192.168.1.100 and the Linksys has IP 192.168.1.1, so 192.168.1.2 - 192.168.1.99 are available for static devices. Choose any of these and that should be fine.

Right.
As long as you choose an IP address that is out of the DHCP scope of the router (but still within the same subnet, obviously), you shouldn't have an address conflict.
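A worked version of the scope check described in this exchange, added here as an example (it is not from either poster). The router address 192.168.1.1 and the pool start 192.168.1.100 come from the quoted post; the pool end 192.168.1.149 and the /24 mask are assumptions made for the example, so substitute your own router's values. It uses only Python's standard ipaddress module and catches the "we did it wrong" cases too: an address in the wrong subnet, the network or broadcast address, the router's own address, or one inside the DHCP pool.

```python
import ipaddress

# Values from the quoted post: Linksys LAN address 192.168.1.1, DHCP pool starting
# at 192.168.1.100. The pool end (.149) and the /24 mask are assumptions for this example.
ROUTER = "192.168.1.1"
PREFIX = 24
POOL_START, POOL_END = "192.168.1.100", "192.168.1.149"


def check_static_ip(candidate, router=ROUTER, prefix=PREFIX,
                    pool_start=POOL_START, pool_end=POOL_END):
    """Return (ok, reason) for assigning `candidate` as a static address on this LAN."""
    router_ip = ipaddress.ip_address(router)
    # strict=False lets us pass the router's host address and get its network back
    lan = ipaddress.ip_network(f"{router_ip}/{prefix}", strict=False)
    cand = ipaddress.ip_address(candidate)
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)

    if cand not in lan:
        return False, f"{cand} is outside {lan}: the host could not even reach the router"
    if cand in (lan.network_address, lan.broadcast_address):
        return False, f"{cand} is the network or broadcast address"
    if cand == router_ip:
        return False, f"{cand} is the router's own address"
    if lo <= cand <= hi:
        return False, f"{cand} is inside the DHCP pool {lo}-{hi}; the router may lease it to another host"
    return True, f"{cand} is usable: inside {lan}, outside the pool, not the router"


def free_static_addresses(router=ROUTER, prefix=PREFIX,
                          pool_start=POOL_START, pool_end=POOL_END):
    """Every address on the LAN that check_static_ip would accept."""
    lan = ipaddress.ip_network(f"{router}/{prefix}", strict=False)
    return [str(h) for h in lan.hosts()
            if check_static_ip(str(h), router, prefix, pool_start, pool_end)[0]]


if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.100", "192.168.2.5", "192.168.1.255"):
        print(check_static_ip(ip))
    print(len(free_static_addresses()), "addresses free for static assignment")
```

Two things the check cannot tell you: whether another statically configured device already holds the address (ping it, or look at the router's client list, before committing), and the mask, gateway and DNS entries that still have to be typed into the adapter's TCP/IP properties alongside the address. If you take the later suggestion in this thread and switch the router's DHCP server off entirely, the pool test becomes moot and the remaining checks are the ones that matter.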

DMR 152 Wombat At Large Team Colleague

The above link mentions LSPs. I had not heard of this term before, but it seems to relate to additions to winsock made by third-party software and drivers you might have installed that were not installed on the machine you exported winsock from.

Yes hollystiles- you've exactly and correctly grokked the concept of Microsoft's LSP (Layered Service Provider) extensions. :)

Additionally, what you stated is essentially true:

You said you were instructed to import winsock from another computer, that's fine but means you may need to re-install some things like the driver for your network card.

Importing the winsock entries from someone else's registry is not a recommendation I've ever seen suggested nor one that I would suggest, as the contents of those registry keys can definitely vary between different computers.

DMR 152 Wombat At Large Team Colleague

Quite honestly, it looks to me as though you aren't dealing with a winsock issue at all this time around, but more of a DHCP-related problem instead. I only gave the winsock repair instructions to be on the safe side.

If you've only got one or a few computers connected to the router, it's usually more reliable overall to turn off the router's DHCP server feature and just assign all of the computers a static address. That will eliminate DHCP-related problems such as lease renewal times, the inability of the computers to obtain correct IP info from the DHCP server, etc.

DMR 152 Wombat At Large Team Colleague

Excellent work mrZ- your log is clean now. :)

How are things working now? Did that seem to have fixed everything, or are you still experiencing some problems?

DMR 152 Wombat At Large Team Colleague

Why not just disable DHCP and manually assign the machine a static IP?

In terms of resetting/repairing your Winsock stack, there is a utility called WinsockXP fix which can restore your Windows winsock defaults.

An alternate manual method is described toward the end of this article:
http://support.microsoft.com/kb/811259

And another possible method is here:
http://support.microsoft.com/kb/299357

DMR 152 Wombat At Large Team Colleague

Try this:

1. Download The Pocket Killbox from this site: http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41.

- Unzip the download and open the Killbox program.

- Click on the button with the folder icon just to the right of the "Full path of file to delete" box, browse to the C:\WINDOWS\SYSTEM\IFFE.DLL file, highlight the file, and then click OK in the browse window.

- Select the "Delete on reboot" option, put a check in the "Unregister dll before deleting" box, and then click the button with the red circle and "X" icon.

- Choose Yes in the resulting two confirmation dialog pop-ups to reboot the computer and complete the deletion.


2. Once the system has rebooted, search for iffe.dll to see if the Killbox was able to delete the file. Hopefully the dll will be gone.


3. Judging from the log entries, you should find copies of the K2OO.0U file in the following folders:

C:\Windows\Start Menu\Programs\StartUp
c:\windows\all users\start menu\programs\startup

When you look for the file, make sure you have Explorer set to show all files as I indicated earlier. Delete all instances of the file if you find them.


4. Run HJT again and post a new log.
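Killbox's "Delete on reboot" option exists because a DLL that is loaded into a running process (a BHO or MIME filter hooked into Explorer, as IFFE.DLL is here) cannot be deleted while it is in use. The standard Windows facility for this is MoveFileEx with the MOVEFILE_DELAY_UNTIL_REBOOT flag, which records the operation in the PendingFileRenameOperations value under the Session Manager key; Session Manager carries it out at the next boot, before Explorer or the browser can load the file again. The Python below is an added example and not Killbox's code (that Killbox uses exactly this API is an assumption). It builds and decodes that registry value so you can see what is queued, and on Windows it queues the delete itself. Reading the value is a worthwhile check on its own during a clean-up, since the same mechanism can be used to move files into place at boot.

```python
import sys

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # MoveFileEx flag for the deferred operation
PENDING_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"  # REG_MULTI_SZ of (source, destination) pairs


def pending_delete_pair(path):
    """The (source, destination) pair Windows records for a delete: NT-style
    source path, empty destination."""
    return ("\\??\\" + path, "")


def encode_multi_sz(strings):
    """REG_MULTI_SZ: UTF-16LE, each string NUL-terminated, list ended by one more NUL."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz; empty strings are preserved (they mean 'delete')."""
    text = blob.decode("utf-16-le")
    if text in ("", "\0", "\0\0"):
        return []
    if not text.endswith("\0\0"):
        raise ValueError("not a terminated REG_MULTI_SZ")
    return text[:-1].split("\0")[:-1]


def pending_operations(blob):
    """Pair up a PendingFileRenameOperations value into (source, destination) tuples.
    An empty destination means 'delete'; by convention a destination beginning
    with '!' means 'replace the existing target'."""
    items = decode_multi_sz(blob)
    if len(items) % 2:
        raise ValueError("odd number of strings; value is corrupt")
    return list(zip(items[0::2], items[1::2]))


def pending_deletes(blob):
    """Win32 paths of every file queued for deletion at next boot."""
    return [src[len("\\??\\"):] if src.startswith("\\??\\") else src
            for src, dst in pending_operations(blob) if dst == ""]


def schedule_delete(path):
    """Queue `path` for deletion at next boot (Windows, elevated prompt required).
    Off Windows, returns the registry pair the call would have produced instead."""
    if sys.platform != "win32":
        return pending_delete_pair(path)
    import ctypes
    if not ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT):
        raise ctypes.WinError()
    return True


if __name__ == "__main__":
    # Constructed value: the DLL from this thread plus one queued replacement.
    value = encode_multi_sz([*pending_delete_pair(r"C:\WINDOWS\SYSTEM\IFFE.DLL"),
                             r"\??\C:\tmp\new.dll", r"!\??\C:\WINDOWS\x.dll"])
    print("queued deletes:", pending_deletes(value))
    print(schedule_delete(r"C:\WINDOWS\SYSTEM\IFFE.DLL"))
```

The script does not unregister the DLL first; that is Killbox's separate "Unregister dll before deleting" checkbox, and skipping it leaves the dead CLSID registrations behind (which is what the HJT fix of the O2/O18 lines takes care of). Writing the value needs administrator rights, and the path should be the full Win32 path, not a short 8.3 name, so that what ends up in the registry is unambiguous.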

DMR 152 Wombat At Large Team Colleague

Yikes- judging from all of the "C:\Program Files\Internet Explorer\iexplore.exe" log entries, you've got about 25 instances of Internet Explorer running!

You need to close all instances of IE before proceeding with HijackThis fixes:

- Hit Ctrl+Alt+Delete and then hit "T" to open the Task Manager.
- Click on the Processes tab, highlight each and every individual instance of IEXPLORE.EXE and click on the "End Process" button for each one.

Watch the Processes window carefully. If IEXPLORE.exe entries keep automatically regenerating themselves, you'll have to reboot into Safe Mode and see if that keeps IE from starting/running. (You get to the safe mode boot option by hitting the F8 key as your computer is starting up.)

Once you're sure IE isn't running:

1. Have HJT fix:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [KBqpRhMFQ] jgd2cqag.exe
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34545} - C:\WINDOWS\System32\vbsys2.dll


2. Reboot into safe mode if you're not there already.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search for and delete any and all copies of the following files:
jgd2cqag.exe
vbsys2.dll

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not …

DMR 152 Wombat At Large Team Colleague

Hi trandill,

You need to start your own thread for that question. We ask that members not "piggyback" their questions onto a thread started by another member.
Also- please include a HijackThis log in your new thread; it will give us a good idea of what sort of "nasties" are lurking in your system.

DMR 152 Wombat At Large Team Colleague

1. Have HJT fix:

O2 - BHO: (no name) - {47FF45A1-9F67-11D9-9C0E-00045FD38E58} - C:\WINDOWS\SYSTEM\IFFE.DLL
O4 - Startup: K2OO.0U
O4 - Global Startup: K2OO.0U
O18 - Filter: text/html - {47FF45A0-9F67-11D9-9C0E-0004309F2BC3} - C:\WINDOWS\SYSTEM\IFFE.DLL
O18 - Filter: text/plain - {47FF45A0-9F67-11D9-9C0E-0004309F2BC3} - C:\WINDOWS\SYSTEM\IFFE.DLL


Reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:


1. Set Windows to show hidden files.
- Open My Computer.
- Click View menu then click Folder Options.
- Select the View tab.
- Scroll to the "Hidden files" section Click "Show all files."
- Uncheck "Hide file extensions for known file types"
- Click OK.

2. Locate and delete the following files:
C:\WINDOWS\SYSTEM\IFFE.DLL
K2OO.0U

3. Delete the entire contents of all Temp, Temporary, and Temporary Internet Files folders.

4. Empty your Recycle Bin and reboot normally.

5. Run HJT again and post a new log.
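The same handful of checks recur across the log reviews in this thread: HijackThis running from a Temp folder and Internet Explorer still open (the first and third posts), O4 Run/RunServices entries whose target is a bare filename with no path (wincontrol32.exe, micront.exe), a ProxyServer entry pointing at 127.0.0.1:8080 and R3/O2 entries whose file is gone (the MyWay post), and the O18 text/html and text/plain filters loading IFFE.DLL (the post above). As an added example, and not code from any post in the thread or from HijackThis itself, here is a small Python triage script that applies those checks to HJT log text. The sample log is constructed from entries quoted in the posts (the process list is made up to exercise the checks); the tags and the path heuristics are my own and produce leads for a human to review, not verdicts.

```python
import re

# Constructed sample log: entries copied from logs quoted in this thread, process
# list made up for the example. Not a real machine's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/271/
R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: (no name) - {4FF56F7F-C145-509C-DE02-65550DD82014} - C:\WINDOWS\System32\puk.dll (file missing)
O4 - HKLM\..\Run: [Windows_Protect] wincontrol32.exe
O4 - HKLM\..\RunServices: [Windows_Protect] wincontrol32.exe
O4 - HKLM\..\Run: [Anti-Virus Update Scheduler V1.39.12R] C:\WINDOWS\gah32.exe
O4 - HKCU\..\Run: [Idue] C:\Documents and Settings\Administrator\Application Data\umbs.exe
O4 - Startup: K2OO.0U
O18 - Filter: text/html - {47FF45A0-9F67-11D9-9C0E-0004309F2BC3} - C:\WINDOWS\SYSTEM\IFFE.DLL
O23 - Service: Avid SDM Service (AvidSDMService) - Avid Technology, Inc. - C:\WINDOWS\system32\AvidSDMService.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[A-Z]\d+) - (?P<body>.+)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<target>.+)$")
ORPHAN_RE = re.compile(r"\((no file|file missing)\)$")


def parse(log):
    """Return (running_processes, [(type, body), ...]) from HJT log text."""
    processes, entries = [], []
    in_procs = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False
            entries.append((m.group("type"), m.group("body")))
        elif in_procs:
            processes.append(line)
    return processes, entries


def triage(log):
    """Return a list of (tag, detail) leads. The tags are heuristics, not verdicts."""
    processes, entries = parse(log)
    leads = []

    # HJT cannot complete its fixes while IE is open, and HJT launched from a Temp
    # folder is wiped (with its backups) when Temp is cleaned.
    ie = sum(p.lower().endswith("\\iexplore.exe") for p in processes)
    if ie:
        leads.append(("browser-running", f"{ie} instance(s) of iexplore.exe"))
    for p in processes:
        if p.lower().endswith("\\hijackthis.exe") and "\\temp\\" in p.lower():
            leads.append(("hjt-in-temp", p))

    for typ, body in entries:
        if ORPHAN_RE.search(body):
            # Target file is gone; the registry entry is dead weight and safe to fix.
            leads.append(("orphan", f"{typ} - {body}"))
            continue
        if typ == "R1" and "ProxyServer" in body and "127.0.0.1" in body:
            # Browser traffic routed through a local listener: a hijack/adware proxy.
            leads.append(("local-proxy", body))
        elif typ == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            key, target = m.group("key"), m.group("target")
            if not key.startswith("HK"):
                # Startup-folder items are listed by filename only; list for review.
                leads.append(("startup-folder", f"{key} -> {target}"))
            elif "\\" not in target:
                # No directory: resolved through the search path, so the binary could
                # sit anywhere; installers almost always write a full path.
                leads.append(("autorun-no-path", f"{key} -> {target}"))
            elif re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", target, re.I):
                # Executable dropped straight into the Windows folder (heuristic).
                leads.append(("autorun-windir", f"{key} -> {target}"))
            elif "\\application data\\" in target.lower():
                leads.append(("autorun-appdata", f"{key} -> {target}"))
        elif typ == "O18" and body.lower().startswith("filter: text/"):
            # A MIME filter on text/html or text/plain sees every page the browser
            # renders; rarely legitimate on a home machine.
            leads.append(("mime-filter", body))
    return leads


if __name__ == "__main__":
    for tag, detail in triage(SAMPLE_LOG):
        print(f"[{tag:16}] {detail}")
```

Run it over a saved log (`triage(open("hijackthis.log").read())`) before deciding what to have HJT fix. It deliberately leaves O23 services and R0 start-page entries alone, because, as the Avid post shows, a service with an unfamiliar name is often legitimate and a home page is a matter of taste; those still need a human looking at the vendor and the URL. Note also that RunServices entries are flagged by the same path rule as Run entries, so a malware author writing the same bare filename to both keys, as in the first post, shows up twice.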